XSS - Social Engineering: JS for Pentesters task 5 write up

Oct 24, 2014 • jsp, javascript, xss, security-tube

Write-up for task 5 of the JS for Pentesters series by SecurityTube - Social Engineering

We have already seen some good challenges from Pentester Academy, like hijacking a form submit and adding a new form element. This challenge is a bit more exciting than the ones we have solved so far. Let us try a social engineering technique with XSS.

JS for Pentesters task 5

Our objective in this challenge is to remove the form and add a notification saying “Website is Down! Please visit SecurityTube.net”. Now let us see how we can solve this:

As always, you can see that there is an XSS vulnerability via the URL parameter. The first thing we should do is to remove the form. For that, we can select the Form we need to remove first and then add a notification at the same place saying that the particular website is down with a link to the attacker server. The payload looks like this:

    <script>
    // grab the first form on the page
    var remove = document.getElementsByTagName("form")[0];
    // detach it from its parent node (the original had a typo here: "rem" instead of "remove")
    remove.parentNode.removeChild(remove);
    // write the notification; .link() turns the second string into a clickable anchor
    document.write('Website is Down! Please visit '+'SecurityTube.net'.link('http://www.securitytube.net'));
    </script>

Let us analyse how the payload works. First, we store the form element that we need in a variable named remove. Then we simply remove the form using the removeChild() function in JavaScript, which is commonly used to remove elements from the DOM. We also need to print a notification saying that the site is down and tempting the user to visit a URL, which can be done using the document.write() function in JavaScript, which writes content into the webpage.

Inside the document.write(), I split the string into two parts with a ‘+’ operator in between. The reason I did this is that the second part should be printed as a link so that users can click on it. In order to print a string that points to a URL (like an href attribute in HTML) we used the .link() function in JavaScript, which accepts a URL as an argument and converts the string into a clickable link when it is written into the webpage.
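From the defender's side, the root cause of this challenge is that the URL parameter is reflected into the page without encoding. The following is an added example (not part of the original write-up or of the Pentester Academy challenge code) that shows a vulnerable renderer beside its hardened form, using the write-up's own payload as input; the form template and field names are assumptions for illustration.

```javascript
// Added example (not from the original write-up): fixing the reflected XSS that
// this challenge relies on. The vulnerable renderer drops the URL parameter
// straight into the page; the hardened one HTML-escapes it first, so the task-5
// payload is displayed as text instead of being executed.
// The form template below is an assumption made for this illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of an HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: reflects the parameter verbatim, which is how the challenge page behaves.
function renderVulnerable(param) {
  return '<form action="/login">Hello ' + param + '<input name="user"></form>';
}

// Hardened: the same template, but the untrusted value is escaped before insertion.
function renderSafe(param) {
  return '<form action="/login">Hello ' + escapeHtml(param) + '<input name="user"></form>';
}

// Defence in depth for the same page: without 'unsafe-inline' in script-src, the
// browser refuses to run an injected inline <script> even if escaping is missed.
const CSP_HEADER = "Content-Security-Policy: default-src 'self'; script-src 'self'";

// Crude check for the demo: does the rendered HTML contain a live <script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed input: the write-up's payload as it would arrive in the URL parameter.
const TASK5_PAYLOAD = '<script>var remove = document.getElementsByTagName("form")[0];' +
  'remove.parentNode.removeChild(remove);' +
  "document.write('Website is Down! Please visit '+'SecurityTube.net'.link('http://www.securitytube.net'));" +
  '</script>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable page executes script:', containsScriptTag(renderVulnerable(TASK5_PAYLOAD))); // true
  console.log('hardened page executes script:  ', containsScriptTag(renderSafe(TASK5_PAYLOAD)));       // false
  console.log(renderSafe(TASK5_PAYLOAD));
  console.log(CSP_HEADER);
}
```

The escaping must match the context the value lands in: this example covers HTML text and quoted attributes, while a value placed inside a script block or a URL needs its own encoder.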

Note:

1) While playing with XSS challenges, it is always recommended to use Mozilla Firefox, because Google Chrome has an inbuilt XSS stopper which will stop us from executing arbitrary JavaScript code even if the page is vulnerable to XSS. So it is strongly recommended to use Firefox instead of Chrome.

2) The solution written above is the way we cracked the problem, which might be different from the solution videos provided by SecurityTube. If you need the solution video, you have to subscribe to Pentester Academy.

We hope that you really liked this challenge. If there is anything you didn’t understand or want more clarity on, please leave a comment and we are more than happy to help. Also, if you find a better way of solving the challenge, please share it with us; we are happy to learn from our readers too. Happy pentesting!

Anirudh Anand

Head of Product Security & DevSecOps at @CRED_club | Application Security ♥ | CTF lover - @teambi0s | Security Trainer - @7asecurity | certs - eWDP, OSCP, OSWE