XSS - Event listener: JS for Pentesters task 8

Oct 27, 2014 • jsp, javascript, security-tube

Writeup for task 8 of the JS for Pentesters series by SecurityTube: XSS via event handlers.

We have already seen many challenge writeups that use event listeners, such as capturing all mouse clicks and redirecting, and this challenge is much easier than any of the event listener challenges we have done before. Let us see what the task is:

JS for Pentesters Task 8

Our objective is to pop the password in an alert box when the user submits the form. The difference from the other challenges is that we have to find the XSS vulnerability ourselves: there is no URL parameter that is known to be vulnerable, as there was in the earlier tasks. So first we have to find out where the vulnerability is. The first spot to try is the username field. Let's try injecting an onmouseover event handler through the username/email parameter:

    admin"onmouseover="alert(1);

Give a random password and press sign in. Then, if you put the mouse over the email field, you see an alert: we have our XSS. Now the objective is to modify the same payload so that it pops up the password field when the user clicks sign in. Here is a modified payload that pops up the password:

    "onmouseover="
    function intercept () {
        var pass = document.forms[0].elements[1].value;
        alert(pass);
    }
    document.forms[0].onsubmit = intercept;

Let us see what we did above. Basically we modified the simple XSS payload we used to find the injection point and, instead of calling alert directly, we registered one more event handler, which runs a function when the form is submitted. That function reads the value the user typed into the password field (the second element of the first form on the page) and pops it up in an alert box.
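For the defensive side of this finding, here is an added example that is not part of the original writeup or the SecurityTube course. It assumes the challenge page reflects the submitted username back into a quoted `value="..."` attribute of the email input, which is what the leading double quote in the payload above relies on. The function names and the form markup are assumptions made for illustration; the input string is the page's own detection payload. The example shows the unsafe string-concatenation renderer beside one that HTML-encodes the value before placing it in the attribute, and a small check that lists the attributes actually present in the rendered tag, so a reviewer can see the injected `onmouseover` attribute appear in the first case and not in the second.

```javascript
// Added example (not from the original writeup): reflecting a username into
// an HTML attribute unsafely and safely. Names and markup are assumptions.

// Vulnerable: raw concatenation into value="...". A double quote in the
// username closes the attribute and lets the rest become new attributes.
function renderLoginFormUnsafe(username) {
  return '<form method="post" action="/login">' +
    '<input type="text" name="email" value="' + username + '">' +
    '<input type="password" name="password">' +
    '<input type="submit" value="Sign in">' +
    '</form>';
}

// HTML attribute encoding: every character that could end the attribute
// value or start markup is replaced by an entity. Combined with always
// quoting the attribute, this keeps the whole username inside value="...".
function escapeHtmlAttr(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;' };
  return String(s).replace(/[&<>"'`]/g, function (c) { return map[c]; });
}

// Hardened: identical markup, but the untrusted value is encoded first.
function renderLoginFormSafe(username) {
  return '<form method="post" action="/login">' +
    '<input type="text" name="email" value="' + escapeHtmlAttr(username) + '">' +
    '<input type="password" name="password">' +
    '<input type="submit" value="Sign in">' +
    '</form>';
}

// Review helper: return the attribute names found on the email <input> tag.
// A correct renderer yields exactly the three attributes written in the
// template; any extra name means user data escaped the attribute value.
function emailInputAttributeNames(html) {
  var tag = html.match(/<input[^>]*name="email"[^>]*>/);
  if (!tag) { return []; }
  var names = [];
  var re = /([a-zA-Z-]+)="([^"]*)"/g;
  var m;
  while ((m = re.exec(tag[0])) !== null) { names.push(m[1]); }
  return names;
}

// Detection payload from the writeup, used as the sample input.
var probe = 'admin"onmouseover="alert(1);';

console.log('unsafe:', emailInputAttributeNames(renderLoginFormUnsafe(probe)));
// -> [ 'type', 'name', 'value', 'onmouseover' ]
console.log('safe:  ', emailInputAttributeNames(renderLoginFormSafe(probe)));
// -> [ 'type', 'name', 'value' ]
```

The attribute-name check is a useful unit test to keep next to any template that echoes request data: it fails the moment a reflected value contributes an attribute the template did not declare, which is exactly the condition the challenge exploits.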

Note:

1) While playing with XSS challenges, it is always recommended to use Mozilla Firefox, because Google Chrome has a built-in XSS filter that will stop us from executing arbitrary JavaScript even when the page is vulnerable to XSS. So it is strongly recommended to use Firefox instead of Chrome.

We hope that you really liked this challenge. If there is anything you didn't understand or want more clarity on, please comment below and we are more than happy to help. Also, if you find a better way of solving the challenge, please share it with us; we are happy to learn from our readers too. Happy pentesting.

Anirudh Anand

Head of Product Security & DevSecOps at @CRED_club | Application Security ♥ | CTF lover - @teambi0s | Security Trainer - @7asecurity | certs - eWDP, OSCP, OSWE