XSS - including external js file: JS for Pentesters task 9 write up
Writeup for task 9 of the series JS for Pentesters by security-tube - Including external JS
This challenge is a bit different from the ones we have done so far. Consider a case where you have found an XSS vulnerability, but the XSS parameter accepts only a limited number of characters and you need to do a lot more than that. What will you do? One possible way is to put the script in a file and try to include that file via the XSS. Let us see this with an example:
JS for Pentesters task 9
Our objective is to include an external JS file in this page, and the code inside that JS file should pop the cookie in an alert box.
So the first task is to write a .js file that alerts the cookie and host it somewhere. The code for the same is:
<script> tag. So consider we created a file cookie.js which contains the code to alert the cookie. Now we should host the script somewhere so that it can be accessed via a public URL. So I uploaded the script to my blog and tried to inject it into the challenge. The payload looks like this:
We hope that you really liked this challenge. If there is anything you didn’t understand or want more clarity on, please comment below and we will be more than happy to help. Also, if you find a better way of solving the challenge, please share it with us; we are happy to learn from our readers too. Happy pentesting.
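Seen from the defending side, the technique in this write-up depends on the page being allowed to load a script from a third-party origin, which a Content-Security-Policy can forbid. The following is an added example, not part of the original write-up or the challenge: a simplified checker that reports whether a given policy would allow an external script file to load. The function names and the hosts challenge.example, blog.example and cdn.example are assumptions made for illustration.

```javascript
// Added example: simplified Content-Security-Policy check for <script src> loads.
// Handles 'self', 'none', '*', scheme sources and host sources (optional "*."
// wildcard and port). Paths, nonces, hashes and 'strict-dynamic' are not modelled.

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

function sourceMatches(source, url, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'self'") return url.origin === pageOrigin;
  if (src === '*') return url.protocol === 'http:' || url.protocol === 'https:';
  if (src.startsWith("'")) return false; // 'none', nonces, hashes: no URL match
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return url.protocol === src; // e.g. https:
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && url.protocol !== scheme + ':') return false;
  const defaultPort = url.protocol === 'https:' ? '443' : '80';
  if (port !== '*' && (url.port || defaultPort) !== (port || defaultPort)) return false;
  return wildcard ? url.hostname.endsWith('.' + host) : url.hostname === host;
}

// True when the policy would let a page at pageOrigin load scriptUrl as a script.
function allowsScriptFrom(cspHeader, pageOrigin, scriptUrl) {
  const policy = parseCsp(cspHeader || '');
  const sources = policy.get('script-src-elem') ?? policy.get('script-src')
    ?? policy.get('default-src');
  if (sources === undefined) return true; // no governing directive: nothing is blocked
  const url = new URL(scriptUrl);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Constructed sample values (not from the challenge).
const PAGE = 'https://challenge.example';
const EXTERNAL = 'https://blog.example/cookie.js';
for (const csp of ['', "script-src 'self' https:", "script-src 'self'"]) {
  console.log(JSON.stringify(csp), '->', allowsScriptFrom(csp, PAGE, EXTERNAL));
}
```

A scheme-wide source such as `https:` still lets the external file load, so only a policy that names the trusted origins (or `'self'` alone) blocks this kind of inclusion.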