XSS - Replacing images: JS for Pentesters task 11 write up

Oct 30, 2014 • jsp, javascript, xss, security-tube

writeup for task-11 of the series JS for pentesters by security-tube - Replacing Images

This is one of the interesting challenges from Pentester Academy but a very easy one. This is like a typical noobs where once they got access to a server, first thing to do is to deface the server. We are actually not doing a deface but something similar. Let us see the challenge:

JS for Pentesters task 11

Our objective of this challenge is to Replace the Pentester Academy Banner image with a Defacement Image. Now let us see how can we crack this challenge. After analyzing the source code, we can understand one thing that there is only one <img> tag in the whole source code.

This makes our work much easier. Since there is only 1 <img> tag, all we have to do is to select the <img> tag and change its src attribute. The payload will look like this:

    var script = document.getElementsByTagName('img')[0];
    script.src = "http://3.bp.blogspot.com/-l8tr4nV1df8/UgYGrFdkhNI/AAAAAAAAAJ8/KRnaurbiZ68/s1600/hacked.jpg";

So what we did was to create a new variable named script and we assigned it with the first <img> tag using document.getElementByTagName(). Then we changed its <img src "" > attribute to a new URL which will get substituted in the place of original Pentester academy logo.


1) While playing with XSS challenges, it is always recommended to use Mozilla Firefox because Google chrome has inbuilt XSS stopper which will stop us from executing arbitrary JavaScript code even if the page is vulnerable to XSS. So its strongly recommended to use Firefox instead of chrome.

We hope that you really liked this challenge. If there is anything you didn’t understand or wanted to get more clarity, please comment down and we are more than happy to help. Also, if you get a better way of solving the challenge, please share it with us and we are happy to learn from our readers too. Happy pentesting..

Anirudh Anand

Security Engineer @flipkart | Web Application Security ♥ | Google, Microsoft, Zendesk, Gitlab Hall of Fames | Blogger | CTF lover - @teambi0s | certs - eWDP, OSCP