XSS - fetching data with XMLHttpRequest: JS for Pentesters task 14

Oct 31, 2014 • jsp, javascript, xss, security-tube

writeup for task-14 of JS for pentesters series by security-tube - Fetching data with XMLHTTPRequest

Recently we saw an introduction challenge to XMLHttpRequest() which was quite easy and covers only the basics of the same. Now this is a bit advanced comparing to the basic one. Let us look into the challenge:

JS for Pentesters task 14

Our objective is to Find John’s Email Address using an XSS vulnerability on this page and Display the Email address in the div with id “result”. So when you check the source code of the challenge, you can see that we need to send a GET request to “/lab/webapp/jfp/14/email” with the parameter name = John which will return the email address for you. We should display this email address in the webpage. Before continuing this challenge, I strongly recommend you to read this: “Everything you should know about XMLHttpRequest()”. Let us look into the payload:

        var request = new XMLHttpRequest();    
        request.onreadystatechange = function() {
            if (request.readyState == 4 && request.status == 200) {
                document.getElementById("result").innerHTML = request.responseText;
        request.open("GET", "/lab/webapp/jfp/14/email?name=john", true);

Now how is this working ? First, we are creating a new XMLHttpObject() and use it as a GET request to the specified link. Then when the request has been done successfully and response is ready, we put the response inside the result element and there, we cracked the challenge.


1) If you didn’t understand the payload properly, I strongly recommend you read the basics of XMLHttpRequest() first and then try again.

2) While playing with XSS challenges, it is always recommended to use Mozilla Firefox because Google chrome has inbuilt XSS stopper which will stop us from executing arbitrary JavaScript code even if the page is vulnerable to XSS. So its strongly recommended to use Firefox instead of chrome.

3) You have to URL encode the payload before the injection via the url parameter or else this will fail to work

We hope that you really liked this challenge. If there is anything you didn’t understand or wanted to get more clarity, please comment down and we are more than happy to help. Also, if you get a better way of solving the challenge, please share it with us and we are happy to learn from our readers too. Happy pentesting..

Anirudh Anand

Security Engineer @flipkart | Web Application Security ♥ | Google, Microsoft, Zendesk, Gitlab Hall of Fames | Blogger | CTF lover - @teambi0s | certs - eWDP, OSCP