XSS - posting with XMLHttpRequest(): JS for Pentesters task 13
writeup for task-13 of the JS for pentesters series by security-tube - XSS posting with XMLHTTPRequest()
We have already completed the challenge in which we steal from Auto Complete. Now this is the same challenge but the condition is that we need to use XMLHttpRequest to complete the challenge. If you are not familiar with XMLHttpRequest, I strongly recommend you to read the post “Everything you should know about XMLHttpRequest()”. Reading about XMLHttpRequest() basics will help you understand more and how to crack this challenge.
JS for Pentesters task 13
Our objectives are Write JS attack code which waits for 10 seconds, then submits the form automatically to your Attack server using an XMLHttpRequest() call. Let us see how this can be done.
So lets see what are we doing here. First we are declaring 2 variables with which we takes in the username and password that the user enters. Then we use the window.setTimeout() function which will execute a function after 5000 milliseconds or 5 seconds. Inside the function, we are declaring a new XMLHttpRequest() object using which we are sending data to our server (I used to host an HTTP server locally).
We hope that you really liked this challenge. If there is anything you didn’t understand or wanted to get more clarity, please comment down and we are more than happy to help. Also, if you get a better way of solving the challenge, please share it with us and we are happy to learn from our readers too. Happy pentesting..