XSS - Multilevel HTML parsing: JS for Pentesters task 19 write up
writeup for task-19 of the JS for pentesters series by security-tube - Multilevel HTML parsing
In the last challenge we saw how can we receive and parse an HTML file that we get back as a result of a successful
XMLHttpRequest(). But when we take it to the next level, things became a bit more difficult. Let us now see how to do a multilevel HTML parsing in order to solve a challenge.
JS for Pentesters task 19
Our objective is to Find John’s Credit Card Number using an XSS vulnerability on this page and Display the Credit Card Number in the div with id “result”. Here the challenge is very easy but a bit time consuming to construct the correct payload. The working payload looks like this:
What we are doing here is very simple. Since we have to parse multiple HTML page (to be precise, 2 HTML pages) we need to specify more than 1
XMLHttpRequests (2 to be precise). So we declared 2 XMLHttpRequest(), we called the first request and when it is successfully done, we call the 2nd one within the first one from which we will get the credit card number. Then we will use that number to display it in the “result” id in the main page.
We hope that you really liked this challenge. If there is anything you didn’t understand or wanted to get more clarity, please comment down and we are more than happy to help. Also, if you get a better way of solving the challenge, please share it with us and we are happy to learn from our readers too. Happy pentesting..