
I am trying to inject code into a second page (XSSthissite), following a button click on this custom HTML page. I am able to redirect to the second page by having a JavaScript function that calls a form using Ajax. Technically, examining developer tools, it appears that the POST goes through; however, it fails to actually login/redirect, and the fields do not appear populated. Specifically, rather than the 302 POST redirect I would receive if data is manually submitted on that page, I am seeing a 200 POST. Any idea why?

<!DOCTYPE html>
<html>
  <head>
    <meta charset="UTF-8" />
    <title>Having Fun on a Tuesday</title>
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>

    <form action="" method="POST" id="second">
      <input type="hidden" name="aufnausindulasdnf" value="aufnausindulasdnf"/>
      <input type="hidden" name="treasure" value="urghrugh?"/>
      <input type="hidden" name="login" value="testing" />
      <input type="hidden" name="password"/>
      <input type="hidden" name="action" value="entryway" />
    </form>

    <script>
    // Navigates away first, then binds a submit handler on the page that is
    // already being left; the `data:` line is commented out, so the Ajax POST
    // that does go out carries no form fields at all.
    function submitFormAjax() {
      window.location.assign("http://XSSthissite");
      $("#second").submit(function(e) {
          e.preventDefault();
          $.ajax({
            url: 'http://XSSthissite',
            type: "POST",
            // data: $(this).serialize(),
          });
        });
        $("#second").trigger('submit');
      }
    </script>

  </head>
  <body>
    <form onsubmit="" method="POST" action="" >
      <input id="login_target" value="username"/>
      <button type="button" id="unique" onclick="submitFormAjax()">MESSAGE</button>
    </form>

  </body>
</html>

Updated code with location and Ajax removed. It still POSTs and populates all fields, but refuses to submit!

<!DOCTYPE html>
<html>
  <head>
    <meta charset="UTF-8" />
    <title>Having Fun on a Wednesday</title>
  </head>
  <body>
      <input id="login_target" value="username"/>
      <button type="button" id="unique" onclick="submitForm()">MESSAGE</button>

    <form action="http://XSSthissite" method="POST" id="second">
      <input type="hidden" name="aufnausindulasdnf" value="aufnausindulasdnf"/>
      <input type="hidden" name="treasure" value="urghrugh?"/>
      <input type="hidden" name="login" value="testing" />
      <input type="hidden" name="password"/>
      <input type="hidden" name="action" value="entryway" />
    </form>

    <script>
    // Plain (non-Ajax) submit of the hidden form: a top-level navigation
    // that POSTs every field, including the empty password input.
    function submitForm() {
         document.getElementById("second").submit();
    }
    </script>
  </body>
</html>
csapidus

1 Answer

On your submitFormAjax you have this line:

window.location.assign("http://XSSthissite");

That line changes the current URL of your site to "http://XSSthissite" (HTTP 200); with this you bypass the binding of the submit function to the second button.

Try to send the info without changing the current URL, but keep in mind that if "http://XSSthissite" doesn't have CORS enabled you cannot do the POST from a different origin; this happens by design of the browser's security.

PS: your second form is inside the "head" tag; put the form inside the body as good practice in HTML. Also the "script" section. Refer: Why scripts at the end of body tag

HolloW