DOM based XSS¶
What is DOM?¶
- The DOM (Document Object Model) is the browser's in-memory tree of the page that scripts read and modify. DOM-based XSS happens when attacker-controlled data flows from a source such as `location.search` or `location.hash` into a sink that interprets it as markup or code. This link and this PortSwigger link explain what an HTML sink is.
DOM XSS in document.write sink using source location.search¶
Enumeration¶
Step 1: Randomly type a string (here `aaaa`) to get a search result.
Step 2: Inspect the page source and find the script responsible for echoing `aaaa`. We find that it uses `document.write()`.
Vulnerability Assessment¶
- From the highlighted statement above, we know that `query` is the entry point for injection, so the payload has to be crafted around where `query` lands inside the written string.
- The goal of this lab is to issue an `alert()` statement, so the payload is `"><svg onload=alert(1)>`. Substituted for `query` in the statement
  `document.write('<img src="/resources/images/tracker.gif?searchTerms='+query+'">');`
  it writes the following markup into the page:
  `<img src="/resources/images/tracker.gif?searchTerms="><svg onload=alert(1)>">`
- What happened here is that the leading `"` closes the `src` attribute and the `>` closes the `<img>` tag, so the `<svg>` (scalable vector graphics) element is created at runtime beside the image. When it loads, its `onload` handler calls `alert()`.

DOM XSS in innerHTML sink using source location.search¶
Enumeration¶
Step 1: Randomly type a string to get a search result.
Step 2: Inspect the page source to see the script behind it.

Vulnerability Assessment¶
- From this link we understand how `innerHTML` XSS works.
- The goal of this lab is to issue an `alert()` statement, so the payload is `<img src=1 onerror=alert('1')>`, which makes the statement look like:
  ``document.getElementById('searchMessage').innerHTML = `<img src=1 onerror=alert('1')>`;``
- The XSS executes because there is no such image: the load fails, the `onerror` handler runs and the alert box appears.
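Added example, not part of these lab notes or the Academy's own page script: a Node.js simulation of the two sinks discussed in the two labs above (the `document.write()` tracker image and the `innerHTML` search message). It strips the browser away and keeps only the strings that reach each sink, so the effect of both payloads, and of the usual fixes, can be checked offline. The function names (`buildTrackerImg*`, `renderSearchMessage*`, `renderedTagNames`, `simulate`), the `search` parameter name and the `... search results` message template are assumptions.

```javascript
// Added example: source-to-sink simulation for the document.write() and
// innerHTML labs above. Not the Academy's script; all names are assumed.

// Source: the `search` parameter of location.search (assumed parameter name).
function getSearchParam(search) {
  return new URLSearchParams(search).get('search');
}

// Minimal HTML escaper: the string equivalent of assigning via textContent.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Lab 1 sink, vulnerable: the query is concatenated into the markup handed to
// document.write(). A leading `"` ends the src attribute, `>` ends the <img>,
// and whatever follows is parsed as fresh elements.
function buildTrackerImgVulnerable(query) {
  return '<img src="/resources/images/tracker.gif?searchTerms=' + query + '">';
}

// Hardened: the value is a URL query component, so URL-encode it. `"`, `<`
// and `>` become %22 %3C %3E and can no longer terminate the attribute.
function buildTrackerImgSafe(query) {
  return '<img src="/resources/images/tracker.gif?searchTerms=' +
    encodeURIComponent(query) + '">';
}

// Lab 2 sink, vulnerable: this string is what innerHTML receives (assumed
// message template), so any tags inside `query` are parsed and rendered.
function renderSearchMessageVulnerable(query) {
  return query + ' search results';
}

// Hardened: escape first. In a real page, set `.textContent` instead of
// `.innerHTML`; the browser then performs exactly this escaping for you.
function renderSearchMessageSafe(query) {
  return escapeHtml(query) + ' search results';
}

// Crude model of what the HTML parser would create: every element tag name
// that appears in the markup. Anything beyond the intended <img> is injection.
function renderedTagNames(html) {
  return Array.from(html.matchAll(/<([a-zA-Z][\w-]*)/g), m => m[1].toLowerCase());
}

// Walk both flows end to end for one raw query string.
function simulate(search) {
  const query = getSearchParam(search);
  return {
    lab1Vulnerable: renderedTagNames(buildTrackerImgVulnerable(query)),
    lab1Safe:       renderedTagNames(buildTrackerImgSafe(query)),
    lab2Vulnerable: renderedTagNames(renderSearchMessageVulnerable(query)),
    lab2Safe:       renderedTagNames(renderSearchMessageSafe(query)),
  };
}
```

Run `simulate('?search=' + encodeURIComponent('"><svg onload=alert(1)>'))` to see the lab 1 payload produce an extra `svg` element only on the vulnerable path; note that the encoded value is still recoverable with `decodeURIComponent`, so the fix does not lose data, it only changes which parser sees it.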
DOM XSS in jQuery anchor href attribute sink using location.search source¶
Enumeration¶
- The URL before submission.
- There is input sanitization.
- There is a response when sending feedback.
- The URL when feedback is submitted.
- Probable vulnerable jQuery code.
Vulnerability Assessment¶
- We can test the vulnerability the way this link does it.
- Payload used: `?returnPath=javascript:alert('1')`
- After the payload is sent, we need to click `Back` for the `alert()` to show, because the payload only lands in the link's `href`, and a `javascript:` URL runs when the link is followed.
Exploitation¶
- The objective of this lab is to make the "back" link alert `document.cookie`.
- Change the payload to: `javascript:alert(document.cookie)`
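Added example, not part of these lab notes or the lab's own script: how the "Back" link from the lab above can be built safely in plain JavaScript (it runs under Node.js, no jQuery needed). The vulnerable version returns `returnPath` unchanged, which is what the lab does with `attr('href', ...)`; the hardened version parses the value with the `URL` constructor and keeps only same-origin `http(s)` targets. The function names, the `DEFAULT_RETURN` fallback and the `https://lab.example` origin are assumptions.

```javascript
// Added example: validating a user-supplied return URL before it becomes an
// href. Not the lab's script; names and the origin are assumed.

const DEFAULT_RETURN = '/'; // assumed fallback when returnPath is unusable

// Source: the returnPath query parameter, as in the lab.
function getReturnPath(search) {
  return new URLSearchParams(search).get('returnPath');
}

// Vulnerable: whatever returnPath holds becomes the href. A javascript:
// URL is not executed on page load; it runs when the victim clicks "Back".
function backHrefVulnerable(search) {
  return getReturnPath(search);
}

// Hardened: resolve the value against the page origin and allow only
// http(s) URLs on that same origin. The WHATWG URL parser lowercases the
// scheme and strips leading whitespace and embedded tabs/newlines, so
// "JaVaScRiPt:", "\tjavascript:" and "java\tscript:" all parse as
// javascript: and are rejected by the scheme check. Returning only the
// path, query and fragment also drops any //evil.example redirect.
function backHrefSafe(search, origin) {
  const raw = getReturnPath(search);
  if (raw === null || raw === '') return DEFAULT_RETURN;
  let url;
  try {
    url = new URL(raw, origin);
  } catch {
    return DEFAULT_RETURN; // unparsable value
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return DEFAULT_RETURN;
  if (url.origin !== new URL(origin).origin) return DEFAULT_RETURN;
  return url.pathname + url.search + url.hash;
}
```

The check is an allowlist on the parsed scheme, not a blocklist on the string `javascript:`; a blocklist would miss the case and whitespace variants above as well as `data:` and `vbscript:` URLs.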
DOM XSS in jQuery selector sink using a hashchange event¶
- The URL hash is everything that follows the pound sign (`#`) in the URL. The `hashchange` event fires when the URL hash changes from one value to another. Example of a `hashchange`: from `url.com/#header` to `url.com/#footer`.
- This lab contains a DOM-based cross-site scripting vulnerability on the home page. It uses jQuery's `$()` selector function to auto-scroll to a given post, whose title is passed via the `location.hash` property.
- To solve the lab, deliver an exploit to the victim that calls the `print()` function in their browser.
Enumeration¶

- From the inspected page source, we can see the vulnerable jQuery function.

- When a `hashchange` occurs, it calls a function which checks whether the hash component matches part of an `<h2>` heading in the post list below. If one matches, it scrolls to that post.

Vulnerability Assessment¶
- To test this, we can intercept the response and modify this function so that it does something observable on a `hashchange`.
- Here we added `console.log('test function');`.
- As we can see below, `test function` is logged when the hash changes from `Identit` to `Ident`.

- Another way to deliver the exploit is through the URI. When a `hashchange` occurs, the changed hash value is passed through `decodeURIComponent` and then into the selector, so whatever we put in the fragment reaches `$()`. We can test this by appending the payload `<img src=1 onerror=alert('1')>` to the hash, which results in the jQuery selector shown below:

- As can be seen above, an alert popped up.
Exploitation¶
- However, there is a problem. The payload above will not work directly in a victim's browser because, for the victim, there is no change in hash. Hence we need to invoke a `hashchange` for it to work. Additionally, we need to call the `print()` function instead of `alert()`.
- Since the input is an HTML string, we can make use of the `iframe` HTML tag, which embeds another document.
- The idea is to use the `iframe` to load the page with one hash and then, in the same frame, load the URL with the payload appended, thus invoking a `hashchange`.
- Payload to use:
  `<iframe src="https://0a3f000403f29a80c05636c400ae007e.web-security-academy.net/#1234" onload="this.src = this.src + '<img src=a onerror=print()>'"/>`
- As can be seen below, the `iframe` is loaded, its `onload` handler changes the hash, and the `print()` function is called.
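Added example, not part of these lab notes or the lab's own script: a Node.js model of the selector sink above. It reproduces three things: what the `iframe` `onload` trick does to the hash (the browser percent-encodes `<`, `>` and spaces in the fragment, which is why the handler's `decodeURIComponent` matters), the selector string the handler then builds, and why that string is treated as HTML rather than as a selector. The two regexes are a reconstruction, modelled on the "is this string HTML?" check jQuery used before version 1.9 and from 1.9 onwards; they are an assumption, not jQuery's source. `findPostIndex` is the safe alternative: match the decoded fragment against the known titles with a string comparison instead of splicing it into a selector. The `POST_TITLES` array, the `https://lab.example` origin and all function names are constructed.

```javascript
// Added example: why a hash value that reaches jQuery's $() becomes markup,
// and a safe lookup that never builds a selector from it. Not the lab's
// script; the regexes are a reconstruction and the data is constructed.

const POST_TITLES = ['Identity', 'Hobbies', 'Smart Recognition']; // constructed

// Pre-1.9-style heuristic (assumed reconstruction): any string that contains
// <tag...> after some non-'#'/'<' text is treated as HTML to create, even
// when it was meant as a selector.
const HTML_OR_ID_OLD = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
// 1.9+-style heuristic (assumed reconstruction): only strings that start
// with '<' (after optional whitespace) are HTML.
const HTML_OR_ID_NEW = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/;

function treatedAsHtml(selector, re) {
  const m = re.exec(selector);
  return Boolean(m && m[1]); // capture group 1 is the HTML branch
}

// The iframe's onload handler appends the payload to this.src. The browser
// percent-encodes '<', '>' and ' ' in the fragment; the hash still differs
// from the original '#1234', so a hashchange fires inside the frame.
function iframeHashAfterOnload(src, payload) {
  return new URL(src + payload).hash;
}

// The selector string the lab's handler builds from the decoded hash.
function buildSelector(hash) {
  return 'section.blog-list h2:contains(' + decodeURIComponent(hash.slice(1)) + ')';
}

// Safe alternative: compare the decoded fragment against the known titles
// (substring match, like the lab's :contains()) and return an index. The
// attacker's text only ever meets a string comparison, never a parser.
function findPostIndex(hash, titles) {
  let wanted;
  try {
    wanted = decodeURIComponent(hash.slice(1));
  } catch {
    return -1; // malformed percent-encoding
  }
  if (wanted === '') return -1;
  return titles.findIndex(t => t.includes(wanted));
}
```

With the old heuristic, `section.blog-list h2:contains(1234<img src=a onerror=print()>)` is parsed as HTML, the `<img>` is created and its `onerror` fires; with the 1.9+ heuristic the same string is a (failing) selector. Upgrading jQuery closes this particular path, but the durable fix is `findPostIndex`, which never lets attacker data near a selector.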