DOM XSS in document.write sink using source location.search
- HELLO GUYS WELCOME BACK TO OUR PORTSWIGGER LAB WALKTHROUGH AND TODAY I WILL SOLVE THIS LAB :
DOM XSS in
document.writesink using sourcelocation.search
Q. WHAT IS DOM-BASED XSS ?
DOM-based XSS vulnerabilities usually arise when JavaScript takes data from an attacker-controllable source, such as the URL, and passes it to a sink that supports dynamic code execution, such as
eval()orinnerHTML. This enables attackers to execute malicious JavaScript, which typically allows them to hijack other users' accounts.To deliver a DOM-based XSS attack, you need to place data into a source so that it is propagated to a sink and causes execution of arbitrary JavaScript.
The most common source for DOM XSS is the URL, which is typically accessed with the
window.locationobject. An attacker can construct a link to send a victim to a vulnerable page with a payload in the query string and fragment portions of the URL. In certain circumstances, such as when targeting a 404 page or a website running PHP, the payload can also be placed in the path.
Q. How to test for DOM-based cross-site scripting ?
The majority of DOM XSS vulnerabilities can be found quickly and reliably using Burp Suite’s web vulnerability scanner. To test for DOM-based cross-site scripting manually, you generally need to use a browser with developer tools, such as Chrome. You need to work through each available source in turn, and test each one individually.
Testing HTML sinks
To test for DOM XSS in an HTML sink, place a random alphanumeric string into the source (such as
location.search), then use developer tools to inspect the HTML and find where your string appears. Note that the browser's "View source" option won't work for DOM XSS testing because it doesn't take account of changes that have been performed in the HTML by JavaScript. In Chrome's developer tools, you can useControl+F(orCommand+Fon MacOS) to search the DOM for your string.For each location where your string appears within the DOM, you need to identify the context. Based on this context, you need to refine your input to see how it is processed. For example, if your string appears within a double-quoted attribute then try to inject double quotes in your string to see if you can break out of the attribute.
Note that browsers behave differently with regards to URL-encoding, Chrome, Firefox, and Safari will URL-encode
location.searchandlocation.hash, while IE11 and Microsoft Edge (pre-Chromium) will not URL-encode these sources. If your data gets URL-encoded before being processed, then an XSS attack is unlikely to work.Testing JavaScript execution sinks
Testing JavaScript execution sinks for DOM-based XSS is a little harder. With these sinks, your input doesn’t necessarily appear anywhere within the DOM, so you can’t search for it. Instead you’ll need to use the JavaScript debugger to determine whether and how your input is sent to a sink.
For each potential source, such as
location, you first need to find cases within the page's JavaScript code where the source is being referenced. In Chrome's developer tools, you can useControl+Shift+F(orCommand+Alt+Fon MacOS) to search all the page's JavaScript code for the source.Once you’ve found where the source is being read, you can use the JavaScript debugger to add a break point and follow how the source’s value is used. You might find that the source gets assigned to other variables. If this is the case, you’ll need to use the search function again to track these variables and see if they’re passed to a sink. When you find a sink that is being assigned data that originated from the source, you can use the debugger to inspect the value by hovering over the variable to show its value before it is sent to the sink. Then, as with HTML sinks, you need to refine your input to see if you can deliver a successful XSS attack.
Testing for DOM XSS using DOM Invader
Identifying and exploiting DOM XSS in the wild can be a tedious process, often requiring you to manually trawl through complex, minified JavaScript. If you use Burp’s browser, however, you can take advantage of its built-in DOM Invader extension, which does a lot of the hard work for you.
- NOW LET’S SOLVE THE LAB :
- FIRST OF ALL ACCESS THE LAB AND VISIT THE HOME PAGE AND ON THE SEARCH BOX INPUT SOME HTML PAYLOADS OR CODE TO TEST WHAT’S HAPPENING ?
- HERE IS A USEFUL TIP FOR YOU WHENEVER YOU TEST FOR DOM-BASED XSS DON’T GO TO THE SOURCE CODE PAGE JUST INSPECT THE CODE BY USING BROWSER-WEB-DEV TOOLS BECAUSE WE CAN’T SEE THE CHANGES IN SOURCE CODE WHEREAS IN BROWSER-WEB-DEV WE CAN SEE THE LIVE CHANGES AND IT’S EASIER TO UNDERSTAND AND FIND OUR INPUTS IN IT.
- SO HERE WE CAN SEE THAT THE HTML PAYLOAD GETS REFLECTED TWICE AND WE CAN OBSERVE THAT AT ONE POINT IT GETS ENCODED AND ON ANOTHER IT WAS INSIDE THE IMG TAG <img>.
- SO IF TRY TO BYPASS THE IMG TAG AND MAKE OUR PAYLOAD LIKE THIS :
- “><h1>hello</h1>
- LET’S USE IT AND SEE WHAT HAPPENS ?
- SO HERE OUR PAYLOAD WORKS NOW LET’S USE THIS CONCEPT IN THIS PAYLOAD AND SOLVE THE LAB :
- “><img src=x onerror=alert(location.search)>
- HERE WE SOLVED THE LAB..