XSS (DOM)
Last updated
Objective: Run your own JavaScript in another user's browser, and use this to steal the cookie of a logged-in user.
At the Low level the requested input is not checked before it is included in the output text. Spoiler: /vulnerabilities/xss_d/?default=Englishalert(1).
Let's select the first option, i.e. English, and click Submit.
If we look at the URL, we can see that our input has been set as a URL parameter.
DOM-based XSS vulnerabilities usually arise when JavaScript takes data from an attacker-controllable source, such as the URL, and passes it to a sink that supports dynamic code execution.
Let's change the URL to the following:
The developer has tried to add simple pattern matching to remove any references to "<script" in order to disable any JavaScript. Find a way to run JavaScript without using the script tags. Spoiler: You must first break out of the select block, then you can add an image with an onerror event: /vulnerabilities/xss_d/?default=English>/option>.
Let's check the source code.
So any occurrence of "<script" in our input is being stripped.
Let's inspect the code in the web page as well.
We can see that we first need to escape the <select> tag that we are in.
Once we have done that, we can use the img onerror attribute to trigger an alert.
The developer is now whitelisting only the allowed languages; you must find a way to run your code without it going to the server. Spoiler: The fragment section of a URL (anything after the # symbol) is not sent to the server and so cannot be blocked there. The bad JavaScript used to render the page reads the content from it when creating the page. /vulnerabilities/xss_d/?default=English#alert(1).
Let's check the source code first.
In this case we can use the # character so that our payload sits in the URI fragment, which is never sent to the server and therefore passes the server-side checks.
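As an added example that is not DVWA's own source: a model of the sink pattern this page describes (client-side script takes everything after "default=" from location.href, fragment included, and writes it into the page) beside a hardened version that parses only the query string and allow-lists the language in the browser. The allowed-language list, the function names and the sample URL are assumptions.

```javascript
// Added example, not DVWA's own source. Models the DOM XSS sink described on
// the page and a hardened replacement. Pure functions so it runs under Node.
// ALLOWED_LANGUAGES and the function names are assumptions for this example.

const ALLOWED_LANGUAGES = ["English", "French", "Spanish", "German"];

// Vulnerable pattern: a raw substring of the URL goes straight into an HTML
// sink. Nothing after "default=" is validated, and because the substring is
// taken from the full href, the fragment (never sent to the server) is included.
function renderOptionVulnerable(href) {
  const idx = href.indexOf("default=");
  if (idx < 0) return "";
  const lang = href.substring(idx + "default=".length);
  // In the browser this string would be handed to document.write().
  return "<option value='" + lang + "'>" + decodeURI(lang) + "</option>";
}

// Minimal HTML escaping, kept as defence in depth behind the allow-list.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hardened: parse the URL, read only the query parameter (searchParams never
// contains the fragment), and accept only values from a fixed allow-list.
// In a browser, prefer document.createElement("option") plus textContent
// over building markup strings at all.
function renderOptionSafe(href) {
  let lang;
  try {
    lang = new URL(href).searchParams.get("default");
  } catch (e) {
    return ""; // malformed URL: render nothing rather than guess
  }
  if (lang === null || !ALLOWED_LANGUAGES.includes(lang)) return "";
  const safe = escapeHtml(lang);
  return "<option value='" + safe + "'>" + safe + "</option>";
}

// Constructed input: a harmless <b> marker in the fragment stands in for
// attacker-controlled markup. The server only ever sees "?default=English".
const SAMPLE = "http://dvwa.local/vulnerabilities/xss_d/?default=English#<b>x</b>";
```

Run the two renderers on SAMPLE: the vulnerable one emits the fragment's markup verbatim, the hardened one emits only the allow-listed option.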