Welcome back to the Methodology Walkthrough at the Cybersec Cafe. Here’s the biweekly deep dive for your Tuesday morning coffee.
Objective
Construct an HTML page on the Exploit Server that calls the print() function by exploiting the DOM XSS vuln.
What is DOM XSS?
DOM XSS (Document Object Model Cross-Site Scripting) is a vulnerability that occurs when the client-side web page processes untrusted data from user input to modify the DOM in an unsafe way. Unlike traditional XSS, DOM XSS is entirely executed on the client-side, making it more challenging to detect and mitigate. Vulnerabilities can lead to the execution of arbitrary JavaScript in the context of the user’s browser, resulting in malicious activities like stealing information, session hijacking, or delivering further payloads.
Methodology
The Recon
As we do in this series, let’s start by gaining an understanding of what the lab environment looks like and map out the lab.
We have a blog environment with no ability to login, but the ability to comment.
Let’s leave a comment to capture the request.
It seems like that’s all that’s available to us in terms of functionality. Let’s take a look at the SiteMap for any other clues…
Nothing really stands out right away.
But, that’s okay. Since DOM XSS is what we’re searching for, we’ll find what we’re looking for by inspecting the DOM of our target website.
Even though we know this, it’s good to get in the habit of performing the usual recon steps.
Right click on the Home Page and click Inspect.
As we begin to expand the different div tags, we can see there is a script tag that immediately sticks out.
Upon opening the script, we can see there is an addEventListener that listens for a web message.
It looks like we’ve found our attack vector.
Testing
First, let’s examine the code…
window.addEventListener('message', function(e) {
    var url = e.data;
    if (url.indexOf('http:') > -1 || url.indexOf('https:') > -1) {
        location.href = url;
    }
}, false);
Then start to deduce what’s happening.
It checks to make sure either http: or https: is present.
Logically, this makes sense as a way to verify that the message is a web location. However, it is not implemented correctly: it checks that the string is present anywhere in the value, rather than at the beginning.
The value then flows into a sink: location.href.
Let’s craft a payload to take advantage.
Exploitation
Navigate to the exploit server.
In order to deliver the payload, we’ll need to craft an iframe:
<iframe src="https://lab-subdomain.web-security-academy.net/"/>
Next, we’ll need a trigger. This can be the onload attribute, which will fire the payload as soon as the iframe loads.
Start with this.contentWindow.postMessage for the onload payload, triggering the postMessage functionality.
Next, we can deliver the print() payload using a javascript: URL - javascript:print()
But, we need to add http: or https: somewhere to circumvent the logic.
Let’s add one as a comment.
Finally, to put it all together, our payload should look something like:
<iframe src="https://0aac00be043c466681d7c5c800bb006e.web-security-academy.net/" onload="this.contentWindow.postMessage('javascript:print()//http:','*')">
We can deliver the exploit to our victim via the exploit server body.
Lab Solved!
What We’ve Learned
We’ve seen that we can deliver a DOM XSS payload to a victim user through this web message. If there are no protections in place, this could be devastating, allowing the attacker to execute any JavaScript they please. This could be delivered to a victim via a phishing attack, which is one of the most common vectors for cyberattacks - meaning a high probability of the payload getting executed.
Mitigating DOM XSS involves validation and sanitization of user input. Use secure JavaScript libraries and avoid using unsafe methods for manipulating the DOM.
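To make the mitigation concrete for the listener examined in the Testing section, here is an added example (my own code, not the lab's) placing the lab's substring check next to a hardened version that parses the message as a URL, allows only http(s) schemes and an allowlisted host, and checks the sender's origin first. The function names and the example.com host are my own assumptions.

```javascript
// Added example: the lab's flawed check beside a hardened replacement.
// Function names and the allowlisted host are assumptions, not from the lab.

// The lab's check: a substring match that any javascript: URL satisfies
// simply by containing "http:" somewhere, e.g. in a trailing comment.
function weakAllowsUrl(url) {
  return url.indexOf('http:') > -1 || url.indexOf('https:') > -1;
}

// Hardened replacement: parse the message as a URL and allow only http(s)
// schemes and known hosts. Parsing defeats "javascript:print()//http:"
// because the parser sees the scheme "javascript:", not the substring.
function safeRedirectTarget(url, allowedHosts) {
  let parsed;
  try {
    parsed = new URL(String(url)); // throws on relative or malformed input
  } catch (_e) {
    return null;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  if (!allowedHosts.includes(parsed.hostname)) return null;
  return parsed.href;
}

// Listener logic factored out so it can be tested outside a browser.
// Returns the URL to navigate to, or null when the message must be ignored.
function handleWebMessage(event, trustedOrigin, allowedHosts) {
  // Any window can postMessage to this page; check who sent it first.
  if (event.origin !== trustedOrigin) return null;
  return safeRedirectTarget(event.data, allowedHosts);
}

// How the hardened listener would be wired into the page (browser only):
//   window.addEventListener('message', function (e) {
//     var target = handleWebMessage(e, location.origin, [location.hostname]);
//     if (target) location.href = target;
//   }, false);
```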
Want to give the lab a try yourself? You can check it out on PortSwigger’s website here.
Securely Yours,
The Cybersec Cafe
Just a heads up, The Cybersec Cafe's got a pretty cool weekly cadence.
Every week, expect to dive into the hacker’s mindset in our Methodology Walkthroughs or explore Deep Dive articles on various cybersecurity topics.
Oh, and if you want even more content and updates, hop over to Ryan G. Cox on Twitter/X or my Website. Can't wait to keep sharing and learning together!