DOM XSS Using Web Messages (Practitioner) — PortSwigger Lab 1 | Solution and Approach
PortSwigger's DOM-Based Vulnerability Lab 1 Approach and Explanation by Karthikeyan Nagaraj
1. What is the DOM?
The Document Object Model (DOM) is a web browser’s hierarchical representation of the elements on the page.
Websites can use JavaScript to manipulate the nodes and objects of the DOM, as well as their properties. DOM manipulation in itself is not a problem. In fact, it is an integral part of how modern websites work. However, JavaScript that handles data insecurely can enable various attacks.
DOM-based vulnerabilities arise when a website contains JavaScript that takes an attacker-controllable value, known as a source, and passes it into a dangerous function, known as a sink.
2. What is DOM-based cross-site scripting (XSS)?
DOM-based XSS vulnerabilities usually arise when JavaScript takes data from an attacker-controllable source, such as the URL, and passes it to a sink that supports dynamic code execution, such as eval() or innerHTML.
3. How to Exploit DOM-Based XSS
The most common source for DOM XSS is the URL, which is typically accessed with the window.location object.
An attacker can construct a link to send a victim to a vulnerable page with a payload in the query string and fragment portions of the URL. In some cases, such as when targeting a 404 page or a website running PHP, the payload can also be placed in the path.
Lab: DOM XSS using web messages
Description of Lab:
This lab demonstrates a simple web message vulnerability. To solve this lab, use the exploit server to post a message to the target site that causes the print() function to be called.
1. Look at the source code of the lab. We have found a script that contains an addEventListener() call that listens for the message event.
2. Store the payload below in the exploit server's body and click Deliver to send it to the victim. Make sure to replace YOUR-LAB-ID in the payload with your own lab ID.
<iframe src="https://YOUR-LAB-ID.web-security-academy.net/"
onload="this.contentWindow.postMessage('<img src=1 onerror=print()>','*')">
- The postMessage() call in the payload sends a message to the page's event listener when the <iframe> is loaded.
- The listener inserts the message into the div with the ID ads.
- This inserts our img tag, which contains an invalid src attribute. The failed load throws an error, which causes the onerror event handler to execute our payload print(), which solves the lab.
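To make the source-to-sink chain from section 2 and the listener described above concrete from the defender's side, here is an added example (not the lab's own script, nor PortSwigger's code) that models the message handler in its vulnerable form and in a hardened form. The DOM element and the MessageEvent are constructed stand-ins so the logic runs in Node without a browser; the origin string is an assumed placeholder, and looksLikeActiveMarkup() is a hypothetical logging heuristic, not a full HTML parser.

```javascript
// Added example, not part of the original write-up or the lab's source.
// Models the "message" listener that writes event.data into div#ads, plus a hardened version.

const SITE_ORIGIN = "https://YOUR-LAB-ID.web-security-academy.net"; // assumption: the site's own origin

// Constructed stand-in for the <div id="ads"> element (no real DOM available in Node).
function makeAdsDiv() {
  return { id: "ads", innerHTML: "", textContent: "" };
}

// Constructed stand-in for the MessageEvent a postMessage() call delivers.
function makeMessageEvent(origin, data) {
  return { origin, data };
}

// Hypothetical defender-side heuristic: does the string look like HTML that would run
// script once parsed by innerHTML (tag with inline event handler, script tag, javascript: URL)?
// Useful for logging rejected messages; it is not a substitute for avoiding the sink.
function looksLikeActiveMarkup(data) {
  if (typeof data !== "string") return false;
  return /<\s*\w+[^>]*\son\w+\s*=/i.test(data)   // e.g. <img onerror=...>, <svg onload=...>
      || /<\s*script\b/i.test(data)                // <script>
      || /javascript\s*:/i.test(data);             // href="javascript:..."
}

// Vulnerable shape (what the lab page does): no origin check, and event.data is
// assigned to innerHTML, so any window that frames the page can inject markup.
function vulnerableHandler(event, adsDiv) {
  adsDiv.innerHTML = event.data;
  return { accepted: true, rendersMarkup: looksLikeActiveMarkup(adsDiv.innerHTML) };
}

// Hardened shape: accept only the expected origin, require a string, and write it as
// text so the browser never parses it as HTML. An "<img ...>" string stays literal text.
function hardenedHandler(event, adsDiv, trustedOrigin = SITE_ORIGIN) {
  if (event.origin !== trustedOrigin) {
    return { accepted: false, reason: "untrusted origin " + event.origin };
  }
  if (typeof event.data !== "string") {
    return { accepted: false, reason: "non-string data" };
  }
  adsDiv.textContent = event.data; // text node, not markup (stand-in does not mirror into innerHTML)
  return { accepted: true, rendersMarkup: false, suspicious: looksLikeActiveMarkup(event.data) };
}

// Runs the two handlers against a constructed cross-origin message carrying the
// write-up's payload and a same-origin message carrying plain text.
function demo() {
  const payload = "<img src=1 onerror=print()>";
  const crossOrigin = makeMessageEvent("https://EXPLOIT-SERVER-PLACEHOLDER.example", payload); // constructed
  const sameOrigin = makeMessageEvent(SITE_ORIGIN, "Seasonal offer");
  return {
    vulnerable: vulnerableHandler(crossOrigin, makeAdsDiv()),
    hardenedCross: hardenedHandler(crossOrigin, makeAdsDiv()),
    hardenedSame: hardenedHandler(sameOrigin, makeAdsDiv()),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The origin check alone is not enough if the handler still uses innerHTML, because a same-origin page could be coerced into sending attacker-shaped data; writing to textContent (or building elements with createElement) removes the sink, and the origin check limits who can reach the listener at all.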
Thank you for Reading!!
Happy Hunting ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng
portswigger , lab , xss , bug bounty , dom xss , dom based xss ,