PortSwigger Lab: Reflected DOM XSS

Description

  • This lab demonstrates a reflected DOM vulnerability. Reflected DOM vulnerabilities occur when the server-side application processes data from a request and echoes the data in the response. A script on the page then processes the reflected data in an unsafe way, ultimately writing it to a dangerous sink.
  • To solve this lab, create an injection that calls the alert() function.

Recon

  • First, open the developer tools (F12) to check whether there is any suspicious point that could be exploited for XSS
  • Since nothing unusual is visible, we use the search bar and enter an arbitrary input to test
  • Checking again with F12, we notice that after a search a new file appears: searchResult.js
  • Reading it, the variable searchResultsObj is not declared the usual way, which would be:
    var searchResultsObj = this.responseText;
  • Instead, eval() is used to execute the JavaScript passed in as a string, so we can conclude that XSS is exploitable through the site's search function:
    eval('var searchResultsObj =' + this.responseText);

Exploit

  • Start Burp Suite to intercept the search request and send it to Burp Repeater

  • Try entering "alert(1); the response shows that the " has been escaped with a backslash (\)

  • Add a backslash (\) in front of the previous payload; the response shows that the system's escaping backslash (\) has itself been escaped, and the " is injected into the payload

  • Then adjust the payload to complete it, using // to comment out the rest of the query; the final payload is: \"-alert(1)}//

  • Enter it into the search bar and we successfully exploit the XSS vulnerability to execute alert()
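
The mechanism above, as an added example that is not code from the lab or from this writeup: it assumes the server escapes only the " character with a backslash (leaving \ untouched), feeds that response into an eval() sink like the one in searchResult.js, and contrasts it with JSON.stringify on the server plus JSON.parse on the client, which removes the code sink entirely.

```javascript
// Added example (not from the lab or the writeup): models the flawed escaping and
// the eval() sink from searchResult.js, then the data-only alternative.
// Assumption: the server escapes only '"' with a backslash and leaves '\' untouched.

// Stand-in for window.alert so the example runs headless; records each call.
const alertCalls = [];
function alert(arg) { alertCalls.push(arg); }

// Flawed server-side serialisation: '"' becomes '\"', but a '\' in the input is
// not doubled, so an input starting with '\' consumes the escaping backslash.
function flawedSearchResponse(term) {
  const escaped = term.replace(/"/g, '\\"');
  return `{"results":[],"searchTerm":"${escaped}"}`;
}

// Vulnerable client sink: the response body is concatenated into source text and
// evaluated, so a string-literal break-out in searchTerm runs as JavaScript.
function vulnerableSink(body) {
  // The trailing expression returns the value of the var declared inside eval().
  return eval('var searchResultsObj =' + body + '\nsearchResultsObj');
}

// Hardened pair: JSON.stringify escapes both '\' and '"', and JSON.parse treats the
// body strictly as data, so a break-out attempt cannot execute anything.
function safeSearchResponse(term) {
  return JSON.stringify({ results: [], searchTerm: term });
}
function safeSink(body) {
  return JSON.parse(body);
}

// Runs one search term through both paths and reports whether alert() fired.
function compareSinks(term) {
  alertCalls.length = 0;
  const vulnObj = vulnerableSink(flawedSearchResponse(term));
  const vulnAlerts = alertCalls.length;
  const safeObj = safeSink(safeSearchResponse(term));
  return {
    vulnAlerts,
    safeAlerts: alertCalls.length - vulnAlerts,
    vulnTerm: vulnObj.searchTerm,
    safeTerm: safeObj.searchTerm,
  };
}

// The writeup's first attempt stays inside the string; the final payload breaks out.
console.log(compareSinks('"alert(1)'));        // vulnAlerts: 0
console.log(compareSinks('\\"-alert(1)}//'));  // vulnAlerts: 1, safeAlerts: 0
```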