DOM Based Cross Site Scripting (XSS) Vulnerability

-
DOM based cross site scripting (XSS) is similar to both reflected and stored XSS. That is, they can be discovered and exploited similarly. The main difference  is simply that DOM based XSS attacks occur entirely on the client side, meaning the payload is never sent to the server. The benefit to these types of attacks is that there are no logs, filters, and there is no server side protection to prevent them.

 According to OWASP, DOM based XSS "is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment" (https://www.owasp.org/index.php/DOM_Based_XSS).

 For this lab, the only tool used was a simple web browser and a free application used specifically for DOM based XSS practice (https://xss-doc.appspot.com/demo/3#1). The JavaScript running on this application never actually sends any code to a server as the images are already loaded on the page itself. 

To begin, navigate to the site.


Right click on the image and inspect the code. The inspect tool should be open while you click on each image to see how the JavaScipt is actually responsible for loading the images.




To start, I tried to manipulate the URL by simply adding my name.


The site is looking for adam.jpg - a file that does not exist. What I did here was simply add a single quote at the end of  adam.jpg and used the onerror method found on the OWASP cheat cheat. I appended this entire script to the end of the URL.


Once the URL was crafted, I simply refreshed the page, and voilĂ !

Comments

Post a Comment

Popular posts from this blog

Exploiting Local File Inclusion to Gain Shell Access

-
Image
This exploit is aimed at exploiting local file inclusions. The ability to exploit this occurs when a web application uses a path to a file “has to be included as an input without treating it as untrusted input. This would allow a local file to be supplied to the include statement” ( https://www.acunetix.com/blog/articles/local-file-inclusion-lfi/ ). Before running through this exploit, let’s first define what local file inclusion (LFI) is. According to Ian Muscat, LFI “refers to an inclusion attack through which an attacker can trick the web application in including files on the web server by exploiting functionality that dynamically includes local files or scripts. The consequence of a successful LFI attack includes Directory Traversal and Information Disclosure as well as Remote Code Execution” (Muscat, 2017). With this working definition, let's get started running through how I conducted this exploitation. As always, I used Kali Linux as my attacker machine ( https://www....
Read more

Master Port List

-
TCP  0  Reserved TCP  1  Port Service Multiplexer TCP  2  Management Utility TCP  3  Compression Process TCP  4  Unassigned TCP  5  Remote Job Entry TCP  6  Unassigned TCP  7  Echo TCP  8  Unassigned TCP  9  Discard TCP  10  Unassigned TCP  11  Active Users TCP  12  Unassigned TCP  13  Daytime (RFC 867) TCP  14  Unassigned TCP  15  Unassigned [was netstat] TCP  16  Unassigned TCP  17  Quote of the Day TCP  18  Message Send Protocol TCP  19  Character Generator TCP  20  File Transfer [Default Data] TCP  21  File Transfer [Control] TCP  22  SSH Remote Login Protocol TCP  23  Telnet TCP  24  any private mail system TCP  25  Simple Mail Transfer TCP  26  Unassigned TCP  27  NSW User System FE TCP  28  Unas...
Read more

Exploiting File Upload Vulnerabilities with DVWA

-
Image
This exercise explores vulnerabilities associated with file uploads. The target machine was the Damn Vulnerable Web Application (DVWA) found at http://www.dvwa.co.uk/ however, this web application came preinstalled with Metasploitable 2 found at https://information.rapid7.com/metasploitable-download.html . DVWA, according to its website, “is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a classroom environment” ( http://www.dvwa.co.uk/ ). Metasploitable “is virtual machine based on Linux that contains several intentional vulnerabilities for you to exploit. Metasploitable is essentially a penetration testing lab in a box, available as a VMware virtual machine (VMX),” ( https://information.rapid7.com/metasploitabl...
Read more