Exploiting DOM-Based XSS Vulnerabilities
Goal
In this lab, you will get hands-on experience in identifying and exploiting a rudimentary DOM-Based XSS vulnerability. The objective of this lab is to outline how the DOM (Document Object Model) works in relation to JavaScript and how DOM-Based XSS vulnerabilities can be identified and exploited.
Pre-requisites
Basic familiarity with Linux terminal commands.
Basic familiarity with Burp Suite or OWASP ZAP.
Basic familiarity with JavaScript.
Requirements
This lab does not have any requirements.
Solution
Step 1: Open the lab link to access the Kali GUI instance
Step 2: Access the web application
After launching the lab, you will be provided with access to a pre-configured Kali Linux system and will be greeted with the target web application already opened in a Firefox window as shown in the screenshot below.

Step 3: Analyzing the functionality of the web app
In order to identify and exploit DOM-Based XSS vulnerabilities, we first need to have an understanding of how the web application works.
Analyzing the web application reveals that it is a simple arithmetic calculator that allows users to pass an arithmetic operation as the value of the statement parameter in the URL. The result of the calculation is then rendered on the webpage as an integer.

Modifying the arithmetic operation in the URL confirms this. For example, we can perform the operation 10+40 and, as shown in the screenshot below, the result of the calculation (50) is displayed on the webpage.

This is very interesting: we are also able to perform more complex arithmetic operations involving multiplication, division, etc.

Based on how the web app works, what is most notable is how the result of the arithmetic operation is rendered on the webpage. Because the result depends on the values provided, the webpage needs to render it dynamically. This indicates that the DOM is being used in conjunction with JavaScript to dynamically set the value of an element, attribute or text node on the webpage.
We can learn more about how the web app works and interacts with the DOM by analyzing the page source.
As shown in the screenshot below, the JavaScript code responsible for calculating and dynamically displaying the result via the DOM splits the URL and passes the value of the statement parameter to the JavaScript eval() function for evaluation.

The JavaScript eval() function is typically used by developers to evaluate JavaScript code. In this case, however, it has been improperly used to perform the arithmetic operation specified by the user.
NOTE: **The eval() function should never be used to execute JavaScript code supplied in the form of a string, as it can be leveraged by attackers to perform arbitrary code execution.**
Given the improper use of the eval() function, we can inject our XSS payload as the value of the statement parameter and force the eval() function to execute the JavaScript payload.
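The following is an added example (not the lab's own code) that reproduces the pattern described above: the statement parameter is split out of the URL and handed to eval(), alongside a hardened replacement that parses arithmetic only and never executes JavaScript. The hostname lab.local and the helper names are assumptions; only the statement parameter comes from the write-up.

```javascript
// Added example, not the lab's code. Hostname lab.local and the helper names
// are assumptions; the "statement" parameter comes from the write-up.

// Mirrors the lab's approach of splitting the raw URL. (URLSearchParams would
// turn a literal "+" into a space, which is why it is not used here.)
function getStatement(href) {
  const marker = 'statement=';
  const idx = href.indexOf(marker);
  if (idx === -1) return '';
  return decodeURIComponent(href.slice(idx + marker.length).split('&')[0]);
}

// Vulnerable pattern described in the lab: the parameter is handed to eval(),
// so any JavaScript placed in the URL runs in the page's origin.
function unsafeCalculate(href) {
  return eval(getStatement(href)); // DOM-based XSS sink
}

// Hardened replacement: a recursive-descent parser that understands numbers,
// + - * / and parentheses only. Everything else throws and is never executed.
function safeCalculate(href) {
  const tokens = getStatement(href).match(/\d+(\.\d+)?|[-+*\/()]|\S/g) || [];
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];

  function primary() {
    const t = next();
    if (t === '(') {
      const v = expr();
      if (next() !== ')') throw new Error('expected )');
      return v;
    }
    if (t === '-') return -primary();          // unary minus
    if (t !== undefined && /^\d/.test(t)) return Number(t);
    throw new Error(`rejected token: ${t}`);  // e.g. "a" from alert(...)
  }
  function term() {
    let v = primary();
    while (peek() === '*' || peek() === '/') v = next() === '*' ? v * primary() : v / primary();
    return v;
  }
  function expr() {
    let v = term();
    while (peek() === '+' || peek() === '-') v = next() === '+' ? v + term() : v - term();
    return v;
  }
  const result = expr();
  if (pos !== tokens.length) throw new Error(`trailing input: ${peek()}`);
  return result;
}
```

Both functions return 50 for statement=10+40, but only the eval() version will also run a non-arithmetic statement placed in the URL; the parser rejects it instead.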
Step 4: Exploiting DOM-Based XSS Vulnerabilities
Now that we have identified an input in the web application and have an understanding of how the value of the statement parameter is evaluated and rendered, we can test the web app for DOM-Based XSS vulnerabilities by injecting our XSS payload as the value of the statement parameter in the URL.

As shown in the following screenshot, the XSS alert payload is passed to eval() and executed successfully.

We can also leverage this vulnerability to obtain useful information such as cookies. This can be done with the following XSS payload:
Payload:
As shown in the following screenshot, injecting the aforementioned payload results in an alert box displaying the cookie (if any) for your current session on the site.
Conclusion
In this lab, we explored how the DOM is used in conjunction with JavaScript to modify how webpages work and how they are rendered. We also took a look at how to identify and exploit DOM-Based XSS vulnerabilities in web applications manually.