# Intro
- DOM XSS is completely processed on the client-side through JavaScript
- DOM XSS occurs when JavaScript is used to change the page source through the `Document Object Model (DOM)`
- IMPORTANTLY: When we see that the input parameter in the URL uses a hashtag `#` for the item we added (as opposed to a `?` for other parameters), this means it is a client-side parameter that is completely processed in the browser
- Also, if we look at the page source by hitting [`CTRL+U`], we will notice that our `test` string is nowhere to be found
- This is because the JavaScript code updates the page when we click the `Add` button, which happens after the page source is retrieved by our browser; hence the base page source does not show our input, and if we refresh the page, it is not retained (i.e. `Non-Persistent`)
# How DOM XSS Works: Source & Sink
- To further understand the nature of the DOM-based XSS vulnerability, we must understand the concept of the `Source` and `Sink` of the object displayed on the page
- The `Source` is the JavaScript object that takes the user input, and it can be any input parameter like a URL parameter or an input field, as we saw above
- The `Sink` is the function that writes the user input to a DOM Object on the page
- If a `Sink` function writes the exact input without any sanitization (like the below functions), and no other means of sanitization were used, then we know that the page should be vulnerable to XSS
- Some of the commonly used JavaScript functions to write to DOM objects are:
  - `document.write()`
  - `DOM.innerHTML`
  - `DOM.outerHTML`
- Some of the `jQuery` library functions that write to DOM objects are:
  - `add()`
  - `after()`
  - `append()`
# DOM Attacks
- Assuming the alert payload that we previously used does not work because the `innerHTML` JS function in the page source does not allow `<script>` tags within it as a security feature, we can try the below payload, which needs no `<script>` tags
```html
<img src="" onerror=alert(window.origin)>
```
- The above line creates a new HTML image object with an `onerror` attribute that executes JavaScript code when the image cannot be loaded. Since we provided an empty image link (`""`), our code should always get executed without having to use `<script>` tags
![[images/Pasted image 20251212203418.png]]
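To tie the `Source`/`Sink` concept and the `<img onerror>` payload together, the following is an added example (not code from the original notes or from the lab page) that models the flow in plain Node.js with no browser: a `#task=` fragment is the source, string concatenation into `innerHTML`-style markup is the vulnerable sink, and HTML-encoding before concatenation is the fix. The `example.test` URL and the `task` parameter name are assumptions.

```javascript
// Added example: DOM XSS source -> sink flow, modelled without a browser.
// The URL, the 'task' parameter and the <li> markup are constructed for illustration.

// What the browser actually sends to the server: path + query only.
// The fragment (#...) never leaves the browser, which is why a '#task=' parameter
// is purely client-side and never shows up in the server-rendered page source.
function serverSeesRequestTarget(pageUrl) {
  const u = new URL(pageUrl);
  return u.pathname + u.search;
}

// SOURCE: read the 'task' value out of the URL fragment (client-side parameter).
function taskFromFragment(pageUrl) {
  const fragment = new URL(pageUrl).hash.replace(/^#/, "");
  return new URLSearchParams(fragment).get("task") ?? "";
}

// Vulnerable SINK: the string a page would assign to element.innerHTML.
// The input is concatenated into markup unchanged, so an <img onerror=...>
// payload becomes live HTML and its handler runs when the empty src fails to load.
function renderTaskUnsafe(task) {
  return `<li class="task">${task}</li>`;
}

// Hardened SINK: encode the HTML metacharacters before concatenation.
// In a real page, prefer element.textContent = task, which needs no encoding at all.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}
function renderTaskSafe(task) {
  return `<li class="task">${escapeHtml(task)}</li>`;
}

// Constructed URL carrying the payload from the notes above in the fragment.
const demoUrl =
  'http://example.test/tasks?page=1#task=<img src="" onerror=alert(window.origin)>';

console.log("server sees :", serverSeesRequestTarget(demoUrl));
console.log("source value:", taskFromFragment(demoUrl));
console.log("unsafe sink :", renderTaskUnsafe(taskFromFragment(demoUrl)));
console.log("safe sink   :", renderTaskSafe(taskFromFragment(demoUrl)));
```

Running it shows the server only ever sees `/tasks?page=1`, while the unsafe sink emits the live `<img ... onerror=...>` element and the safe sink emits inert `&lt;img ...&gt;` text.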
# Exercise
- Try the empty image `src` payload
```html
<img src="" onerror=alert(window.origin)>
```
![[images/Pasted image 20251212203825.png]]
- Try to leak the cookie
```html
<img src="" onerror=alert(document.cookie)>
```
![[images/Pasted image 20251212203916.png]]
![[images/Pasted image 20251212203937.png]]