DOM XSS


Brief Description

After extensive recon on a wide-scope target, checking the live web servers one by one, one server stood out with many endpoints and things to play with. One of its redirect pages let the user control the redirect target, and because that target was read from an attacker-controlled source in the DOM, the open redirect escalated to DOM XSS.

Reconnaissance Steps

Looking back through my Burp Suite history, there was a page that performed redirects and returned the following response.

picture

The redir parameter let a user choose where to be redirected, which proved to be an Open Redirect; supplying a javascript: URL such as javascript:alert(document.domain) turned it into XSS. The input was not reflected in the HTTP response, so the flaw had to live in client-side code. By Synack standards for DOM XSS, SRTs must be able to explain the root cause of the flaw for the report to be considered for acceptance.

So I used DOM Invader to locate the flaw: injecting the payload javascript:console.log(synack) made the sink show up in DOM Invader's log.

picture

As shown, the payload is executed on line 88. Following the source code to line 88 shows where the message is generated; on line 87 the parameter is passed as a URL in the form link: url in the Eloqua form query, according to the comment on line 86.

picture

Then, on line 116 inside function get_query(), the variable url is populated from the attacker-controlled source location.href. That value flows unfiltered into the redirect, so the payload executes when the redirect is performed with the following URL:

https://ca.domain.vi/redirect?redir=javascript:alert(document.domain)

picture
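To make the source-to-sink path concrete, here is an added JavaScript reconstruction of that pattern. It is example code written for this write-up, not the target's actual script: a get_query()-style parser reads redir out of location.href and hands it straight to the navigation sink (the vulnerable version), next to a hardened version that resolves the value against the page's own URL and only allows http(s) targets on an allowlisted host. The names getQuery, navigate, ALLOWED_HOSTS and the allowlisted host ca.domain.vi are assumptions, and the inputs at the bottom are constructed for the demo.

```javascript
// Added example: a reconstruction of the redirect page's source-to-sink path, not the
// target's real code. getQuery, navigate and ALLOWED_HOSTS are assumed names.

// Parse the query string out of a full href into an object.
// Plays the role of the page's get_query(), which read location.href.
function getQuery(href) {
  const out = {};
  const q = href.indexOf('?');
  if (q === -1) return out;
  const qs = href.slice(q + 1).split('#')[0];
  for (const pair of qs.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const k = eq === -1 ? pair : pair.slice(0, eq);
    const v = eq === -1 ? '' : pair.slice(eq + 1);
    out[decode(k)] = decode(v);
  }
  return out;
}

// Percent-decode a query component; malformed sequences are returned as-is.
function decode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

// Stand-in for the browser navigation sink (window.location = url, or a link the
// page then follows). A javascript: URL is not a navigation: the browser runs it in
// the page's origin. Surrounding whitespace and embedded tab/newline are dropped,
// matching how URL parsers treat them.
function navigate(url) {
  const scheme = url.trim().replace(/[\t\n\r]/g, '').split(':')[0].toLowerCase();
  return scheme === 'javascript' ? 'SCRIPT EXECUTED' : 'NAVIGATED:' + url;
}

// Vulnerable: the redirect target is taken verbatim from the attacker-controlled
// source (location.href) and handed to the sink, as the page did via `link: url`.
function vulnerableRedirectTarget(href) {
  const url = getQuery(href).redir;
  return url === undefined ? '/' : url;
}

// Hardened: resolve the value against the page's own URL, then permit only
// http(s) targets on an allowlisted host; everything else falls back to '/'.
const ALLOWED_HOSTS = new Set(['ca.domain.vi']); // assumed allowlist

function safeRedirectTarget(href) {
  const redir = getQuery(href).redir;
  if (!redir) return '/';
  let target;
  try {
    target = new URL(redir, href); // relative paths resolve to the current origin
  } catch (e) {
    return '/';
  }
  if (target.protocol !== 'https:' && target.protocol !== 'http:') return '/';
  if (!ALLOWED_HOSTS.has(target.hostname)) return '/';
  return target.href;
}

// Constructed inputs: the report's payload plus a few bypass attempts.
const page = 'https://ca.domain.vi/redirect?redir=';
const cases = [
  'javascript:alert(document.domain)',
  'JavaScript:alert(1)',       // mixed-case scheme
  '%0Ajavascript:alert(1)',    // leading newline, stripped by URL parsers
  '//evil.example/phish',      // protocol-relative open redirect
  '%2Faccount',                // legitimate same-site path
];
for (const c of cases) {
  console.log(c.padEnd(36),
    'vuln:', navigate(vulnerableRedirectTarget(page + c)).padEnd(45),
    'safe:', navigate(safeRedirectTarget(page + c)));
}
```

The point of parsing with the URL constructor rather than matching on a string prefix is that the browser applies the same normalisation (case-folding the scheme, stripping leading control characters and embedded newlines) before deciding what to do with the value, so a check on target.protocol cannot be bypassed by the whitespace and case tricks that defeat a naive startsWith('javascript:') test.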

After finding the root cause and sending the report, the vulnerability was accepted, and the report earned three stars for the quality of its write-up.

Takeaways

As zseano's methodology mentions, it's important to map the web application and look at its different kinds of functionality. If you find an open redirect, it may be escalatable to XSS; and if the input isn't reflected in the server's response, it may be a DOM XSS, which Synack tends to reward more highly.
