In this walkthrough, we will go through the DOM Based Cross Site Scripting section of the DVWA labs. We will explore DOM XSS attacks and learn what makes an application vulnerable to them, starting with the security level set to Low and gradually increasing the difficulty as we progress. So, let’s get started with the hacking without any delay.
DOM Based Cross Site Scripting Attacks:
DOM based Cross Site Scripting (XSS) is an attack in which the application’s own client-side JavaScript takes data from an attacker-controlled source (such as the URL in `document.location`) and passes it to a sink that renders HTML or executes code (such as `document.write`, `innerHTML` or `eval`). Unlike reflected or stored XSS, the payload does not have to appear in the server’s response at all; the browser’s script writes it into the page. The DOM (Document Object Model) is the tree of objects a browser uses to represent and work with an HTML document. If an attacker can get their input written into the DOM unescaped, they can execute XSS payloads in the victim’s browser and perform various nefarious actions.
Security: Low (XSS-DOM)
- Set the security level to Low, with PHPIDS enabled.
- The application has a “Choose language” drop-down. Selecting a language sends a GET request with the chosen value in the `default` parameter, which the page uses as the pre-selected option.
- Let’s try the payload below to pop an alert box containing the document’s domain. If no restriction is in place, we will get a pop-up.
localhost/vulnerabilities/xss_d/?default=document.write('... <script>alert(document.domain)</script> ...');
- Looking at the source, there is no restriction on the input at this level: the page’s own JavaScript reads the URL from `default=` onward, URL-decodes it and writes it into the document, so the `<script>` element in our input lands in the page and executes. The `document.write('... ...')` text around it in the payload is only filler; the `<script>` element is what runs.
- Now let’s use the payload below to display the user’s cookie, as the task objective asks.
http://localhost/vulnerabilities/xss_d/?default=English&document.write('<script>alert(document.cookie)</script>');
Security: Medium (XSS-DOM)
- Set the security level to Medium, with PHPIDS enabled.
- The application has the same “Choose language” drop-down; selecting a language sends a GET request with the chosen value in the `default` parameter.
- Let’s check whether the application is still vulnerable at Medium, and whether the filter can be bypassed, using the payload below.
localhost/vulnerabilities/xss_d/?default=English&document.write('... <script>alert(document.domain)</script> ...');
- We did not hit any error and the application let the payload run. Looking at the source, the Medium level checks that the `default` parameter is set and, if it contains `<script` (matched case-insensitively), redirects back to `?default=English` instead of serving the request. The check runs server-side on the parsed parameter, and PHP cuts `default` off at the `&`, so the server only sees `English`. The page’s JavaScript, however, takes everything after `default=` in the raw URL, so our `<script>` element still reaches the `document.write()` sink. This is why the payload above bypasses the filter.
- Let’s dump the user’s cookie using the payload below, which bypasses the application’s check and PHPIDS in the same way.
http://localhost/vulnerabilities/xss_d/?default=English&document.write('<script>alert(document.cookie)</script>');
Security: High (XSS-DOM)
- Set the security level to High, with PHPIDS enabled.
- The application has the same “Choose language” drop-down; selecting a language sends a GET request with the chosen value in the `default` parameter.
- I tried the payload below again to check for DOM XSS, and we got a pop-up in response.
localhost/vulnerabilities/xss_d/?default=English&document.write('... <script>alert(document.domain)</script> ...');
- Looking at the source, the High level again checks that the `default` parameter is set, and a switch statement then allows only a whitelist of languages, redirecting everything else to `?default=English`. The payload above bypasses it the same way as before: the server parses `default` as `English`, which is on the whitelist, while the client-side script uses everything after `default=` in the URL, payload included. Putting the payload after a `#` instead of `&` also works, since the browser never sends the fragment to the server but `document.location.href` still contains it.
- Let’s dump the user’s cookie using the payload below, which bypasses the whitelist and PHPIDS in the same way.
http://localhost/vulnerabilities/xss_d/?default=English&document.write('<script>alert(document.cookie)</script>');
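To make the Low/Medium/High difference concrete, here is a small Node.js model of the behaviour described above. It is an example added here, not DVWA’s own code: a server-side check on the parsed `default` parameter (none at Low, a `<script` filter at Medium, a language whitelist at High) sits beside a client-side sink that takes everything after `default=` in the raw URL. The whitelist members, the sample URLs and the `attack()` / `safeSelectedLanguage()` helpers are assumptions for illustration. Running it with `node` shows why the `&` (and `#`) payloads pass the server while a direct `<script>` does not, and how a hardened client avoids the problem.

```javascript
// Added example (not DVWA's own code): a model of the "Choose language" page's
// server-side checks and its client-side DOM sink, as described in the walkthrough.
// Runs offline under Node.js; no browser is needed.

const BASE = "http://localhost/vulnerabilities/xss_d/";

// Assumed whitelist for the High level (the walkthrough only says "a whitelist").
const ALLOWED_LANGUAGES = ["English", "French", "German", "Spanish"];

// Server side: what PHP's $_GET['default'] sees, and whether the level serves the
// request (true) or redirects back to ?default=English (false).
// URLSearchParams, like PHP, splits on '&' and never sees the '#fragment'.
function serverAccepts(level, href) {
  const value = new URL(href).searchParams.get("default");
  if (value === null) return true;
  switch (level) {
    case "low":
      return true; // no protection at all
    case "medium":
      return !value.toLowerCase().includes("<script"); // blocks only a literal <script tag
    case "high":
      return ALLOWED_LANGUAGES.includes(value);
    default:
      throw new Error("unknown security level: " + level);
  }
}

// Vulnerable client side: the page's script reads the raw href from "default="
// onward, URL-decodes it and hands it to document.write(). Returns the HTML string
// that would be written (the sink), so it can be inspected without a browser.
function vulnerableOptionHtml(href) {
  const marker = "default=";
  const i = href.indexOf(marker);
  if (i < 0) return "";
  const lang = href.substring(i + marker.length); // '&' and '#' are NOT delimiters here
  return "<option value='" + lang + "'>" + decodeURI(lang) + "</option>";
}

// Crude indicator that a script element landed in the written HTML.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Runs one request through the model: server check first (a rejected request is
// redirected to ?default=English, so the payload is gone), then the client sink.
function attack(level, href) {
  const serverAccepted = serverAccepts(level, href);
  const served = serverAccepted ? href : BASE + "?default=English";
  const html = vulnerableOptionHtml(served);
  return { serverAccepted, html, scriptInjected: containsScriptTag(html) };
}

// Hardened client: parse the URL properly, allowlist the value, and only then put
// it into the page via DOM APIs (option.value / textContent), never document.write.
function safeSelectedLanguage(href) {
  const value = new URL(href).searchParams.get("default");
  return ALLOWED_LANGUAGES.includes(value) ? value : "English";
}

// Constructed sample URLs, written the way a browser stores them in location.href
// ('<' and '>' are percent-encoded in the query, hence the sink's decodeURI call).
const PAYLOAD = "%3Cscript%3Ealert(document.domain)%3C/script%3E";
const SAMPLE_HREFS = {
  benign:    BASE + "?default=German",
  direct:    BASE + "?default=" + PAYLOAD,          // works at Low only
  ampersand: BASE + "?default=English&" + PAYLOAD,  // server sees "English"
  fragment:  BASE + "?default=English#" + PAYLOAD,  // server never sees the fragment
};

for (const level of ["low", "medium", "high"]) {
  for (const [name, href] of Object.entries(SAMPLE_HREFS)) {
    const r = attack(level, href);
    console.log(level.padEnd(6), name.padEnd(9),
      "server:", r.serverAccepted ? "served  " : "redirect",
      "script injected:", r.scriptInjected,
      "| hardened client selects:", safeSelectedLanguage(href));
  }
}
```

The point the table makes is that the server-side filters at Medium and High are sound for what they inspect, the parsed `default` parameter, but the sink never uses that parsed value. Any fix has to be applied where the data is consumed: parse the URL with `URL`/`URLSearchParams` on the client too, validate against the same allowlist, and set the option through `createElement`/`textContent` rather than `document.write`.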
Conclusion:
So, we have completed all the security levels for the DVWA DOM Based Cross Site Scripting vulnerability. We looked at how the application is set up at each level and how the security controls can be bypassed when the server filters the parsed `default` parameter while the browser-side script consumes the raw URL. To mitigate DOM XSS, never write data from an untrusted source such as the URL into the document with `document.write` or `innerHTML`; validate the value against an allowlist on the client as well as the server, and insert it with safe DOM APIs such as `textContent`. On that note, I will take your leave and meet you in the next one with another DVWA vulnerability writeup. Till then, “Keep Hacking”.