12) Reflected DOM XSS
As usual, the first step is to analyse the application. We have a search functionality, so let's search for a random string, then open the developer tools and find where the user input is located in the HTML.
Looking at the debugger source shows an interesting piece of JavaScript code that takes the user input and includes it in the DOM,
and we see that it's using a dangerous sink, which is eval.
So to find an XSS we have to exploit the eval function.
Let's put the website in scope in Burp Suite and search for something, then go back to Burp. You will find an interesting endpoint that takes the user's search input and returns a JSON containing the results and the term being searched for.
So send this request to Repeater.
Now we have to escape the searchTerm to make the eval function execute JS code, for example the alert() function.
\" => escapes the opening double-quote character
- => an arithmetic operator (in this case the subtraction operator) is then used to separate the expressions before the alert() function is called
}// => a closing curly bracket and two forward slashes close the JSON object early and comment out what would have been the rest of the object
Now use it in the search, and hopefully it will trigger an XSS.
And we have solved the lab.
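To show why the payload works and what fixes it, here is an added example (not the lab's or PortSwigger's code; all function names are assumed) that models both halves of the bug: a server-side serializer that only backslash-escapes double quotes, so a user-supplied `\"` becomes `\\"` and terminates the string, and the client-side sink that feeds the body to eval. Next to each sits the hardened form: JSON.stringify, which escapes the backslash as well, and JSON.parse, which accepts only JSON and throws on anything else. The structure-breaking input is constructed here with a harmless `-1` in place of the page's alert() call, and a round-trip check shows which serializer preserves the search term.

```javascript
// Added example (not the lab's code): modelling the reflected search response.

// Naive serializer (the flaw the page describes): escapes only the double
// quote, leaving the backslash alone. Input `\"` therefore becomes `\\"`, which
// eval reads as an escaped backslash followed by a string terminator.
function naiveSearchJson(searchTerm, results) {
  const escaped = searchTerm.replace(/"/g, '\\"');
  return '{"results":' + JSON.stringify(results) +
         ',"searchTerm":"' + escaped + '"}';
}

// Hardened serializer: JSON.stringify escapes every JSON metacharacter,
// including the backslash, so no input can close the string early.
function safeSearchJson(searchTerm, results) {
  return JSON.stringify({ results, searchTerm });
}

// Vulnerable client sink (the pattern the page found in the debugger):
// anything the body can be made to contain is executed as JavaScript.
function parseResponseWithEval(body) {
  return eval('(' + body + ')');
}

// Hardened client sink: JSON.parse never executes code and rejects
// anything that is not well-formed JSON.
function parseResponseWithJsonParse(body) {
  return JSON.parse(body);
}

// Reviewer's round-trip check: does a search term survive
// serialize -> JSON.parse unchanged? False means the serializer is unsafe
// for that input (broken structure or silently altered value).
function roundTrips(serializer, term) {
  try {
    return JSON.parse(serializer(term, [])).searchTerm === term;
  } catch (e) {
    return false;
  }
}

// Constructed inputs (not from the lab): the second follows the shape of the
// page's payload, with `-1` standing in for the alert() call.
const BENIGN_INPUT = 'hello "world"';
const CONSTRUCTED_INPUT = '\\"-1}//';

// Summary a practitioner can run: which serializer keeps each input intact.
function checkSerializers() {
  return {
    naiveBenign: roundTrips(naiveSearchJson, BENIGN_INPUT),           // true
    naiveConstructed: roundTrips(naiveSearchJson, CONSTRUCTED_INPUT), // false
    safeBenign: roundTrips(safeSearchJson, BENIGN_INPUT),             // true
    safeConstructed: roundTrips(safeSearchJson, CONSTRUCTED_INPUT),   // true
  };
}
```

Run `checkSerializers()` to see that only the naive serializer fails on the structure-breaking input; the same body that breaks JSON.parse is exactly the one eval would execute, which is why replacing eval with JSON.parse on the client and using a real JSON encoder on the server closes this class of bug.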