13) Stored DOM XSS

Locate possible injection points

As usual the first step is to analyse the application. We have a search functionality, so let's search for a random string, then open the developer tools and find where the user input is located in the HTML.

and if we look in the debugger sources for JavaScript files we will find this

so from this we know that the injection point will be the comment field, and we can also see the protection mechanism (the escapeHTML() function)

escapeHTML() uses the JavaScript replace() function to encode angle brackets. However, when the first argument is a string, the function only replaces the first occurrence. We exploit this vulnerability by simply including an extra set of angle brackets at the beginning of the comment. These angle brackets will be encoded, but any subsequent angle brackets will be unaffected, enabling us to effectively bypass the filter and inject HTML.
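To make the first-occurrence-only behaviour concrete, here is an added example (not the lab's own source) with an assumed reconstruction of the weak escapeHTML(), a corrected version that escapes every occurrence, and a small check that flags any raw tag surviving the escaping. The function names and the sample comment are my own.

```javascript
// Added example, not code from the lab. Plain Node.js, no dependencies.

// Assumed reconstruction of the vulnerable helper described above. With a
// string as the first argument, String.prototype.replace() rewrites only
// the FIRST match, so every later '<' and '>' passes through untouched.
function escapeHTMLWeak(html) {
  return html.replace('<', '&lt;').replace('>', '&gt;');
}

// Corrected helper: a global regular expression replaces every occurrence,
// and '&', quotes are covered as well so the result is also safe when it
// ends up inside an attribute value.
function escapeHTMLFixed(html) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return html.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Regression check a defender can keep in a test suite: after escaping,
// nothing that still looks like the start of an HTML tag may remain.
function containsRawTag(escaped) {
  return /<[a-zA-Z!/]/.test(escaped);
}

// Constructed sample comment exercising the first-occurrence-only bug.
const SAMPLE_COMMENT = '<><img src=x onerror=alert(1)>';

// Runs both helpers over one comment and reports whether a raw tag leaks.
function demo(comment) {
  const weak = escapeHTMLWeak(comment);
  const fixed = escapeHTMLFixed(comment);
  return {
    weak,
    fixed,
    weakLeaksTag: containsRawTag(weak),   // true: the <img> tag survives
    fixedLeaksTag: containsRawTag(fixed), // false: every bracket is encoded
  };
}

console.log(demo(SAMPLE_COMMENT));
```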

Exploit

<><img src=x onerror=alert(1)>

and then the alert will pop up once we are back to the blog

and we have solved the lab
