June 16, 2026
Cross-site scripting 4 (APPRENTICE)
Lab 6 - DOM XSS in innerHTML sink using source location.search
Nadia
2 min read
This lab contains a DOM-based cross-site scripting vulnerability in the search blog functionality. It uses an innerHTML assignment, which changes the HTML contents of a div element, using data from location.search. To solve this lab, perform a cross-site scripting attack that calls the alert function.
Solution
1. Step 1: Click the orange "Access the Lab" button on the lab's home page.
2. Step 2: A page with a search bar appears. Enter some random text into it, such as z3nsh3ll (just an example, shown in the image below), click Search, then right-click the page and select "Inspect". The page's script is as follows:
```javascript
// Sink: whatever is in the 'search' query parameter is written straight into the DOM as HTML
function doSearchQuery(query) {
    document.getElementById('searchMessage').innerHTML = query;
}

// Source: the 'search' parameter read from location.search (the URL query string)
var query = (new URLSearchParams(window.location.search)).get('search');
if (query) {
    doSearchQuery(query);
}
```
From this script we can conclude that input from the URL (location.search, the source) is inserted directly into innerHTML (the sink) without any filtering or encoding, which makes the page vulnerable to DOM XSS.
3. Step 3: In the search bar, enter a payload wrapped in a <script> tag. Click the search button and the URL changes to https://0a70004004e0f5bb82b17ef3008f00d3.web-security-academy.net/?search= followed by the encoded payload. However, this payload fails to trigger an alert: the browser does not execute <script> elements that are inserted through innerHTML, even though the script tag is present in the DOM when inspected (as shown in the image).
That is why we replace the previous payload with one that uses the onerror event handler: <img src='0' onerror='alert()'>. Click search again and the URL changes to https://0a70004004e0f5bb82b17ef3008f00d3.web-security-academy.net/?search=<img+src%3D'0'+onerror%3D'alert()'>
This payload works because src='0' is intentionally invalid, so the image fails to load and fires the onerror event; the browser then executes the onerror='alert()' code, which displays the alert pop-up.
[Image: Inject XSS Payload]
4. Step 4: After the payload is injected via the URL, the browser displays the alert pop-up, proving that the injected code executed. In the "Inspect" tab (see the image), the payload has been rendered: what was originally just a text string has been converted by the browser into a live HTML element, which is also able to run event handlers such as onerror.
For context, an event handler is a function that the browser calls automatically when something happens to an HTML element; its attribute name is "on" plus the event name, so onerror essentially means "when an error occurs, do this." In this XSS case, the attacker deliberately triggers that error so that the browser runs the code placed in the onerror handler.
5. Step 5: Click OK on the alert pop-up. The page then displays the message "Congratulations, you solved the lab!" and the lab's status changes to "solved".
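To make the source-to-sink flow concrete from the defender's side, here is an added example (my own code, not the lab's or PortSwigger's) that reproduces the URL decoding from Step 3, puts the lab's innerHTML sink next to a hardened textContent version, and checks which one turns the query into a live element. The DOM element is replaced by a small constructed stub so the code runs offline in Node; escapeHtml, makeStubElement and createsElement are my own helper names.

```javascript
// Added example, not the lab's or PortSwigger's code: the lab's innerHTML sink
// next to a hardened version, and the URL decoding that produces the payload.
// DOM elements are replaced by a small stub so this runs offline in Node.

// Same decoding the lab page performs: URLSearchParams turns '+' into a space
// and '%3D' into '='. Input is the query string from the write-up above.
function extractSearch(queryString) {
  return new URLSearchParams(queryString).get('search');
}

// Escape the five characters that can change meaning inside HTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed stand-in for a DOM element: 'markup' is what the HTML parser
// would see. Assigning innerHTML passes the string through as markup;
// assigning textContent stores it as escaped text, as browsers do.
function makeStubElement() {
  const el = { markup: '' };
  Object.defineProperty(el, 'innerHTML', {
    get: () => el.markup, set: (v) => { el.markup = v; },
  });
  Object.defineProperty(el, 'textContent', {
    set: (v) => { el.markup = escapeHtml(v); },
  });
  return el;
}

// Vulnerable sink as in the lab: the query becomes live HTML (img + onerror).
function doSearchQueryVulnerable(el, query) {
  el.innerHTML = query;
  return el.innerHTML;
}

// Hardened sink: textContent never creates elements or event handlers.
function doSearchQuerySafe(el, query) {
  el.textContent = query;
  return el.innerHTML;
}

// True when the rendered markup contains a start tag, i.e. the query was
// interpreted as HTML rather than displayed as text.
function createsElement(renderedMarkup) {
  return /<[a-z]/i.test(renderedMarkup);
}
```

Running the decoded lab query through both sinks shows the vulnerable one yields markup containing an img start tag while the hardened one yields only escaped text.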