Just a DOM-Based XSS


Hey guys, let's talk about a DOM-Based XSS that I found yesterday.

While searching my target I found a subdomain with a login form; it relies on JavaScript to log the user in and redirect them after a valid login.

Let's start debugging. The first function called is submitCredentials, which passes the username and password to another function.


The second function called is fetchJwt, which checks the username and password against an endpoint; if they are valid and a JWT for the session is returned, it calls another function, redirectOnSuccess.


There is a variable we will use.


The third function takes the value of a parameter called continue and redirects the user to it. It does this through another function, getUrlParameter, saving the value in a variable called redirectParam and then redirecting the user to that value.


The fourth function checks the full URL and its parameters using a simple RegEx, which returns the matched values.


The above regex will return an array with two values, like ['?continue=http://google.com', 'http://google.com'].


After all of that we can notice that there is no filtering of the value: the function redirects the user to whatever it contains. So if we try to write javascript:alert(0), we can see in the following screenshot that our payload is accepted.


The whole issue is that when the application calls redirectOnSuccess, our payload only needs to be sitting in the parameter's value.
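To make the root cause concrete, here is an added example (my own reconstruction, not the target's code): a getUrlParameter modelled on the regex described above, the unfiltered redirect beside it, and a hardened variant that only accepts same-origin http(s) targets. The function and variable names follow the post; the query string and the application's origin are passed in as arguments (an assumption so the code runs without a browser), and the origin https://login.example.com is constructed for the example.

```javascript
// Added example, not the blog's code. location/window are assumed away:
// the query string and origin are passed in so this runs stand-alone in Node.

// Mirrors the post's approach: a RegExp over the query string that returns the
// raw value. Nothing is filtered, so any scheme, including javascript:, survives.
function getUrlParameter(search, name) {
  const m = new RegExp('[?&]' + name + '=([^&#]*)').exec(search);
  return m ? decodeURIComponent(m[1].replace(/\+/g, ' ')) : null;
}

// Vulnerable pattern: the value is handed straight to the redirect.
// (In the real page this would be assigned to location.href.)
function redirectOnSuccessVulnerable(search) {
  const redirectParam = getUrlParameter(search, 'continue');
  return redirectParam;
}

// Hardened version: resolve the value against the application's own origin,
// accept only http(s) URLs on that same origin, and return a path (never a
// full URL) so open redirects and javascript: URLs both fall back to a fixed page.
function safeRedirectTarget(search, origin, fallback = '/') {
  const raw = getUrlParameter(search, 'continue');
  if (!raw) return fallback;
  let target;
  try {
    target = new URL(raw, origin); // relative paths resolve; absolute URLs keep their scheme
  } catch (e) {
    return fallback; // unparseable value
  }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return fallback;
  if (target.origin !== new URL(origin).origin) return fallback;
  return target.pathname + target.search + target.hash;
}

const ORIGIN = 'https://login.example.com'; // constructed origin for the example
```

The vulnerable function returns javascript:alert(0) untouched, while the hardened one maps it, an external http URL, and a protocol-relative //host form all to the fallback path.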


And that is it.
