Vulnerability Type: DOM-based Cross-Site Scripting (XSS)
Attack Vector
The vulnerable application dynamically writes user-controlled input from `location.search` (URL parameters) into the DOM using `document.write`, without proper sanitization. This allows an attacker to inject arbitrary JavaScript by breaking out of the HTML context.
Exploitation Steps
- Identify the Sink and Source:
- The search query (e.g., `?search=test`) is reflected in the page’s DOM via `document.write`.
- Inspect the element to observe the input embedded unsafely inside an `img` tag: <img src=”/resources/images/tracker.gif?searchTerm=USER_INPUT”>
- Craft Malicious Payload:
- Break out of the `src` attribute and inject an SVG with an `onload` handler: “><svg onload=alert(1)>
- Trigger the Exploit:
- Enter the payload into the search box. The resulting URL will look like: https://vulnerable-site.com/?search=”><svg onload=alert(1)>
- The `document.write` sinks the payload into the DOM, creating: <img src=”/resources/images/tracker.gif?searchTerm=”><svg onload=alert(1)>”>
- Confirmation:
- The `svg` element’s `onload` event fires, executing `alert(1)` and confirming DOM XSS.
Mitigation Strategies
- Avoid `document.write`:Replace `document.write` with safer DOM manipulation methods (e.g., `textContent`, `innerText`).
- Input Sanitization: Sanitize URL parameters before embedding them in the DOM (e.g., encode `”`, `<`, `>`).
- Content Security Policy (CSP): Restrict unsafe inline scripts and `eval()` to limit XSS impact.
- Use Trusted Libraries: Leverage libraries like DOMPurify to sanitize HTML dynamically.
Key Takeaway
This lab highlights the dangers of unsafely embedding user input into the DOM via `document.write`. Unlike server-side XSS, DOM XSS occurs entirely client-side, making it harder to detect with traditional scanners.
