In this post, we’re going to be solving the lab: “Reflected DOM XSS”:

In this case, we’re told that the server processes request data and displays the response data. Subsequently, a page script processes the reflected data in an insecure way. To solve the lab, we must execute the alert function.
That said, the first thing to do is access the lab:

Once accessed, we can observe a form that allows us to search the blog. To better analyze the behavior of this functionality, we open Burp Suite and activate the proxy in the browser:


With this done, we try to perform any search:


When we click Search, the request shown above is generated. There isn't much to it, and since the lab description already tells us that the vulnerability lies in an insecure page script, we can assume the first search request itself is not where the problem is, so we simply forward it.
When we send the first search request, if we keep Burp Suite’s intercept on, we’ll intercept the following request:

This looks like it was generated by the frontend of the resource requested in the first request (/?search=test). To better analyze its response, we send it to the repeater:

The server returns a response in JSON format, where at the bottom we can observe the search term we entered.
Since the search term is reflected inside the JSON, we can try to break out of the JSON context, for example by injecting an alert:

In the response, we can observe that the injected characters come back exactly as sent, so the search term is not sanitized or escaped at all and we are able to break out of the JSON string. Using the payload above, we place it in the request we left in the proxy and send it:
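The root cause here is that the search term is concatenated into the JSON response without encoding, and the page script then treats that response as more than plain data. The following added example, which is not the lab's own code, shows the same flaw and its fix in a few lines: a server-side builder that concatenates the term (unsafe) beside one that lets `JSON.stringify` escape it (safe), and a client that consumes the body with `JSON.parse`, which never evaluates code and fails closed on tampered input. The function names and the sample search terms are constructed for this illustration; the lab's actual script is not shown on the page.

```javascript
// Added example (not the lab's own code): reflecting a search term into a
// JSON response safely vs. unsafely, and consuming it on the client as data.

// Unsafe: builds the JSON body by string concatenation. A term containing a
// double quote or backslash can end the string early and change the object's
// structure, which is exactly the condition the lab relies on.
function buildSearchResponseUnsafe(term, results) {
  return '{"results":' + JSON.stringify(results) +
         ',"searchTerm":"' + term + '"}';
}

// Safe: the JSON encoder escapes every special character in the term, so the
// term always stays inside its string no matter what the user typed.
function buildSearchResponseSafe(term, results) {
  return JSON.stringify({ results: results, searchTerm: term });
}

// Client side: parse the response text strictly as data. JSON.parse throws a
// SyntaxError on malformed input and never executes anything, unlike code
// paths that evaluate the response text as a script.
function parseSearchResponse(body) {
  try {
    const data = JSON.parse(body);
    // Defensive shape check: refuse responses that do not look like ours.
    if (typeof data !== 'object' || data === null ||
        typeof data.searchTerm !== 'string' || !Array.isArray(data.results)) {
      return { ok: false, error: 'unexpected response shape' };
    }
    return { ok: true, data: data };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Round-trip check: does the term the client reads back equal what the user
// actually typed? True means the term was contained; false means the JSON
// structure was broken (or the term was altered) on the way through.
function roundTrips(builder, term) {
  const parsed = parseSearchResponse(builder(term, []));
  return parsed.ok && parsed.data.searchTerm === term;
}

// Constructed sample inputs: a benign term and two that contain the
// characters JSON treats specially.
const SAMPLE_TERMS = ['test', 'test"}', 'test\\'];

// Compare both builders over the sample terms.
function compareBuilders() {
  return SAMPLE_TERMS.map(function (term) {
    return {
      term: term,
      unsafeRoundTrips: roundTrips(buildSearchResponseUnsafe, term),
      safeRoundTrips: roundTrips(buildSearchResponseSafe, term)
    };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(compareBuilders());
}
```

Run with `node`: the benign term round-trips through both builders, while the two terms containing a quote or a backslash only survive the safe builder; with the unsafe builder the client's `JSON.parse` rejects the body. That failing parse is also what you would expect to see in the browser console as a SyntaxError if the page script were fixed to use `JSON.parse`, which is a useful signal when reviewing a fix.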


This way, we successfully obtain an XSS and solve the lab:

