In this post, we will be solving the lab: “Stored DOM XSS”.

In this case, the statement tells us that there is a stored DOM XSS vulnerability in the blog’s comment functionality. To solve the lab, we must exploit the vulnerability and execute the alert function.
That said, the first thing to do is access the lab:

Once we’re in, we can see that there are different articles. In this case, we’re going to view the first one:


When accessing an article, we can see that there is a comments section:

In this case, we will simply fill it in with random data and publish a comment:

Once published, we return to the article to see our comment:


It has been published without any issues.
If we investigate the source code and the different dependencies (JS files) a bit, we can find the following JavaScript file, called loadComments.js:

The file, among other things, has a function that HTML-encodes the > and < symbols (replacing them with their entities) when loading comments.
This is where the flaw is: the substitution is done with the replace method called with a plain string pattern, and in that form replace only substitutes the first occurrence it finds. For example, if I take the word “patata” and use replace to substitute the ‘a’s with an ‘e’, the result is “petata”, not “petete”.
Reference on how the replace() method works in JavaScript
So, taking this behavior into account, we can create a typical XSS payload but place <> at the very beginning, so that those two characters are the ones the script encodes while the symbols used in the malicious code are left untouched:
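As an added example (not the lab's loadComments.js and not the post's own code), the following JavaScript reproduces the encoder bug described above on a constructed comment and puts a corrected encoder beside it. The function names, the wrapper markup and the sample comment are my assumptions; the sample deliberately uses a harmless bold tag rather than a payload, since the point is to see which angle brackets survive encoding.

```javascript
// Flawed encoder, as the post describes it: String.prototype.replace
// with a *string* pattern substitutes only the first match, so only the
// first '<' and the first '>' are encoded and any later angle brackets
// reach the page untouched.
function escapeHTMLFlawed(text) {
  return text.replace('<', '&lt;').replace('>', '&gt;');
}

// Corrected encoder: global regular expressions replace every occurrence.
// '&' is handled first so the entities emitted afterwards are not re-encoded.
function escapeHTML(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Minimal model of how a comment ends up in the page: the encoder's output
// is concatenated into markup (assumed wrapper, returned for inspection).
function renderComment(body, escapeFn) {
  return '<p class="comment">' + escapeFn(body) + '</p>';
}

// Detection check a reviewer or test can run on the encoder's output:
// a correct encoder never leaves a raw angle bracket behind.
function leaksAngleBrackets(escaped) {
  return /[<>]/.test(escaped);
}

// The post's "patata" illustration, string pattern vs. global regex.
function replaceFirstVsAll(word, from, to) {
  return {
    first: word.replace(from, to),                   // only the first match
    all: word.replace(new RegExp(from, 'g'), to),    // every match
  };
}

// Constructed sample comment: leading "<>" is consumed by the flawed
// encoder, so the bold tag that follows it is left as live markup.
const SAMPLE_COMMENT = '<> Hello <b>world</b>';

// Stand-alone demonstration.
console.log(renderComment(SAMPLE_COMMENT, escapeHTMLFlawed));
// -> <p class="comment">&lt;&gt; Hello <b>world</b></p>   (tag survives)
console.log(renderComment(SAMPLE_COMMENT, escapeHTML));
// -> <p class="comment">&lt;&gt; Hello &lt;b&gt;world&lt;/b&gt;</p>
console.log(replaceFirstVsAll('patata', 'a', 'e'));
// -> { first: 'petata', all: 'petete' }
```

The corrected encoder fixes the symptom the lab relies on, but in a real code base the safer change is to stop building HTML from user input at all and assign the comment to `textContent` instead of `innerHTML`, so no encoder is needed in the first place.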


This way, when publishing the comment and returning to the post:

We manage to execute the JavaScript code we inserted, in this case the alert.
This way, we manage to solve the lab:

