Friday, December 02, 2011

Double eval() for DOM based XSS


DOM based XSS are becoming relatively common with Web 2.0 and Ajax driven applications. DOM based applications are using eval() method to inject new stream into the existing DOM. In certain cases it is becoming tricky to pass on the values for pen-testing and to create an abuse/exploit scenario. Recently during consulting we came across different DOM based XSS and objective is to get a pop-up to confirm the vulnerability. If we get an eval call then it is possible to double eval-ing to convert text back into payload.

Here is a simple scenario; it can be complicated on case to case basis.
For example, we have following line in the code

eval('getProduct('+ koko.toString()+')');

Here “koko” is coming from URL or controlled by user. Hence, if we pass on the value in following URL it gets to the “getProduct” function.

Testing scenario is simple, it causes DOM based XSS with following condition.

We are passing payload terminating function, ending statement and commenting out rest of the script. We get a simple pop-up if we pass on following code.

But to prove a point if we want to craft any other payload where we need to send single quote, for example want to execute “document.getElementsByName('Login')” will not work since we have that single quote that will raise syntax error. For simplicity if we pass on alert(‘hi’), it will not work and we will not get popup in above scenario.

We get following error in the browser.

Error: syntax error
Source File: http://192.168.3.2/catalog.aspx?pid=3%27);elval(alert(%27hi%27));//
Line: 37, Column: 29
Source Code:
getProduct(3%27);elval(alert(%27hi%27));//)

Interestingly, we can leverage double eval() in this case, we pass on following payload and let’s see what happens…

It will avoid error and we will get a pop-up. What we did was simple, we used fromCharCode function and passed on decimal values for alert(‘hi’) here, first eval will convert it into string and second eval will execute the code. Hence, double eval can rescue while testing DOM based XSS.

Curiously I searched this trick on web if people are using it and came across this article - http://blogs.msdn.com/b/infopath/archive/2006/04/05/569338.aspx
Double eval() can be leveraged for string operations and concatenation.

2 comments:

Jeremy said...

Wouldn't escaping the single tick work too? As in:

http://192.168.3.2/catalog.aspx?pid=3);alert(\'test\');//

shreeraj said...

Nop. It will not work - going through URL browser will not process. It may work through POST params.

Error: illegal character
Source File: http://192.168.3.2/catalog.aspx?pid=2%27);alert(\%27hi\%27)//
Line: 37, Column: 23
Source Code:
getProduct(2%27);alert(\%27hi\%27)//)