The login Ajax routine is an interesting place to check variable definitions and assignments in a "single DOM application"/HTML5/Web 2.0 framework. If variables are not created with proper scope, they can be accessed as globals and may contain interesting information like usernames, passwords, tokens, etc. Interestingly, we need to do a lot of JavaScript analysis with Web 2.0, Ajax, HTML5 and single-DOM applications.

For example, here is a routine for login. It can be buried in one of the JS files, but it gets loaded into the DOM at the point of call and remains there throughout the application life cycle.
```javascript
function getLogin()
{
    gb = gb + 1;                                   // undeclared: becomes a global

    var user = document.frmlogin.txtuser.value;
    var pwd = document.frmlogin.txtpwd.value;
    var xmlhttp = false;

    try
    {
        xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");
        // other code for XHR initialization
    }
    catch (e)
    {
        xmlhttp = new XMLHttpRequest();            // non-ActiveX browsers
    }

    // no var/let/const: "temp" is created as a global on window
    temp = "login.do?user=" + user + "&pwd=" + pwd;
    xmlhttp.open("GET", temp, true);
    xmlhttp.onreadystatechange = function()
    {
        // other code on state ready change
    };
    xmlhttp.send(null);
}
```
Here, the temp variable crafts the URL and submits the username and password for the Ajax call. (It could equally be part of a POST body if sent through send().) The "temp" variable is very loosely defined as a global (it is assigned without var) and can therefore be accessed from the DOM.

Is it easy to access those variables from the DOM? Yes, it needs a DOM-based XSS, but the coding practice here is poor. Payload to exploit the vulnerability:
```javascript
// enumerate every property of window and print the string-valued ones
for (i in window) {
    obj = window[i];
    try {
        if (typeof(obj) == "string") {
            console.log(i);
            console.log(obj.toString());
        }
    } catch (ex) {}
}
```
You will get the "temp" variable with the following value: login.do?user=foo&pwd=foobar.
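As an added example (not code from the original post), the snippet below puts the leaky shape of the login routine above beside a properly scoped version, and turns the window-enumeration loop into an audit check a reviewer can run in a test or a dev console to confirm that no credential-bearing string is reachable from the global object. The `login.do` endpoint, the field names and the `foo`/`foobar` credentials are constructed for illustration; nothing is actually sent, each routine just returns the request it would hand to XMLHttpRequest or fetch.

```javascript
// Added example, not the original post's code. Runs in Node or a browser.

// Vulnerable shape: the request string is assigned without var/let/const.
// In non-strict browser code an undeclared assignment creates a property on
// the global object; globalThis.temp is written explicitly here so the
// behaviour is identical whether or not this file runs in strict mode.
function leakyLogin(user, pwd) {
  globalThis.temp = "login.do?user=" + user + "&pwd=" + pwd;
  // A real routine would now do xmlhttp.open("GET", temp, true) and send.
  return { method: "GET", url: globalThis.temp, body: null };
}

// Hardened shape: the request string is block-scoped with const, so it is
// unreachable from outside the function; values are URL-encoded; and the
// credentials travel in a POST body rather than the query string (which
// otherwise lands in browser history and in proxy and server logs).
function scopedLogin(user, pwd) {
  const body =
    "user=" + encodeURIComponent(user) + "&pwd=" + encodeURIComponent(pwd);
  return { method: "POST", url: "login.do", body: body };
}

// Audit check: walk the enumerable properties of a scope object (the post's
// loop over window) and report every string value that looks like a
// credential-bearing request. The pattern is an assumption for this example.
const CREDENTIAL_PATTERN = /(^|[?&])(pwd|password|passwd|token)=/i;

function findLeakedCredentialStrings(scope) {
  const hits = [];
  for (const name in scope) {
    let value;
    try {
      value = scope[name];           // some host objects throw on access
    } catch (ex) {
      continue;
    }
    if (typeof value === "string" && CREDENTIAL_PATTERN.test(value)) {
      hits.push({ name: name, value: value });
    }
  }
  return hits;
}

// Demonstration: the leaky routine leaves the credentials on the global
// object; the scoped routine does not.
function demo() {
  delete globalThis.temp;            // start from a clean global object
  leakyLogin("foo", "foobar");
  const afterLeaky = findLeakedCredentialStrings(globalThis);

  delete globalThis.temp;
  scopedLogin("foo", "foobar");
  const afterScoped = findLeakedCredentialStrings(globalThis);

  return { afterLeaky: afterLeaky, afterScoped: afterScoped };
}

console.log(demo());
// afterLeaky: [{ name: "temp", value: "login.do?user=foo&pwd=foobar" }]
// afterScoped: []
```

The audit helper is the same enumeration the post uses, restricted to strings that carry a credential-looking parameter, so it can sit in a test suite and fail the build if a refactor reintroduces an undeclared variable. Adding `"use strict";` at the top of application scripts gives the same protection at the language level: an undeclared assignment then throws a ReferenceError instead of silently creating a global.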