DOM-based XSS is becoming relatively common in Web 2.0 and Ajax-driven applications. DOM-based applications use the eval() method to inject new content into the existing DOM. In certain cases it becomes tricky to pass values during pen-testing and to build an abuse/exploit scenario. Recently, during a consulting engagement, we came across several DOM-based XSS issues where the objective was to get a pop-up to confirm the vulnerability. If we have an eval call, double eval-ing can convert text back into the payload. Here is a simple scenario; it can get more complicated on a case-by-case basis.
For example, we have the following line in the code:
eval('getProduct(' + koko.toString() + ')');
Here “koko” comes from the URL, i.e. it is controlled by the user. Hence, if we pass the value in the following URL, it reaches the “getProduct” function.
The testing scenario is simple: it causes DOM-based XSS under the following condition. We pass a payload that terminates the function call, ends the statement and comments out the rest of the script. We get a simple pop-up if we pass the following code.
But to prove a point, if we want to craft any other payload that needs a single quote, for example to execute “document.getElementsByName('Login')”, it will not work, since that single quote raises a syntax error. For simplicity, if we pass alert('hi'), it will not work and we will not get a pop-up in the above scenario.
We get the following error in the browser.
Error: syntax error
Source File: http://192.168.3.2/catalog.aspx?pid=3%27);elval(alert(%27hi%27));//
Line: 37, Column: 29
Source Code:
getProduct(3%27);elval(alert(%27hi%27));//)
Interestingly, we can leverage a double eval() in this case. We pass the following payload and see what happens.
It avoids the error and we get a pop-up. What we did was simple: we used the fromCharCode function and passed the decimal character codes for alert('hi'); the first eval converts them into a string and the second eval executes the resulting code. Hence, double eval can come to the rescue while testing DOM-based XSS.
Curious whether people were already using this trick, I searched the web and came across this article: http://blogs.msdn.com/b/infopath/archive/2006/04/05/569338.aspx
Double eval() can be leveraged for string operations and concatenation.