Stored DOM XSS

Description

This lab demonstrates a stored DOM vulnerability in the blog comment functionality. To solve this lab, exploit this vulnerability to call the alert() function.

Approach

After accessing the lab, I navigated to the comment section and posted a comment while intercepting all the requests with Burp Suite. During this process, I noticed the page requesting an external JavaScript file whose name already hinted at the problem:

GET /resources/js/loadCommentsWithVulnerableEscapeHtml.js HTTP/2
Host: 0ac000e9032ba55c804e9ef300d400a8.web-security-academy.net
Cookie: session=kaw8wO2TsGxZ986MdpVejixuEbjBCQ4V
...

This script contained an interesting function intended to escape the < and > characters before the stored comments are written into the page:

// Vulnerable on purpose: a string pattern passed to replace() matches only the first occurrence
function escapeHTML(html) {
    return html.replace('<', '&lt;').replace('>', '&gt;');
}

Problem with escapeHTML:

  • The replace method with a string as the first argument only replaces the first occurrence of the specified substring.

  • Therefore, in the string <><test ichyaboy>, only the first < and > are replaced, resulting in &lt;&gt;<test ichyaboy>.

To exploit this vulnerability, I can bypass the filter by placing <> at the beginning of my payload: that first pair consumes the single replacement of each character, and everything after it passes through unescaped. Here's the payload I crafted:

<><img src=1 onerror=alert(1)>

By injecting this payload into either the author or the comment field, the payload bypasses the escapeHTML function because only the leading < and > are escaped. When the script later renders the stored comment into the page, the unescaped <img> tag is parsed, the broken src triggers onerror, and the XSS fires. With the alert box popping up, the lab is solved.
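The following is an added example, not code from the lab or this writeup. It places the lab's vulnerable escapeHTML next to a hardened version and runs both over the bypass payload so the difference is visible in the output. The hardened function, the containsRawTag check, and the sample payload are my own assumptions for illustration; the lab's real fix is not shown here.

```javascript
// Added example (not from the lab or the page): the lab's vulnerable escapeHTML
// next to a hardened encoder, exercised with the bypass payload.

// Vulnerable: String.prototype.replace with a string pattern replaces only
// the first match, so every '<' and '>' after the first pair passes through.
function escapeHTMLVulnerable(html) {
  return html.replace('<', '&lt;').replace('>', '&gt;');
}

// Hardened (assumed fix, not the lab's): a global regex replaces every
// occurrence, and the table also covers '&', '"' and "'" so the output is
// safe in an HTML text or attribute context. One pass with a lookup table
// avoids the double-encoding you get from chaining replace() calls when
// '&' is escaped after '<' (the '&' in '&lt;' would be re-encoded).
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};
function escapeHTMLSafe(html) {
  return String(html).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Crude check: does the "escaped" output still contain something the HTML
// parser would treat as a tag start (a '<' followed by a letter)?
function containsRawTag(s) {
  return /<[a-zA-Z]/.test(s);
}

// Constructed payload, same shape as the one used to solve the lab.
// It is only ever handled as a string here; nothing is executed.
const PAYLOAD = '<><img src=1 onerror=alert(1)>';

// Run both encoders over the payload and report whether a raw tag survives.
function demo(input = PAYLOAD) {
  const vulnerable = escapeHTMLVulnerable(input);
  const safe = escapeHTMLSafe(input);
  return {
    vulnerable,
    vulnerableStillHasTag: containsRawTag(vulnerable),
    safe,
    safeStillHasTag: containsRawTag(safe),
  };
}

console.log(demo());
```

Running the block prints the vulnerable output with the <img> tag intact and the hardened output with every angle bracket encoded. The leading <> is what defeats the original: it spends the one replacement each chained replace() call makes, which is exactly the behaviour a regex with the g flag (or String.prototype.replaceAll) removes.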