Try It! DOM-Based XSS

Some attacks are "blind". Fortunately, you have the server running here so you will be able to tell if you are successful. Use the route you just found and see if you can use the fact that it reflects a parameter from the route without encoding to execute an internal function in WebGoat. The function you want to execute is …​

webgoat.customjs.phoneHome()

Sure, you could just use console/debug to trigger it, but you need to trigger it via a URL in a new tab.

Once you do trigger it, a subsequent response will come to your browser’s console with a random number. Put that random number in below.

Solution

• Hint: Open a new tab and navigate to the test-route you just figured out in the previous lesson. Your URL should look something like this:

http://localhost:8080/WebGoat/start.mvc#REPLACE-WITH-THE-TEST-ROUTE/some\_parameters

= http://localhost:8080/WebGoat/start.mvc#test/<script>webgoat.customjs.phoneHome()<%2Fscript>.

• The script tags are used so that our JavaScript code gets executed when being rendered into the DOM.

• Once you navigate into the URL, your screen will show:

• Open your console, and see the phonehome invoked:

• Copy the number and paste it in the answer to lab: