XSS (10)

Identify potential for DOM-Based XSS

DOM-Based XSS can usually be found by looking for the route configurations in the client-side code. Look for a route that takes inputs that are being "reflected" to the page.

For this example, you will want to look for some 'test' code in the route handlers (WebGoat uses backbone as its primary JavaScript library). Sometimes, test code gets left in production (and often times test code is very simple and lacks security or any quality controls!).

Your objective is to find the route and exploit it. First though … what is the base route? As an example, look at the URL for this lesson … it should look something like /WebGoat/start.mvc#lesson/CrossSiteScripting.lesson/9. The 'base route' in this case is: start.mvc#lesson/ The CrossSiteScripting.lesson/9 after that are parameters that are processed by the JavaScript route handler.

So, what is the route for the test code that stayed in the app during production? To answer this question, you have to check the JavaScript source.

Solution

To search through the client side code, use the developer tools of your browser. (If you don't know how to use them, check the Developer Tools Lesson in the general category.) Since you are looking for application code, check the WebGoat/js/goatApp folder for a file that could handle the routes. Make sure you add the base route at the start, when submitting your solution. Still did not find it? Check the GoatRouter.js file. It should be pretty easy to determine.

Open the Development Tools in the browser, and go to the Debugger tab.
Locate the goatApp/View/GoatRouter.js file and open it.
Look for routes to find 'test/:param': 'testRoute'.
The expected answer is then start.mvc#test/.

PreviousXSS (7)NextXSS (11)

Last updated 3 years ago