XSS (11)

Try It! DOM-Based XSS

Some attacks are "blind". Fortunately, you have the server running here so you will be able to tell if you are successful. Use the route you just found and see if you can use the fact that it reflects a parameter from the route without encoding to execute an internal function in WebGoat. The function you want to execute is …

webgoat.customjs.phoneHome()

Sure, you could just use console/debug to trigger it, but you need to trigger it via a URL in a new tab.

Once you do trigger it, a subsequent response will come to your browser’s console with a random number. Put that random number in below.

Solution

Open a new tab and navigate to the test-route you just figured out in the previous lesson. Your URL should look something like that http://localhost:8080/WebGoat/start.mvc#REPLACE-WITH-THE-TEST-ROUTE/some\_parameters Note how the parameters you send to the test-route get reflected back to the page. Now add your JavaScript to it. You have to use script tags, so your JavaScript code gets executed when being rendered into the DOM. Since you are working with an URL, you might have to URL-encode your parameters. Replace '/' with '%2F' in your URL parameters.

Open the Development Tools in the browser, and go to the Console tab.
Navigate to the URL http://host:port/WebGoat/start.mvc#test/<script>webgoat.customjs.phoneHome()<%2Fscript>.
Retrieve the number in the function output.

PreviousXSS (10)NextXSS (12)

Last updated 3 years ago