
Tuesday, August 2, 2011

WebGoat - DOM Based XSS

Three types of Cross Site Scripting (XSS) Attack:

Reference:

Stage one solution:
1, Check the page source to find the JavaScript, or open Firebug, choose “Script” and then “DOMXSS.js”. We find the following JavaScript code:

2, As we can see, there is no validation of the user’s input, so we can insert anything as the parameter “name”. In this case, we insert:

"<img src="http://192.168.235.134/WebGoat/images/logos/owasp.jpg" />"

3, Then we get the following result (the page is defaced with the picture):

Stage two solution:
1, We use the image “onerror” event attribute to trigger an alert that shows the cookie information. In this case, we insert:
"<img src="xxx.gif" onerror="alert(document.cookie)" />"
where “xxx.gif” is any non-existent image file, used to trigger an error event.

3, Then we get the following result (an alert pops up):

Reference:


Stage five (Remedy):

1, Use the escapeHTML function defined in “escape.js” to remedy this vulnerability. The escapeHTML function is:
function escapeHTML (str) {
    var div = document.createElement('div');    // create a new div element
    var text = document.createTextNode(str);    // create a new text node holding "str" as plain text
    div.appendChild(text);                      // the text node is never parsed as markup
    return div.innerHTML;                       // serializing the text node encodes &, < and >
}

2, Modify the DOMXSS.js file to use the escapeHTML function:
function displayGreeting(name) {
    if (name != '') {
        // escape the user-supplied name before it is assigned to innerHTML
        document.getElementById("greeting").innerHTML = "Hello, " + escapeHTML(name) + "!";
    }
}
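
The remedy can be checked outside a browser: this added example (not part of the original post or of WebGoat) runs the two inputs from stage one and stage two through a string-based stand-in for escapeHTML, and shows that quotes pass through unchanged, so the same function is not enough for attribute values. Assumptions: the DOM version encodes only &, < and >, and the unpatched displayGreeting concatenated the name unescaped; `escapeHTMLString`, `escapeAttr`, `greetingMarkup`, `hasRawTag`, `inputTag` and the `data-injected` sample value are hypothetical names constructed for illustration.

```javascript
// String-based stand-in for the page's DOM-based escapeHTML (assumption:
// a text node serialized via innerHTML has &, < and > encoded, quotes untouched).
function escapeHTMLString(str) {
  return String(str)
    .replace(/&/g, '&amp;')   // first, so the entities added below are not re-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hypothetical helper for quoted attribute values: also encodes both quote characters.
function escapeAttr(str) {
  return escapeHTMLString(str).replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// The string the patched displayGreeting would assign to innerHTML.
function greetingMarkup(name) {
  return name !== '' ? 'Hello, ' + escapeHTMLString(name) + '!' : '';
}

// True when markup still contains a raw tag opener that the HTML parser would act on.
function hasRawTag(markup) {
  return /<[a-zA-Z\/!]/.test(markup);
}

// Builds an attribute context with the given escaper, to compare the two helpers.
function inputTag(value, escaper) {
  return '<input value="' + escaper(value) + '">';
}

// Inputs used in stage one and stage two of the page.
const stageOne = '<img src="http://192.168.235.134/WebGoat/images/logos/owasp.jpg" />';
const stageTwo = '<img src="xxx.gif" onerror="alert(document.cookie)" />';

for (const input of [stageOne, stageTwo]) {
  const unpatched = 'Hello, ' + input + '!';   // assumed behaviour before the fix
  console.log('unpatched has raw tag:', hasRawTag(unpatched));
  console.log('patched has raw tag:  ', hasRawTag(greetingMarkup(input)));
  console.log('patched markup:       ', greetingMarkup(input));
}

// Constructed sample: a quote in the value ends the attribute when only &, <, > are encoded.
const quoted = 'x" data-injected="1';
console.log(inputTag(quoted, escapeHTMLString)); // extra attribute appears
console.log(inputTag(quoted, escapeAttr));       // value stays inside the quotes
```

Where the greeting needs no markup at all, assigning the name to the element's textContent instead of innerHTML avoids the HTML parser entirely.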
