Tuesday, August 9, 2011

WebGoat - DOM Injection

Solution one (trick):
Check the source code and modify the code about the "Active!" button: delete the property "disabled=""" (or change to "disabled="false"")

Solution two (standard):
Check the source code first, then you will find there are two forms in the page, take a note here.

<form method="get" action="attack" style="display: inline;">

<form accept-charset='UNKNOWN' method='POST' name='form' action='attack?Screen=71&menu=400' enctype=''>

go on and you will find the JSP functions:
function validate() {
var keyField = document.getElementById('key');
var url = 'attack?Screen=71&menu=400&from=ajax&key=' + encodeURIComponent(keyField.value);
if (typeof XMLHttpRequest != 'undefined') {
req = new XMLHttpRequest();
} else if (window.ActiveXObject) {
req = new ActiveXObject('Microsoft.XMLHTTP');
}'GET', url, true);
req.onreadystatechange = callback;
function callback() {
if (req.readyState == 4) {
if (req.status == 200) {
var message = req.responseText;
var messageDiv = document.getElementById('MessageDiv');
try {
eval(message);                //Injection point
messageDiv.innerHTML = 'Correct licence Key.'
messageDiv.innerHTML = 'Wrong license key.'

Check the callback function you will find that it called the function eval() with the parameter message received from previous response.
That means:
validate() send a GET request with parameter “key”, then the server operate it and give back a response to function eval() in callback().
Because eval() have the ability to execute the JS statements, here would be an injection point.
So we just run WebScarab (or Burp Proxy), intercept and tamper the response data to "document.forms[1].SUBMIT.disabled = false;" 
(There are two forms in the HTML code and the second one is our target, so the number is 1, which is begin from 0)


No comments:

Post a Comment