Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Lab: DOM XSS using web messages

PRACTITIONER

This lab demonstrates a simple web message vulnerability. To solve this lab, use the exploit server to post a message to the target site that causes the print() function to be called.

ACCESS THE LAB

Solution

  1. Notice that the home page contains an addEventListener() call that listens for a web message.

  2. Go to the exploit server and add the following iframe to the body. Remember to add your own lab ID:

    <iframe src="https://YOUR-LAB-ID.web-security-academy.net/" onload="this.contentWindow.postMessage('<img src=1 onerror=print()>','*')">
  3. Store the exploit and deliver it to the victim.

When the iframe loads, the postMessage() method sends a web message to the home page. The event listener, which is intended to serve ads, takes the content of the web message and inserts it into the div with the ID ads. However, in this case it inserts our img tag, which contains an invalid src attribute. This throws an error, which causes the onerror event handler to execute our payload.

Community solutions

Michael Sommer (no audio)

Register for free to track your learning progress

The benefits of working through PortSwigger's Web Security Academy

  • Practise exploiting vulnerabilities on realistic targets.

  • Record your progression from Apprentice to Expert.

  • See where you rank in our Hall of Fame.

Already got an account? Login here

Try Burp Suite for Free

Find DOM-based vulnerabilities using Burp Suite

Try for free