Lab: DOM XSS using web messages and a JavaScript URL

PRACTITIONER

This lab demonstrates a DOM-based redirection vulnerability that is triggered by web messaging. To solve this lab, construct an HTML page on the exploit server that exploits this vulnerability and calls the print() function.

Access the lab

Solution

Notice that the home page contains an addEventListener() call that listens for a web message. The JavaScript contains a flawed indexOf() check that looks for the strings "http:" or "https:" anywhere within the web message. It also contains the sink location.href.
Go to the exploit server and add the following iframe to the body, remembering to replace YOUR-LAB-ID with your lab ID:
<iframe src="https://YOUR-LAB-ID.web-security-academy.net/" onload="this.contentWindow.postMessage('javascript:print()//http:','*')">
Store the exploit and deliver it to the victim.

This script sends a web message containing an arbitrary JavaScript payload, along with the string "http:". The second argument specifies that any targetOrigin is allowed for the web message.

When the iframe loads, the postMessage() method sends the JavaScript payload to the main page. The event listener spots the "http:" string and proceeds to send the payload to the location.href sink, where the print() function is called.

Want to track your progress and have a more personalized learning experience? (It's free!)

In this topic

DOM-based vulnerabilities DOM clobbering

The benefits of working through PortSwigger's Web Security Academy

Practise exploiting vulnerabilities on realistic targets.
Record your progression from Apprentice to Expert.
See where you rank in our Hall of Fame.

Already got an account? Login here

Lab: DOM XSS using web messages and a JavaScript URL

Solution

In this topic

All topics

Find DOM-based vulnerabilities using Burp Suite

Register for free to track your learning progress