This lab demonstrates a DOM-based redirection vulnerability that is triggered by web messaging. To solve this lab, construct an HTML page on the exploit server that exploits the vulnerability and alerts
Notice that the home page contains an indexOf check that looks for the strings "https:" anywhere within the web message. It also contains the sink
Go to the exploit server and add the following iframe to the body, remembering to replace your-lab-id with your lab ID:
- Store the exploit and deliver it to the victim.
alert() payload, along with the string "http:". The second argument specifies that any targetOrigin is allowed for the web message.
iframe loads, the
"http:" string and proceeds to send the payload to the location.href sink, where the alert() function is called in the context of the client's session.
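
The substring check described above, next to a hardened message handler, as an added example that is not code from the lab or its solution. The names TRUSTED_ORIGINS, flawedCheck, safeTarget and makeListener, the app.example origin and the sample messages are assumptions made up for illustration.

```javascript
// Added example; all names and sample values are hypothetical.
// Origins allowed to send navigation messages (assumed value).
const TRUSTED_ORIGINS = new Set(["https://app.example"]);

// The check as the page describes it: the scheme string may appear anywhere
// in the message, so it says nothing about the scheme the URL really has.
function flawedCheck(message) {
  return message.indexOf("http:") > -1 || message.indexOf("https:") > -1;
}

// Hardened check: verify the sender, parse the message as an absolute URL,
// and allow only http(s). Returns the normalized URL, or null to reject.
function safeTarget(origin, message) {
  if (!TRUSTED_ORIGINS.has(origin)) return null;
  if (typeof message !== "string") return null;
  let url;
  try {
    url = new URL(message);
  } catch {
    return null; // not an absolute URL
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return url.href;
}

// Listener factory. In a browser it would be registered as
//   window.addEventListener("message", makeListener(u => { location.href = u; }));
// navigate is injected so the logic also runs outside a browser.
function makeListener(navigate) {
  return (event) => {
    const target = safeTarget(event.origin, event.data);
    if (target !== null) navigate(target);
  };
}

// Constructed sample messages: a legitimate one, a non-http scheme that merely
// contains "http:", and a valid URL sent from an origin that is not trusted.
const SAMPLES = [
  { origin: "https://app.example", data: "https://app.example/account" },
  { origin: "https://app.example", data: "javascript:void(0)//http:" },
  { origin: "https://other.example", data: "https://app.example/account" },
];

// Compare both checks over the samples.
function evaluateSamples() {
  return SAMPLES.map((s) => ({
    data: s.data,
    flawed: flawedCheck(s.data),
    hardened: safeTarget(s.origin, s.data) !== null,
  }));
}

console.log(evaluateSamples());
```

The flawed check accepts all three samples, while the hardened handler navigates only for the first. On the sending side, passing a specific targetOrigin to postMessage() instead of a wildcard limits who can receive the message.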