Just a DOM-Based XSS

Hey guys, let’s talk about a DOM-Based XSS that I found yesterday.

嘿,伙计们,我们来谈谈我昨天发现的一个基于 dom 的 XSS。

while searching on my target I found a subdomain with a login form and it depends on a JS code to log in and redirect the user after the a valid login.

当我在我的目标上搜索时,我发现了一个带有登录表单的子域,它依赖于一个 JS 代码来登录并在有效登录后重定向用户。

let’s start debugging, first function called (submitCredentials) and it used to pass the username and password to another function

让我们开始调试,第一个函数称为(submitcretials) ,它用于将用户名和密码传递给另一个函数

Second function called (fetchJwt) which check the username and password with an endpoint and if it true and return the JWT for the session it call another function (redirectOnSuccess)  第二个函数叫做(fetchJwt) ,它用一个端点检查用户名和密码,如果为真,并返回会话的 JWT,它调用另一个函数(redirectOnSuccess)

There is a variable we will use 我们将使用一个变量

Third function is getting the value from a paramter called (continue) and redirect the user to it but it use another function (getUrlParameter) and save the value to variable (redirectParam) and redirect the user to it 第三个函数是从一个名为(continue)的参数获取值,并将用户重定向到该参数,但它使用另一个函数(getUrlParameter)并将值保存到变量(redirectParam) ,并将用户重定向到该变量

Fourth function is checking the full URL and parameters using simple RegEx which return values 第四个功能是使用返回值的简单 RegEx 检查完整的 URL 和参数

the above regex will an array with two values like [‘?continue=http://google.com’,’http://google.com’%5D 上面的正则表达式将包含一个数组,其中的值类似于[ ? continue = http://google.com’,’http://google.com’%5D

after all of that we can notice that there is no filtering on the values and the function is redirecting the user to the value, so if we try to write (javascript:alert(0)), we can see in the following screenshot that our payload it will be accepted 在所有这些之后,我们可以注意到,没有对值进行过滤,而且函数会将用户重定向到该值,因此如果我们尝试编写(javascript: alert (0)) ,我们可以在下面的屏幕截图中看到,我们的有效负载将被接受

all the issue here when the application call function (redirectOnSuccess) and our payload should be in the parameter’s value. 当应用程序调用函数(redirectOnSuccess)和有效负载应该位于参数值中时,这里所有的问题都在这里

And that is it. 就是这样