2021-03-10 08:33:40 +00:00
|
|
|
id: window-name-domxss
|
|
|
|
|
|
|
|
info:
|
2022-05-13 20:26:43 +00:00
|
|
|
name: window.name - DOM Cross-Site Scripting
|
2021-04-06 06:46:11 +00:00
|
|
|
author: pdteam
|
2021-03-10 08:33:40 +00:00
|
|
|
severity: medium
|
2022-04-22 10:38:41 +00:00
|
|
|
reference:
|
|
|
|
- https://public-firing-range.appspot.com/dom/index.html
|
2021-03-10 08:33:40 +00:00
|
|
|
tags: headless,xss,domxss
|
|
|
|
|
|
|
|
headless:
|
|
|
|
- steps:
|
|
|
|
- action: setheader
|
|
|
|
args:
|
|
|
|
part: response
|
|
|
|
key: Content-Security-Policy
|
|
|
|
value: "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;"
|
|
|
|
- action: script
|
|
|
|
args:
|
|
|
|
hook: true
|
|
|
|
code: |
|
2022-07-28 11:21:08 +00:00
|
|
|
() => {
|
|
|
|
window.alerts = [];
|
2021-03-10 08:33:40 +00:00
|
|
|
|
2022-07-28 11:21:08 +00:00
|
|
|
logger = found => window.alerts.push(found);
|
2021-03-10 08:33:40 +00:00
|
|
|
|
2022-07-28 11:21:08 +00:00
|
|
|
function getStackTrace() {
|
|
|
|
var stack;
|
|
|
|
try {
|
|
|
|
throw new Error('');
|
|
|
|
}
|
|
|
|
catch (error) {
|
|
|
|
stack = error.stack || '';
|
|
|
|
}
|
|
|
|
stack = stack.split('\n').map(function (line) { return line.trim(); });
|
|
|
|
return stack.splice(stack[0] == 'Error' ? 2 : 1);
|
2021-03-10 08:33:40 +00:00
|
|
|
}
|
2022-07-28 11:21:08 +00:00
|
|
|
window.name = "{{randstr_1}}'\"<>";
|
2021-03-10 08:33:40 +00:00
|
|
|
|
2022-07-28 11:21:08 +00:00
|
|
|
var oldEval = eval;
|
|
|
|
var oldDocumentWrite = document.write;
|
|
|
|
var setter = Object.getOwnPropertyDescriptor(Element.prototype, 'innerHTML').set;
|
|
|
|
Object.defineProperty(Element.prototype, 'innerHTML', {
|
|
|
|
set: function innerHTML_Setter(val) {
|
|
|
|
if (val.includes("{{randstr_1}}'\"<>")) {
|
|
|
|
logger({sink: 'innerHTML', source: 'window.name', code: val, stack: getStackTrace()});
|
|
|
|
}
|
|
|
|
return setter.call(this, val)
|
2021-03-10 08:33:40 +00:00
|
|
|
}
|
2022-07-28 11:21:08 +00:00
|
|
|
});
|
|
|
|
|
|
|
|
eval = function(data) {
|
|
|
|
if (data.includes("{{randstr_1}}'\"<>")) {
|
|
|
|
logger({sink: 'eval' ,source: 'window.name', code: data, stack: getStackTrace()});
|
|
|
|
}
|
|
|
|
return oldEval.apply(this, arguments);
|
|
|
|
};
|
|
|
|
|
|
|
|
document.write = function(data) {
|
|
|
|
if (data.includes("{{randstr_1}}'\"<>")) {
|
|
|
|
logger({sink: 'document.write' ,source: 'window.name', code: data, stack: getStackTrace()});
|
|
|
|
}
|
|
|
|
return oldEval.apply(this, arguments);
|
|
|
|
};
|
|
|
|
}
|
2021-03-10 08:33:40 +00:00
|
|
|
- args:
|
|
|
|
url: "{{BaseURL}}"
|
|
|
|
action: navigate
|
|
|
|
- action: waitload
|
|
|
|
- action: script
|
|
|
|
name: alerts
|
|
|
|
args:
|
2022-07-28 11:21:08 +00:00
|
|
|
code: window.alerts
|
2021-03-10 08:33:40 +00:00
|
|
|
matchers:
|
|
|
|
- type: word
|
|
|
|
part: alerts
|
|
|
|
words:
|
|
|
|
- "sink:"
|
|
|
|
extractors:
|
|
|
|
- type: kval
|
|
|
|
part: alerts
|
|
|
|
kval:
|
|
|
|
- alerts
|