This lab demonstrates a DOM-based redirection vulnerability that is triggered by web messaging. To solve this lab, construct an HTML page on the exploit server that exploits this vulnerability and calls the print() function.
This lab demonstrates a DOM-based vulnerability that is triggered by web messaging.
The task is to upload to the exploit server an HTML page that uses this vulnerability to call the print() function.
First, let's explore the lab's blog site.
<Home page code>
<!DOCTYPE html>
<html>
<head>
<link href=/resources/labheader/css/academyLabHeader.css rel=stylesheet>
<link href=/resources/css/labsBlog.css rel=stylesheet>
<title>DOM XSS using web messages and a JavaScript URL</title>
</head>
<body>
<script src="/resources/labheader/js/labHeader.js"></script>
<div id="academyLabHeader">
<section class='academyLabBanner'>
<div class=container>
<div class=logo></div>
<div class=title-container>
<h2>DOM XSS using web messages and a JavaScript URL</h2>
<a id='exploit-link' class='button' target='_blank' href='https://exploit-0ac0006104676e4a80a8cf3101350031.exploit-server.net'>Go to exploit server</a>
<a class=link-back href='https://portswigger.net/web-security/dom-based/controlling-the-web-message-source/lab-dom-xss-using-web-messages-and-a-javascript-url'>
Back to lab description
<svg version=1.1 id=Layer_1 xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' x=0px y=0px viewBox='0 0 28 30' enable-background='new 0 0 28 30' xml:space=preserve title=back-arrow>
<g>
<polygon points='1.4,0 0,1.2 12.6,15 0,28.8 1.4,30 15.1,15'></polygon>
<polygon points='14.3,0 12.9,1.2 25.6,15 12.9,28.8 14.3,30 28,15'></polygon>
</g>
</svg>
</a>
</div>
<div class='widgetcontainer-lab-status is-notsolved'>
<span>LAB</span>
<p>Not solved</p>
<span class=lab-status-icon></span>
</div>
</div>
</div>
</section>
</div>
<div theme="blog">
<section class="maincontainer">
<div class="container is-page">
<header class="navigation-header">
<section class="top-links">
<a href=/>Home</a><p>|</p>
</section>
</header>
<header class="notification-header">
</header>
<section class="blog-header">
<img src="/resources/images/blog.svg">
</section>
<script>
window.addEventListener('message', function(e) {
var url = e.data;
if (url.indexOf('http:') > -1 || url.indexOf('https:') > -1) {
location.href = url;
}
}, false);
</script>
<section class="blog-list">
<div class="blog-post">
<a href="/post?postId=6"><img src="/image/blog/posts/34.jpg"></a>
<h2>Scams</h2>
<p>Where there is good there is evil and when it comes to the internet there is surely a scam not lurking too far away. Whether it's being promised thousands from an African prince or being blackmailed by someone claiming to...</p>
<a class="button is-small" href="/post?postId=6">View post</a>
</div>
<div class="blog-post">
<a href="/post?postId=5"><img src="/image/blog/posts/15.jpg"></a>
<h2>Meeting Up</h2>
<p>In the past arranging events, and to meet up with friends and family was easy. The first option for an event was to send out an invitation, in the post, and they would R.S.V.P, sorted. Numbers counted, an event arranged....</p>
<a class="button is-small" href="/post?postId=5">View post</a>
</div>
<div class="blog-post">
<a href="/post?postId=8"><img src="/image/blog/posts/18.jpg"></a>
<h2>Protect Your Smart Home Gadgets From Cyber Attacks</h2>
<p>While we've been sleeping in beds that don't cook breakfast and having to switch the overhead lights on ourselves, some of the more privileged in our communities have been under attack. A home invasion of a different kind. The attacks...</p>
<a class="button is-small" href="/post?postId=8">View post</a>
</div>
<div class="blog-post">
<a href="/post?postId=10"><img src="/image/blog/posts/25.jpg"></a>
<h2>Tracking Your Kids</h2>
<p>It's not Big Brother who's watching you, it's your folks! The first generation of datafied children is hitting the streets. What does this mean? Basically, we know where they are, where they've been and when they were last 'live' on...</p>
<a class="button is-small" href="/post?postId=10">View post</a>
</div>
<div class="blog-post">
<a href="/post?postId=2"><img src="/image/blog/posts/6.jpg"></a>
<h2>Fake News</h2>
<p>Is it just me that finds the way people share things on social media, without checking into them really disturbing? I've started checking things out now, not because I want to share but so I can somehow, politely, let them...</p>
<a class="button is-small" href="/post?postId=2">View post</a>
</div>
<div class="blog-post">
<a href="/post?postId=7"><img src="/image/blog/posts/14.jpg"></a>
<h2>Making The Holidays Special Again</h2>
<p>This time of year I tend to mourn the loss of my little ones, all grown up with no surprises left to give them. Last year I found a way to combat this melancholy, and I thought I'd share what...</p>
<a class="button is-small" href="/post?postId=7">View post</a>
</div>
<div class="blog-post">
<a href="/post?postId=4"><img src="/image/blog/posts/48.jpg"></a>
<h2>Look No Hands - The Game Plays Itself</h2>
<p>I was so fed up with my husband always sitting in front of the television playing his silly games, I did something about it. I came up with an idea that would revolutionize game playing in the future. I wrote...</p>
<a class="button is-small" href="/post?postId=4">View post</a>
</div>
<div class="blog-post">
<a href="/post?postId=3"><img src="/image/blog/posts/4.jpg"></a>
<h2>Cell Phone Free Zones</h2>
<p>There was a time when you could travel by train, smoke cigarettes and chat at the top of your voice. Smoking was banned and up popped quiet carriages, places for those who wish to work on their cells, laptops, and...</p>
<a class="button is-small" href="/post?postId=3">View post</a>
</div>
<div class="blog-post">
<a href="/post?postId=9"><img src="/image/blog/posts/24.jpg"></a>
<h2>The Reverse Bucket List</h2>
<p>I have yet to create a bucket list, mainly because I'm not very adventurous and don't want to do anything that will scare the pants off me. With my weekends wasting away with a huge dose of apathy and only...</p>
<a class="button is-small" href="/post?postId=9">View post</a>
</div>
<div class="blog-post">
<a href="/post?postId=1"><img src="/image/blog/posts/29.jpg"></a>
<h2>Volunteering</h2>
<p>It is perhaps fair to say that volunteering conjures up feelings of helping those in need or taking time out of your own life to give back to society, family or friends. However, what often goes unspoken is that to...</p>
<a class="button is-small" href="/post?postId=1">View post</a>
</div>
</section>
</div>
</section>
<div class="footer-wrapper">
</div>
</div>
</body>
</html>
<Post page code>
<!DOCTYPE html>
<html>
<head>
<link href=/resources/labheader/css/academyLabHeader.css rel=stylesheet>
<link href=/resources/css/labsBlog.css rel=stylesheet>
<title>DOM XSS using web messages and a JavaScript URL</title>
</head>
<body>
<script src="/resources/labheader/js/labHeader.js"></script>
<div id="academyLabHeader">
<section class='academyLabBanner is-solved'>
<div class=container>
<div class=logo></div>
<div class=title-container>
<h2>DOM XSS using web messages and a JavaScript URL</h2>
<a class=link-back href='https://portswigger.net/web-security/dom-based/controlling-the-web-message-source/lab-dom-xss-using-web-messages-and-a-javascript-url'>
Back to lab description
<svg version=1.1 id=Layer_1 xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' x=0px y=0px viewBox='0 0 28 30' enable-background='new 0 0 28 30' xml:space=preserve title=back-arrow>
<g>
<polygon points='1.4,0 0,1.2 12.6,15 0,28.8 1.4,30 15.1,15'></polygon>
<polygon points='14.3,0 12.9,1.2 25.6,15 12.9,28.8 14.3,30 28,15'></polygon>
</g>
</svg>
</a>
</div>
<div class='widgetcontainer-lab-status is-solved'>
<span>LAB</span>
<p>Solved</p>
<span class=lab-status-icon></span>
</div>
</div>
</div>
</section>
<section id=notification-labsolved class=notification-labsolved>
<div class=container>
<h4>Congratulations, you solved the lab!</h4>
<div>
<span>
Share your skills!
</span>
<a class=button href='https://twitter.com/intent/tweet?text=I+completed+the+Web+Security+Academy+lab%3a%0aDOM+XSS+using+web+messages+and+a+JavaScript+URL%0a%0a@WebSecAcademy%0a&url=https%3a%2f%2fportswigger.net%2fweb-security%2fdom-based%2fcontrolling-the-web-message-source%2flab-dom-xss-using-web-messages-and-a-javascript-url&related=WebSecAcademy,Burp_Suite'>
<svg xmlns='http://www.w3.org/2000/svg' width=24 height=24 viewBox='0 0 20.44 17.72'>
<title>twitter-button</title>
<path d='M0,15.85c11.51,5.52,18.51-2,18.71-12.24.3-.24,1.73-1.24,1.73-1.24H18.68l1.43-2-2.74,1a4.09,4.09,0,0,0-5-.84c-3.13,1.44-2.13,4.94-2.13,4.94S6.38,6.21,1.76,1c-1.39,1.56,0,5.39.67,5.73C2.18,7,.66,6.4.66,5.9-.07,9.36,3.14,10.54,4,10.72a2.39,2.39,0,0,1-2.18.08c-.09,1.1,2.94,3.33,4.11,3.27A10.18,10.18,0,0,1,0,15.85Z'></path>
</svg>
</a>
<a class=button href='https://www.linkedin.com/sharing/share-offsite?url=https%3a%2f%2fportswigger.net%2fweb-security%2fdom-based%2fcontrolling-the-web-message-source%2flab-dom-xss-using-web-messages-and-a-javascript-url'>
<svg viewBox='0 0 64 64' width='24' xml:space='preserve' xmlns='http://www.w3.org/2000/svg'>
<title>linkedin-button</title>
<path d='M2,6v52c0,2.2,1.8,4,4,4h52c2.2,0,4-1.8,4-4V6c0-2.2-1.8-4-4-4H6C3.8,2,2,3.8,2,6z M19.1,52H12V24.4h7.1V52z M15.6,18.9c-2,0-3.6-1.5-3.6-3.4c0-1.9,1.6-3.4,3.6-3.4c2,0,3.6,1.5,3.6,3.4C19.1,17.4,17.5,18.9,15.6,18.9z M52,52h-7.1V38.2 c0-2.9-0.1-4.8-0.4-5.7c-0.3-0.9-0.8-1.5-1.4-2c-0.7-0.5-1.5-0.7-2.4-0.7c-1.2,0-2.3,0.3-3.2,1c-1,0.7-1.6,1.6-2,2.7 c-0.4,1.1-0.5,3.2-0.5,6.2V52h-8.6V24.4h7.1v4.1c2.4-3.1,5.5-4.7,9.2-4.7c1.6,0,3.1,0.3,4.5,0.9c1.3,0.6,2.4,1.3,3.1,2.2 c0.7,0.9,1.2,1.9,1.4,3.1c0.3,1.1,0.4,2.8,0.4,4.9V52z'/>
</svg>
</a>
<a href='https://portswigger.net/web-security/dom-based/controlling-the-web-message-source/lab-dom-xss-using-web-messages-and-a-javascript-url'>
Continue learning
<svg version=1.1 id=Layer_1 xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' x=0px y=0px viewBox='0 0 28 30' enable-background='new 0 0 28 30' xml:space=preserve title=back-arrow>
<g>
<polygon points='1.4,0 0,1.2 12.6,15 0,28.8 1.4,30 15.1,15'></polygon>
<polygon points='14.3,0 12.9,1.2 25.6,15 12.9,28.8 14.3,30 28,15'></polygon>
</g>
</svg>
</a>
</div>
</div>
</section>
</div>
<div theme="blog">
<section class="maincontainer">
<div class="container is-page">
<header class="navigation-header">
<section class="top-links">
<a href=/>Home</a><p>|</p>
</section>
</header>
<header class="notification-header">
</header>
<div class="blog-post">
<img src="/image/blog/posts/29.jpg">
<h1>Volunteering</h1>
<p><span id=blog-author>Kit Kat</span> | 06 July 2024</p>
<hr>
<p>It is perhaps fair to say that volunteering conjures up feelings of helping those in need or taking time out of your own life to give back to society, family or friends. However, what often goes unspoken is that to many, volunteering means unpaid labour. The lines have been blurred in recent years with graduates forced to do endless apprenticeships and internships for 'experience', but many corporations are just using those desperate to work in certain fields for free graft, because grubby students will fall for anything after all.</p>
<p>It feels that there is a certain stigma attached to the word volunteering among some people. As much as we probably hate to admit it, the word doesn't evoke much excitement and truthfully, many people are put off by it. In turbulent times, there is a tend to lean more towards safe guarding our own wellbeing, but whatever the negative connotations, volunteering benefits absolutely everyone involved.</p>
<p>If you're thinking of a new hobby or just dusting off the yoga mat to start up an old one, have a think about whether you'd like to volunteer. The selfless deed of volunteering is the first great reason to be excited about it. Secondly, it has been proven to help people meet new friends, combat anxiety and depression, stimulate your mind and even advance your career. You never know what you're going to get out of volunteering, and the best thing about it is that it's entirely within your own control. You can decide how much or how little you do. In a world where Tinder lets you pick and choose people at break neck speed, maybe taking a step back into real life to make some organic connections is what you're after. Perhaps that nagging voice of wanting to snap at your boss and or children is getting even louder and you want a positive way to release stress, volunteering could be the thing to clear your head.</p>
<p>Volunteering is also an ideal avenue to practice and improve relationship skills, be it personal or professional. You'll discover that regularly meeting with people with similar interests and beliefs will lead to easier conversations about shared interests, or possibly pet peeves depending on your attachment to that person! There is also much to be said about volunteering as a family, showing your kids how rewarding it is to give back to people and a community will improve their mental health and outlook on life. Or, maybe you need to get your partner off the sofa and into something mindfully stimulating more often.</p>
<p>Whatever your reason, there is no negative aspect of volunteering. Use your spare time to improve your life and the lives of others, meet new people and boost your mental health.</p>
<div/>
<hr>
<h1>Comments</h1>
<section class="comment">
<p>
<img src="/resources/images/avatarDefault.svg" class="avatar"> Mo Sez | 09 July 2024
</p>
<p>Me again 'sorry, wrong group.</p>
<p></p>
</section>
<section class="comment">
<p>
<img src="/resources/images/avatarDefault.svg" class="avatar"> Alan Key | 13 July 2024
</p>
<p>The bottom half of my screen is cracked, so I'll just assume the bottom half is as good as the top.</p>
<p></p>
</section>
<section class="comment">
<p>
<img src="/resources/images/avatarDefault.svg" class="avatar"> Mick Mouse | 17 July 2024
</p>
<p>Some man broke into my house while I was reading this and said he's also a fan of your blogs. He'll be able to read them much clearer now he has my iPad.</p>
<p></p>
</section>
<section class="comment">
<p>
<img src="/resources/images/avatarDefault.svg" class="avatar"> Nick O'Bocka | 17 July 2024
</p>
<p>This is really good.</p>
<p></p>
</section>
<section class="comment">
<p>
<img src="/resources/images/avatarDefault.svg" class="avatar"> <a id="author" href="https://www.youtube.com/">sally</a> | 23 July 2024
</p>
<p>great!!!</p>
<p></p>
</section>
<hr>
<section class="add-comment">
<h2>Leave a comment</h2>
<form action="/post/comment" method="POST" enctype="application/x-www-form-urlencoded">
<input required type="hidden" name="csrf" value="XyCQZ5akd7rYEJKs6RThMSHv0ebjdVJb">
<input required type="hidden" name="postId" value="1">
<label>Comment:</label>
<textarea required rows="12" cols="300" name="comment"></textarea>
<label>Name:</label>
<input required type="text" name="name">
<label>Email:</label>
<input required type="email" name="email">
<label>Website:</label>
<input pattern="(http:|https:).+" type="text" name="website">
<button class="button" type="submit">Post Comment</button>
</form>
</section>
<div class="is-linkback">
<a href="/">Back to Blog</a>
</div>
</div>
</section>
<div class="footer-wrapper">
</div>
</div>
</body>
</html>
While reading the source code, I found the following interesting script.
<script>
window.addEventListener('message', function(e) {
var url = e.data;
if (url.indexOf('http:') > -1 || url.indexOf('https:') > -1) {
location.href = url;
}
}, false);
</script>
The if statement checks whether the url string contains http: or https:.
That is, url.indexOf('http:') > -1 and url.indexOf('https:') > -1 return true when the url string contains http: or https: respectively, so only strings that contain one of those tokens are redirected.
Here, location.href is the URL shown in the browser's address bar; assigning to it navigates the page to that URL.
If the page under examination can be loaded inside an iframe, I can also send arbitrary data to the application.
According to the iframe documentation referenced above, inline frames are included in the window.frames collection, so a script can reach the framed element's window object through the contentWindow property.
So to send the message, I only need to access the lab application's window object.
The postMessage() syntax is postMessage(message, targetOrigin), so my payload will be delivered through the 'message' argument when targetOrigin is the target domain or * (which targets every origin).
The code seen earlier also required the payload to contain http: or https:, but there is no sign of any further validation, such as requiring the token at the start of the string. In other words, if http: or https: appears anywhere in the string being sent, the check passes.
Combining the above, a payload that contains such a url looks like this:
<iframe src="URL" onload="contentWindow.postMessage('javascript:print();/*https:*/', '*')">
<iframe src="URL" onload="this.contentWindow.postMessage('javascript:print();//https:', '*')">
Placing /*https:*/ or //https: inside a comment includes the string the code requires, so the check passes, but because it is commented out it has no real effect on the code that runs.
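To make the root cause concrete, here is an added example (not part of the original write-up and not PortSwigger's lab code) that places the lab's substring check beside a hardened message handler a defender would write. The hardened version checks the sender origin, parses the message as a URL, allows only the http: and https: schemes, and restricts the destination host to an allowlist. The names TRUSTED_SENDER_ORIGIN, ALLOWED_REDIRECT_HOSTS, the sample origins and the sample messages are constructed for this example; the two javascript: strings are the payloads quoted above.

```javascript
// Added example: the lab's check next to a hardened handler. Uses the global URL
// class (available in browsers and in Node); nothing here is from the lab itself.

// The check as written in the lab page: any string that *contains* "http:" or
// "https:" anywhere passes, including a javascript: URL that hides the token in a comment.
function vulnerableAccepts(url) {
  return url.indexOf('http:') > -1 || url.indexOf('https:') > -1;
}

// Assumed configuration for the hardened handler (constructed values).
const TRUSTED_SENDER_ORIGIN = 'https://trusted.example';
const ALLOWED_REDIRECT_HOSTS = new Set(['blog.example', 'www.blog.example']);

// Parse the candidate URL against the page's own base and accept it only if the
// scheme is http/https and the host is on the allowlist. Returns the normalised
// URL on success, or null when the redirect must be refused.
function safeRedirectTarget(raw, base) {
  let parsed;
  try {
    parsed = new URL(raw, base);
  } catch (e) {
    return null; // not a parsable URL at all
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  if (!ALLOWED_REDIRECT_HOSTS.has(parsed.hostname)) return null;
  return parsed.href;
}

// Mirrors what a hardened 'message' listener would do. `event` has the shape of a
// MessageEvent ({ origin, data }); the function returns the URL that would be
// assigned to location.href, or null when the message is dropped.
function handleMessageHardened(event, base) {
  if (event.origin !== TRUSTED_SENDER_ORIGIN) return null; // unexpected sender
  if (typeof event.data !== 'string') return null;         // unexpected payload type
  return safeRedirectTarget(event.data, base);
}

// Constructed sample messages: one legitimate redirect, the two payload strings from
// the write-up, a spoofed sender, and an off-site URL that merely contains "https:".
const SAMPLES = [
  { origin: 'https://trusted.example', data: 'https://blog.example/post?postId=1' },
  { origin: 'https://trusted.example', data: 'javascript:print();/*https:*/' },
  { origin: 'https://trusted.example', data: 'javascript:print();//https:' },
  { origin: 'https://attacker.example', data: 'https://blog.example/' },
  { origin: 'https://trusted.example', data: 'https://evil.example/?q=https:' },
];

// Run every sample through both checks so the difference is visible side by side.
function evaluateSamples() {
  return SAMPLES.map((m) => ({
    data: m.data,
    vulnerable: vulnerableAccepts(m.data),
    hardened: handleMessageHardened(m, 'https://blog.example/'),
  }));
}

for (const r of evaluateSamples()) {
  console.log(`${r.vulnerable ? 'PASS' : 'drop'} / ${r.hardened ? 'PASS' : 'drop'}  ${r.data}`);
}
```

The substring check accepts all five samples, while the hardened handler accepts only the first. The essential change is parsing the value as a URL and comparing the resulting protocol, rather than searching for a token anywhere in the string; the origin check on the event is what stops a framing page from sending messages in the first place.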