The first step of the payload is to set the location property which is a built-in JavaScript object that represents the URL of the current page, and setting it to a new URL is constructed using a template string that includes the following components...
View the page source and observe that your canary is between the angularJS script. Remember that you are dealing with angularJS sandbox, that means regular attack vectors are not going to work. For being able to deliver a successfull XSS attack you have to bypass the angularJS sandbox.
Try to inject another input to the Website input field. But this time make sure you use single quotes in your input, then observe single quotes has been escaped by backslash.
After landing the home page of the lab instance go to one of the blogposts. Enter a common XSS payload in the comment-box. Fill out the other boxes as you wish.
From the above picture, you can observe that the input you have given in the website labeled field, is directly used in the href value without proper input sanitization. Thanks to that you can inject a paylaoad like the following
The replace() method searches a string for a value or a regular expression. The replace() method returns a new string with the value(s) replaced. Critical point is, replace() method only replaces the given string(s) first occurence.
As the lab dictates you can observe this payload gets blocked. You need to find a valid tag in order to deliver a successfull attack. One way to do this is testing the tags manually one by one or you can choose a better way which is fuzzing the tag names with Burp Intruder.
First we need to search for a valid HTML tag.I assume you know how to do that process(you should have been solved previous labs before than that) but if you are not comfortable about how to do it, you can visit this link.
Write a basic alert script in the box, like the following and click the search button.
Try to inject a usual alert() script such as but it is not going to work. Because website has WAF(Web Application Firewall), so you need to figure out how to bypass it.
From the lab description you can understand all tags are blocked. However, it might be possible to craft custom tags and use it to create a successfull payload.
Submit a random alphanumeric string in the search box. Go to the Burp's HTTP History and send that request to Burp Repeater.Observe that the random string has been reflected inside a quoted attribute.
Here is the real deal, your input is inside the template literals and that means it is possible to inject embedded expressions via using ${} syntax. Also remember that single quotes are just normal characters inside of literals(`), due to that your input is going to work like a charm.
This time, try sending the previous payload by adding single quote to beginning of it. Also know that, this technique is used for breaking out of the string, however your single quote is going to get backslashed-escaped.
After the landing page is loaded, go to searchbox in the website. Submit a random alphanumeric string in the search box. Go to the Burp's HTTP history and send the relevant request to the Burp Repeater.
However, developer who implemented the logic made a huge mistake and forgot to escape the backslash(\) characters itself, so that means you can escape backslash by using another backslash. After that single quote will be used as string terminator and it will caused alert() function to be called.
A canonical URL is the URL of the best representative page from a group of duplicate pages, according to Google. For example, if you have two URLs for the same page (such as example.com? dress=1234 and example.com/dresses/1234 ), Google chooses one as canonical.
However, you cannot use these alternative payloads in this situation because you are not allowed to use white spaces and some characters are literally banned. That s why, in order to filling the white spaces you need to use multi-line comment feature(/***/). It is possible use /***/ statement for both opening and closing a comment line on the same line.
Either open the searchResults.js file from the Sitemap, or after you landed on the home page view the page source and click to searchResults.js link. Examine the javascript code and observe that this.response(response text) passed into the eval() function call.
So it is time to taking the next step which is exploiting the vulnerability. Basically, you can use the fetch API to cause DNS resolving and sending a HTTP request to your exploit server(in this case burp collaborator) for the users who visits the blogpage.
You can also examine the username and password field by going back to blogpost. Now, only thing you need to do is waiting for the user interaction.
In order to deliver a successfull XSS attack, you need to manipulate the scroll action into a field that you control. It is possible to that via creating iframe tags with the onload event handler.
Observe that in the searchbar there is a parameter that called returnPath, keep that in my mind. View the page source and realize jquerys $ selector and attr() function is used in order to receive returnPath parameter.
Remember the information about the inner.HTML sink, according to that modern browsers are not allowing to use script tags and svg tags inside inner.HTML sink. However, it might be possible to use img tag in order to deliver a successfull XSS attack.
Examine the above picture and observe that the query parameter is used in the document.write sink which causes a vulnerability.In this case, it is easy to spot this vulnerability but for some cases manual detection for DOM-Based XSS can be very hard to spot.
Observe that your canary is between the option tags, for that reason you need to escape from the options tags in order to deliver a successfull XSS attack.
Ng-app directive has been used so it is possible to use angular expressions. First of all, you need to determine the version of angularJS inorder to use right payload.