Kali Linux DOM Based XSS Writeup
In order to provide features to the users lots of webmasters/Vendors are moving their code towards client side, the data is embedded in the DOM and before it's reflected back to the user it is not filtered out, which results in a DOM based XSS. The main cause of this vulnerabilities are dangerous Sinks. DOM based XSS wiki is a good source where you would find dangerous sources and sinks.
On checking out the source of kali.org, i immediately found out that i was running wordpress version 3.5.1, The version is the latest version of the wordpress and has no known public vulnerabilities till date, therefore i moved towards testing plugins.
I tested couple of plugins, however did not find any one of them vulnerable, by analyzing the source more deeply i found a pretty interesting plugin "WP-Pretty Photo" which caught my interest. Which is a jquery based lightbox for wordpress platform.
Next i performed a detailed analysis on the prettyphoto.js file, hunting for DOM based XSS. After my analysis i managed to construct a valid payload to trigger the DOM based XSS. You can find my detailed analysis about the prettyphoto.js DOM xss vulnerability here.
Some debugging with chrome JS console, led me to the line 79 of the jquery.prettyPhoto.js, the line of code which was responsible for the cause of the DOM Based XSS.
The input inside the hashrel was not filtered out before it was being displayed to the user, which resulted in the DOM Based XSS.
The following url discusses, about the fix:
If, this was not enough for you, then listen to this, Offensive-security team was very awesome in a sense, that they gave me a free voucher for their famous certification PWB 3.0.
I would like that every one would be act the same way i did and responsibly disclose every issue you find.