
Kali Linux DOM Based XSS Writeup



Recently, I have been on a mission to find XSS in popular security training websites, since these are the ones who care about their security the most. I have been successful in finding one in almost all of them I have tried to date. This one was a bit interesting, so I thought I would write a post on it. Basically it was not a reflected/stored XSS; it was a DOM based XSS, similar to the one I found in Microsoft. Unlike the others, this particular XSS occurs in client side JavaScript.

In order to provide features to users, lots of webmasters/vendors are moving their code to the client side. The data is embedded in the DOM and is not filtered before it is reflected back to the user, which results in a DOM based XSS. The main cause of these vulnerabilities is dangerous sinks. The DOM based XSS wiki is a good source where you will find dangerous sources and sinks.

On checking the source of kali.org, I immediately found that it was running WordPress version 3.5.1. This is the latest version of WordPress and has no known public vulnerabilities to date, therefore I moved on to testing plugins.


I tested a couple of plugins, but did not find any of them vulnerable. By analysing the source more deeply I found a pretty interesting plugin, "WP-Pretty Photo", which caught my interest. It is a jQuery based lightbox for the WordPress platform.


Next I performed a detailed analysis of the prettyphoto.js file, hunting for DOM based XSS. After my analysis I managed to construct a valid payload to trigger the DOM based XSS. You can find my detailed analysis of the prettyphoto.js DOM XSS vulnerability here.




POC:

http://www.kali.org/#!%22%3E%3Cimg%20src=1%20onerror=prompt%280%29;%3E//

Some debugging with the Chrome JS console led me to line 79 of jquery.prettyPhoto.js, the line of code responsible for the DOM based XSS.

http://www.kali.org/wp-content/themes/persuasion/lib/scripts/prettyphoto/js/jquery.prettyPhoto.js?ver=2.1



It was also obvious from the code that it required a ! sign to successfully execute the JavaScript.


The input inside the hashrel was not filtered before it was displayed to the user, which resulted in the DOM based XSS.

The Fix

The following URL discusses the fix:

https://github.com/Duncaen/prettyphoto/commit/3ef0ddfefebbcc6bbe9245f9cea87e26838e9bbc
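To make the cause and the fix above concrete, here is an added example (my own model, not prettyPhoto's code or the linked commit) of the sink: everything after `#!` in the URL fragment is concatenated into a jQuery selector string, and jQuery versions before 1.9 parse any string containing a `<tag>` as HTML rather than as a selector. The hardened version allow-lists the characters a gallery name legitimately contains; the sample fragments, the `rel` attribute name and the allow-list are assumptions for illustration.

```javascript
// Added example, not prettyPhoto's own code: models how a lightbox turns the
// URL fragment into a jQuery selector and why the unfiltered form is a DOM sink.

// Constructed samples: a benign lightbox fragment and the decoded form of the
// fragment shape discussed in the post.
const BENIGN_HASH = "#!gallery/2";
const HOSTILE_HASH = '#!"><img src=1 onerror=prompt(0);>//';

// Assumed model of the pre-fix behaviour: the "!" marker is required, and the
// rest of the fragment goes straight into an attribute selector.
function buildSelectorUnsafe(hash) {
  const idx = hash.indexOf("#!");
  if (idx === -1) return null;            // no "#!" marker: nothing happens
  const rel = hash.substring(idx + 2);
  return 'a[rel^="' + rel + '"]';         // closing quote in rel breaks out
}

// Hardened form: reject the fragment unless it matches an allow-list of the
// characters a gallery/rel name needs. Rejecting is safer than trying to
// strip "bad" characters, because the allow-list has no bypass to reason about.
const SAFE_REL = /^[A-Za-z0-9_\-\/]+$/;
function buildSelectorSafe(hash) {
  const idx = hash.indexOf("#!");
  if (idx === -1) return null;
  const rel = hash.substring(idx + 2);
  if (!SAFE_REL.test(rel)) return null;    // hostile or malformed: ignore it
  return 'a[rel^="' + rel + '"]';
}

// Mirrors the "is this HTML?" heuristic of jQuery < 1.9 (quickExpr): a string
// with a "<...>" run and no leading "#" is treated as markup to be created,
// which is exactly when $(selector) becomes an HTML sink.
const JQUERY_HTML_RE = /^[^#<]*(<[\w\W]+>)[^>]*$/;
function wouldBeParsedAsHtml(selector) {
  return selector !== null && JQUERY_HTML_RE.test(selector);
}

// Defender's check: does a given fragment reach the HTML sink in either model?
function reachesSink(hash) {
  return {
    unsafe: wouldBeParsedAsHtml(buildSelectorUnsafe(hash)),
    safe: wouldBeParsedAsHtml(buildSelectorSafe(hash)),
  };
}
```

Running `reachesSink(HOSTILE_HASH)` gives `{ unsafe: true, safe: false }`, while the benign fragment produces the same selector from both functions.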

If this was not enough for you, then listen to this: the Offensive Security team was very awesome, in the sense that they gave me a free voucher for their famous certification PWB 3.0.

 
I was really surprised to see that DOMinator was not detecting it, which is the only good tool for finding DOM based XSS, leaving IBM's JavaScript scan apart. In the past I have tried DOMinator against various websites suffering from DOM based XSS and have found that at some spots it is very good and at some spots it needs much improvement. Here is the screenshot:




I would like everyone to act the same way I did and responsibly disclose every issue you find.


12 comments:

Anonymous on May 20, 2013 at 7:37 AM said...

So, it's a random XSS in a plugin, and actually there are a lot of vulnerabilities in WordPress version 3.5.1, and in this case the vulnerability is due to a plugin (not a vulnerability in WordPress as you said). As it is not much used publicly, only a few websites use it. You will find vulnerabilities like this in every 3rd plugin of WordPress.

Sorry to say this but this article could have ended in 5 lines.

Rafay Baloch on May 20, 2013 at 10:11 AM said...

Thanks for your comment. Answers in line:

// So, it's a random XSS in a plugin and actually there are lot of vulnerabilities in wordpress version 3.5.1 and in this case vulnerability //

Please, let me know some high risk vulnerabilities in 3.5.1.

//Sorry to say this but this article could have ended in 5 lines. //

Ever read a research or white paper? It's a single topic with in-depth information. The thing here is the target audience; the methodology is important. I was requested by lots of readers; in case you are not following me on FB, you won't know. I can go on and on, but there is no point debating; you are entitled to your own opinions.

Anonymous said...

What email to report security vulnerability in offensive security bro?

Aamir Khan on May 21, 2013 at 6:15 AM said...

Nice finding. Keep it up!
Hacking Articles

Kamal Khan said...

To be very clear, I understood this post partially. To fully understand this post, what knowledge should I have (JS/CSS/HTML) or which tool should I use?

Ajin Abraham on May 29, 2013 at 9:16 AM said...

Whoever commented this, I believe, is a noob or else jealous of Rafay.
At least he spent his time to disclose the bug with details and his methods. This could certainly help a lot of budding web app researchers. These days people are so narrow minded about sharing knowledge. I would appreciate Rafay's write-up.

Rafay on May 29, 2013 at 1:49 PM said...

Thanks Ajin,

I really appreciate your comment.


PwnDizzle on June 15, 2013 at 6:43 AM said...

Nice find and the PWB course is awesome. It's not easy but well worth the effort.

Rafay Baloch on June 22, 2013 at 2:23 PM said...

@PWNDIZZLE

Yes, that is the reason why I would do it later this year.

Also, it would be a pleasure if you could write a guest post here.

Anonymous said...

Great work. Keep it up.

Rahul Sharma on November 23, 2013 at 12:11 AM said...

Great work Rafay Baloch sir :) and thanks for sharing this method, thank you so much, and someone is jealous of you so ignore him sir, just keep it going sir ...:)
Thank You

Anonymous said...

I need help with some config.

Dare to ask? :)

About

Rafay Baloch is an independent security researcher, Internet marketer, entrepreneur and SEO consultant. He is the founder of the RHA blog and multiple other blogs. Rafay got famous after finding a Remote Code Execution bug inside PayPal, for which PayPal awarded him a sum of $10,000.

RHA © 2013. All Rights Reserved.