
DOM-based XSS

The Me Jun 07, 2019 09:36AM UTC

Hey, I've got a dynamic analysis result from one of the requests intercepted through Burp Proxy:
"Data is read from input.value and passed to jQuery.
The source element has name form_type.
The following value was injected into the source:
company

The previous value reached the sink as:
.jq-change-form[value="pu2smtu1t2%2527%2522`'"/pu2smtu1t2/><pu2smtu1t2/\>v35wawh6yy&"]

The stack trace at the source was:
at Object.UPGTj (<anonymous>:1:406183) at Object.tPCmp (<anonymous>:1:882309) at HTMLInputElement.get (<anonymous>:1:886853) at HTMLInputElement.get [as value] (<anonymous>:1:1059386) at e.fn.init.val (https://test01.firm-dev.com/js/main_lib/jquery-1.11.0.min.1559890976.js:4:9114) at HTMLDocument.<anonymous> (https://test01.firm-dev.com/js/history/address_form.1559890976.js:92:109) at j (https://test01.firm-dev.com/js/main_lib/jquery-1.11.0.min.1559890976.js:2:27136) at Object.fireWith [as resolveWith] (https://test01.firm-dev.com/js/main_lib/jquery-1.11.0.min.1559890976.js:2:27949) at Function.ready (https://test01.firm-dev.com/js/main_lib/jquery-1.11.0.min.1559890976.js:2:29783) at HTMLDocument.K (https://test01.firm-dev.com/js/main_lib/jquery-1.11.0.min.1559890976.js:2:30128)

The stack trace at the sink was:
at Object.rzeQd (<anonymous>:1:1299326) at Object.efryG (<anonymous>:1:1313524) at Object.apply (<anonymous>:1:1319855) at changeFormType (https://test01.firm-dev.com/js/history/address_form.1559890976.js:113:5) at HTMLDocument.<anonymous> (https://test01.firm-dev.com/js/history/address_form.1559890976.js:92:5) at j (https://test01.firm-dev.com/js/main_lib/jquery-1.11.0.min.1559890976.js:2:27136) at Object.fireWith [as resolveWith] (https://test01.firm-dev.com/js/main_lib/jquery-1.11.0.min.1559890976.js:2:27949) at Function.ready (https://test01.firm-dev.com/js/main_lib/jquery-1.11.0.min.1559890976.js:2:29783) at HTMLDocument.K (https://test01.firm-dev.com/js/main_lib/jquery-1.11.0.min.1559890976.js:2:30128)

This was triggered by a DOMContentLoaded event."

From this I understand that the place where 'company' is placed is the vulnerable spot for my payload, and ".jq-change-form[value="pu2smtu1t2%2527%2522`'"/pu2smtu1t2/><pu2smtu1t2/\>v35wawh6yy&"]" is the function where the payload is processed, right?
So I need an API endpoint, method and a proper request to the application server to check that vulnerability; are my assumptions right?


Liam Tai-Hogan Jun 10, 2019 12:29PM UTC Support Center agent

You need to find a way to manipulate the source element (form_type). Are you able to do this using the method you’ve described?
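As an added illustration of the agent's point (example code written for this page, not code from the thread, from the site under test, or from jQuery), the block below reproduces the decision jQuery makes when a string reaches `jQuery(...)`: whether it is parsed as HTML (where an `<img onerror=...>` style payload would fire) or handed to Sizzle as a CSS selector. The `buildSelectorUnsafe` function is an assumption about what address_form.js does, inferred from the sink string in the report; the real source was not posted. `BURP_PROBE` is the value shown in the report, while `HTML_PROBE` and `SAMPLE_ELEMENTS` are constructed for the example.

```javascript
// Added example for this thread; not code from the original post, the site
// under test, or jQuery itself. It shows why "value reaches a jQuery sink" is
// only a DOM XSS under specific conditions.

// jQuery's "quick expression" that jQuery(string) uses to decide whether the
// string is HTML (parsed into live elements) or a selector.
var RQUICK_PRE_1_9 = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/; // jQuery < 1.9: markup may appear anywhere in the string
var RQUICK_1_9_PLUS = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/;     // jQuery >= 1.9, incl. 1.11.0: markup must start the string

// Assumption: address_form.js concatenates the form_type input's value into an
// attribute selector. Inferred from the sink string in the report.
function buildSelectorUnsafe(formType) {
  return '.jq-change-form[value="' + formType + '"]';
}

// Mirrors jQuery's init(): returns 'html' when jQuery(str) would create elements
// from str, 'selector' when it would pass str to Sizzle as a CSS selector.
function jqueryInterpretation(str, version) {
  var isPre19 = version === 'pre-1.9';
  if (str.charAt(0) === '<' && str.charAt(str.length - 1) === '>' && str.length >= 3) {
    return 'html';
  }
  var m = (isPre19 ? RQUICK_PRE_1_9 : RQUICK_1_9_PLUS).exec(str);
  return m && m[1] ? 'html' : 'selector';
}

// Escaping keeps the value inside the quoted attribute string for Sizzle,
// but it does not stop jQuery < 1.9 from treating embedded markup as HTML.
function cssStringEscape(value) {
  return String(value).replace(/[\\"]/g, function (c) { return '\\' + c; });
}
function buildSelectorSafe(formType) {
  return '.jq-change-form[value="' + cssStringEscape(formType) + '"]';
}

// Safest: never put untrusted data into a selector string; compare values in JS.
function findByValue(elements, formType) {
  return Array.prototype.filter.call(elements, function (el) {
    return el.value === formType;
  });
}

// BURP_PROBE is the value from the report above. HTML_PROBE is a constructed
// generic probe. SAMPLE_ELEMENTS are constructed stand-ins for the
// .jq-change-form inputs, since this runs outside a browser.
var BURP_PROBE = 'pu2smtu1t2%2527%2522`\'"/pu2smtu1t2/><pu2smtu1t2/\\>v35wawh6yy&';
var HTML_PROBE = '"><img src=x onerror=alert(1)>';
var SAMPLE_ELEMENTS = [{ value: 'company' }, { value: 'private' }];

// One row of findings for a given form_type value.
function report(formType) {
  var unsafe = buildSelectorUnsafe(formType);
  var safe = buildSelectorSafe(formType);
  return {
    unsafeSelector: unsafe,
    pre19: jqueryInterpretation(unsafe, 'pre-1.9'),
    v1110: jqueryInterpretation(unsafe, '1.11.0'),
    escapedPre19: jqueryInterpretation(safe, 'pre-1.9'),
    matchedWithoutSelector: findByValue(SAMPLE_ELEMENTS, formType).length
  };
}

console.log(report('company'));
console.log(report(BURP_PROBE));
console.log(report(HTML_PROBE));
```

With the jQuery 1.11.0 named in the stack trace, the concatenated probe does not start with `<`, so it reaches Sizzle as a malformed selector and throws a syntax error instead of creating elements; the same concatenation on jQuery before 1.9 would parse the embedded tag as markup. Confirming the finding therefore needs two things: a way to set the form_type input's value (for instance, if it is prefilled from a URL parameter or stored data, which the report does not show), and a sink that actually interprets that value as HTML or uses it in some other exploitable way.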

