Tags: javascript, dom, eval, penetration-testing

Is this JavaScript injection (DOM-based) real or false positive?


I'm trying to grasp JavaScript DOM-based injection attacks better, so I would appreciate some input on this.

I have this output from Burp Suite rated "firm", indicating there should be something here. So the main page loads a .js file with the code below. Data is read from document.location and passed to eval() via the following statements:

var _9f=document.location.toString();   // full URL, query string included
var _a0=_9f.split("?",2);               // [part before '?', part after '?']
var _a1=_a0[1];                         // the query string
var _a2=_a1.split("&");                 // one entry per name=value pair
var sp=_a2[x].split("=");               // x: loop index over the pairs (loop not shown)
djConfig[opt]=eval(sp[1]);              // raw value goes straight to eval(); opt set by the loop

If I understand this correctly, it gets the content after '?' in the url, then splits the parameters after '=' and then evals the second array of that. So www.domain.tld?first=nothing&second=payload, is that correct?

Given that it's already inside of a js file, I'd assume I don't need the < script > tags in the payload? I really can't get it to fire anything so I'm doing it wrong obviously. Would appreciate some input to understand this better, not just a code snippet but some explanation would be great.


Solution

  • ...it gets the content after '?' in the url, then splits the parameters after '=' and then evals the second array of that...

    Almost. It gets the part of the string after the first ?, splits that into an array of parameters (by splitting on &), then gets the value of the xth parameter (the one at index x), splits it to get its value, and evals that.

    This means the page executes code entered into it via the query string, which means Mary can give Joe a URL with code in it that will then execute within the page when Joe opens it, which is a potential security risk for Joe.

    Say x is 2. This URL would show an alert: http://example.com/?a=1&b=2&c=alert(42)

    var x = 2;
    var _9f="http://example.com/?a=1&b=2&c=alert(42)";
    var _a0=_9f.split("?",2);
    var _a1=_a0[1];
    var _a2=_a1.split("&");
    var sp=_a2[x].split("=");
    /*djConfig[opt]=*/eval(sp[1]);

    Here's an example on JSBin: https://output.jsbin.com/cibusixeqe?a=1&b=2&c=alert(42)

    How big a risk it is depends on what page this code is in.

    Since the code doesn't use decodeURIComponent there are limits on what the code in the query string can be, though they can probably be worked around...
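The parsing and eval step the answer walks through, as an added example that is not part of the original question or answer. It reconstructs the posted snippet so it runs under Node: document.location is replaced by a URL string, the browser's alert() is replaced by a recording stub, and the surrounding loop (x iterating over the pairs, opt set to the parameter name) is assumed from the snippet's shape since the page does not show it. The constructed URLs illustrate three things the answer mentions: code in the query string runs, a value is cut off at its second '=', and percent-encoded characters (a browser would turn the quotes in alert("hi") into %22) reach eval() undecoded and break the payload, which is why a payload built from characters that survive the URL unencoded, such as String.fromCharCode, still works. The allowlisting parser at the end is an added hardening suggestion, not code from the page.

```javascript
// Vulnerable parser, mirroring the posted snippet.  evalFn is passed in so the
// example can hand it the real eval (called indirectly, so global scope) and
// observe what happens, instead of hard-coding eval inside the function.
function parseDjConfigVulnerable(url, evalFn) {
  var djConfig = {};
  var _9f = url.toString();             // stands in for document.location
  var _a0 = _9f.split("?", 2);          // [before '?', after the first '?']
  var _a1 = _a0[1];
  if (_a1 === undefined) return djConfig;
  var _a2 = _a1.split("&");             // one entry per name=value pair
  for (var x = 0; x < _a2.length; x++) {   // assumed loop: not shown on the page
    var sp = _a2[x].split("=");         // sp[0] = name, sp[1] = text up to the 2nd '='
    var opt = sp[0];
    djConfig[opt] = evalFn(sp[1]);      // raw, still percent-encoded, value is eval'd
  }
  return djConfig;
}

// Runs the vulnerable parser on a constructed URL and records every alert()
// call and any exception, so the outcome can be inspected programmatically.
function runVulnerable(url) {
  var alerts = [];
  globalThis.alert = function (msg) { alerts.push(msg); };   // browser alert() stand-in
  var result = { config: null, alerts: alerts, error: null };
  try {
    result.config = parseDjConfigVulnerable(url, eval);     // indirect eval: global scope
  } catch (e) {
    result.error = e.name;              // e.g. "SyntaxError" for a broken payload
  }
  return result;
}

// Hardened replacement (added suggestion): never eval the query string.
// Decode it, keep the whole value even if it contains '=', accept only known
// option names, and coerce each value to the type that option is declared as.
var ALLOWED_OPTS = { isDebug: "boolean", locale: "string" };   // assumed option list

function parseDjConfigSafe(url) {
  var djConfig = {};
  var query = url.split("?", 2)[1];
  if (!query) return djConfig;
  query.split("&").forEach(function (pair) {
    var idx = pair.indexOf("=");
    var name = decodeURIComponent(idx < 0 ? pair : pair.slice(0, idx));
    var raw = idx < 0 ? "" : decodeURIComponent(pair.slice(idx + 1));
    if (!Object.prototype.hasOwnProperty.call(ALLOWED_OPTS, name)) return;  // drop unknown
    djConfig[name] = ALLOWED_OPTS[name] === "boolean" ? raw === "true" : raw;
  });
  return djConfig;
}

// Constructed URLs for the walk-through (hypothetical host example.com):
// 1. the answer's example: the third parameter's value runs, alert(42) fires
console.log(runVulnerable("http://example.com/?a=1&b=2&c=alert(42)"));
// 2. percent-encoded quotes are not decoded, so eval sees alert(%22hi%22): SyntaxError
console.log(runVulnerable("http://example.com/?c=alert(%22hi%22)"));
// 3. a payload using only characters that stay unencoded in a URL still fires
console.log(runVulnerable("http://example.com/?c=alert(String.fromCharCode(104,105))"));
// 4. the value is cut at its second '=': "1=2" is eval'd as just "1"
console.log(runVulnerable("http://example.com/?c=1=2"));
// 5. the hardened parser ignores the injected parameter and never evals anything
console.log(parseDjConfigSafe("http://example.com/?isDebug=true&locale=en-US&c=alert(42)"));
```

Because the vulnerable code splits on "?", "&" and "=" before any decoding, a payload has to avoid those three characters and anything the browser will percent-encode; that is the "limit" the answer refers to, and the String.fromCharCode case shows the kind of workaround it alludes to.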