Kali Linux DOM Based XSS Writeup

2013-05-20

Rafay Baloch

http://www.rafayhackingarticles.net/2013/05/kali-linux-dom-based-xss-writeup.html?m=1

Recently, I have been on a mission to find XSS in popular security training websites, since these are the ones that care about their security the most. I have been successful in finding it in almost all of the ones I have tried to date. This one was a bit interesting, so I thought I would write a post on it. Basically, it was not a reflected/stored XSS; it was a DOM based XSS, similar to the one I found in Microsoft. Unlike the others, this particular XSS occurs in client side JavaScript.

In order to provide richer features to users, many webmasters and vendors are moving logic to the client side. Data taken from an attacker-controllable source (the URL fragment, document.referrer, window.name and so on) is written into the DOM by client side JavaScript without being filtered, which results in a DOM based XSS. Unlike reflected or stored XSS, the payload never has to pass through the server; in the case of a fragment (the part of the URL after #) it is not even sent in the HTTP request, so server side filters and logs never see it. The root cause of these vulnerabilities is dangerous sinks (innerHTML, document.write, eval, jQuery's $() given untrusted markup, and similar) being fed untrusted data. The DOM Based XSS wiki is a good source for a list of dangerous sources and sinks.

On checking out the source of kali.org, I immediately found out that it was running WordPress version 3.5.1. That version is the latest version of WordPress and has no known public vulnerabilities to date, therefore I moved towards testing plugins.

I tested a couple of plugins but did not find any of them vulnerable. By analyzing the source more deeply I found a pretty interesting plugin, "WP-Pretty Photo", which caught my interest. It is a jQuery based lightbox for the WordPress platform.


While searching for common vulnerabilities in the wp-prettyphoto plugin I found that it was vulnerable to DOM Based XSS. So I quickly added my payload to the URL and bam, it triggered an XSS.

POC:

http://www.kali.org/#!%22%3E%3Cimg%20src=1%20onerror=prompt%280%29;%3E//
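The source-to-sink path behind a PoC like the one above, as an added example that is not the post's own code and not the WP-Pretty Photo plugin's code: a deliberately simplified model of a hash-bang driven lightbox that takes the part of location.hash after `#!` (the source) and concatenates it into markup destined for innerHTML (the sink), beside a hardened version that rejects anything that does not look like a plain gallery reference and HTML-escapes what it does accept. Node has no DOM, so the functions return the markup string that would be assigned to innerHTML rather than assigning it. The function names, the `<a href=...>` markup and the whitelist pattern are assumptions made for illustration; the only input taken from the post is the fragment of the PoC URL, reproduced here as a constant.

```javascript
// Added example: simplified model of a hash-driven lightbox. NOT the plugin's code.
// Source: location.hash (attacker controlled, never sent to the server).
// Sink:   innerHTML (simulated here by returning the markup string).

// Decode the part after "#!" the way a hash-bang router would. location.hash is not
// decoded automatically by the browser, so client side code typically decodes it itself
// (assumption: decodeURIComponent, as many such routers do).
function targetFromHash(hash) {
  if (!hash.startsWith('#!')) return null;
  try {
    return decodeURIComponent(hash.slice(2));
  } catch (e) {
    return null; // malformed percent-encoding, e.g. "%E0%A4%A"
  }
}

// VULNERABLE: attacker-controlled string concatenated straight into markup.
// In a browser this would be: document.getElementById('lightbox').innerHTML = ...
function vulnerableMarkup(hash) {
  const target = targetFromHash(hash);
  if (target === null) return '';
  return '<a href="' + target + '" rel="lightbox">open</a>';
}

// HARDENED: (1) accept only what a gallery reference can legitimately look like,
// (2) HTML-escape before the value touches any markup sink.
// The whitelist pattern is an assumption for this example; real code should match
// its own identifier format as tightly as possible.
const ALLOWED_TARGET = /^[A-Za-z0-9_\-\/\.]+$/;

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, function (c) { return map[c]; });
}

function hardenedMarkup(hash) {
  const target = targetFromHash(hash);
  // Reject rather than "clean up": a fragment that is not a valid reference is not
  // something the lightbox has any reason to render.
  if (target === null || !ALLOWED_TARGET.test(target)) return '';
  return '<a href="' + escapeHtml(target) + '" rel="lightbox">open</a>';
}

// The fragment of the PoC URL from the post (constructed constant, nothing is fetched).
// Decoded it reads: "><img src=1 onerror=prompt(0);>//
// The leading "> closes the href attribute and the <a> tag the sink is building.
const POC_HASH = '#!%22%3E%3Cimg%20src=1%20onerror=prompt%280%29;%3E//';

// Check: did the payload break out of the attribute and land an event handler in the markup?
function containsHandler(markup) {
  return /<img[^>]*onerror=/i.test(markup);
}
```

Running `vulnerableMarkup(POC_HASH)` yields `<a href=""><img src=1 onerror=prompt(0);>//" rel="lightbox">open</a>`, which a browser parses as an `<img>` with an onerror handler; `hardenedMarkup(POC_HASH)` returns an empty string, while a benign fragment such as `#!gallery/photo-1.jpg` produces identical output from both functions. Note that the vulnerable version would also be reachable with no request ever reaching kali.org's server, because the fragment stays in the browser.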
[...]

