From e9c57ef5e6a567aaa8b22986ef7aec1220b261a6 Mon Sep 17 00:00:00 2001 From: xanhacks Date: Wed, 7 Dec 2022 14:47:34 +0100 Subject: [PATCH] add Dom clob 2 --- docs/web/ctf/web_academy.md | 44 +++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/docs/web/ctf/web_academy.md b/docs/web/ctf/web_academy.md index bb35ab2..fcf5436 100644 --- a/docs/web/ctf/web_academy.md +++ b/docs/web/ctf/web_academy.md @@ -64,6 +64,50 @@ HTMLCollection(2) [a#defaultAvatar, a#defaultAvatar, defaultAvatar: a#defaultAv The `defaultAvatar` is successfully injected and the XSS is working! +### DOM clobbering to bypass HTMLJanitor + +> Lab: [Clobbering DOM attributes to bypass HTML filters](https://portswigger.net/web-security/dom-based/dom-clobbering/lab-dom-clobbering-attributes-to-bypass-html-filters) + +Snippet of the vulnerable code: + +```js +// Sanitize attributes +for (var a = 0; a < node.attributes.length; a += 1) { + var attr = node.attributes[a]; + + if (shouldRejectAttr(attr, allowedAttrs, node)) { + node.removeAttribute(attr.name); + // Shift the array to continue looping. + a = a - 1; + } +} +``` + +You can use a `form` HTML element to inject the `attributes` attribute of any variables (in our example: `node`). + +```html +
+ +
+ + +
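Review bot: the explanation in the new section is too vague to teach the bypass or its fix: "inject the `attributes` attribute of any variables (in our example: `node`)" should state precisely what is clobbered, namely the `attributes` property of the `<form>` element that the sanitizer is currently visiting as `node`, and how (a named child control whose `name` shadows that DOM property), so the reader can see why `node.attributes.length` in the loop at the top of the hunk is no longer a number and the attribute-stripping loop is silently skipped. The ```html block that the sentence points to is empty in the diff as shown, so the section currently describes a payload it never shows; either include the markup or drop the reference. From a defender's side, the section would also benefit from one line on the correct fix in the sanitizer, for example verifying that `node.attributes` is a real `NamedNodeMap` (or using `getAttributeNames()`) before iterating, so the page does not read as bypass-only.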