Vulnerable code
The getcookie function is used for fetching the cookie values.
384 ◾ Ethical Hacking and Penetration Testing Guide
Two variables, “Rlo” and “Rm,” are then defined: the rlo variable is set to getcookie(“Rlo”) and the same is done for “Rm.” Both now hold cookie values and are therefore user-controllable inputs. For exploitation, however, the values of “Rlo” and “Rm” must not be null, which is what the “if” clause checks. Finally, the value of the Rlo cookie is written to the page via the innerHTML sink.
Now, in order to exploit it, we need to find any other XSS in any other subdomain of the website we are targeting; in this case it is rediff.com, so we are able to manipulate the cookies. Using that other XSS, we set a root domain cookie (which is accessible from all subdomains). A root domain cookie holding the XSS vector will do the trick, since getcookie will read the Rlo cookie’s value and execute it under blogs.rediff.com, the domain containing the vulnerable JavaScript code.
The researcher managed to find a flash-based XSS in a subdomain “imworld.rediff.com.”
POC
header('Location: http://imworld.rediff.com/livewirerediff/pix/swfupload.swf#?movieName="]);}catch(e){}document.cookie="Rm=notnull; domain=.rediff.com;Path=/;";document.cookie="Rlo=onload=alert(\'XSS\')>;domain=.rediff.com;Path=/;";location="http://blogs.rediff.com/nonexistentpage";//');
?>
The first part of the code sets the cookie values Rm to “notnull” and Rlo to our XSS vector and then redirects to blogs.rediff.com/nonexistentpage, where the vulnerable JavaScript code is hosted. This results in JavaScript execution.
Static JS Analysis to Identify DOM-Based XSS
As mentioned before, analyzing JavaScript can be taxing at times, considering you may have a million lines of code to analyze. As manual inspection is not a good option here, static code analyzers can be used to find DOM-based XSS vulnerabilities. Let’s take a look at a static JavaScript analysis tool called JSPrime, introduced by Nishant Das Patnaik.
Web Hacking ◾ 385
JSPrime is a static source code analysis tool written in JavaScript to identify vulnerabilities in JavaScript itself. Built on an ECMAScript parser, it is capable not only of identifying DOM-based XSS vulnerabilities in JavaScript but also of analyzing JavaScript libraries such as jQuery and YUI.
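To make the idea behind such tools concrete, here is an added example (not JSPrime’s code, and not the real rediff script) of a minimal source-to-sink taint check that flags the cookie-to-innerHTML pattern from the vulnerable code above; the sample JavaScript it scans is constructed to mirror that pattern, and the check assumes one statement per line.

```javascript
// Added example (not JSPrime's code): a small, line-oriented source-to-sink
// taint check for the cookie-to-innerHTML pattern described above. Real tools
// such as JSPrime work on a parsed AST; this heuristic assumes one statement
// per line and does not follow data through calls, so getcookie is itself a source.
const SOURCES = [/\bgetcookie\s*\(/, /\bdocument\.cookie\b/, /\blocation\.(hash|search|href)\b/];
const SINKS = [/\.innerHTML\s*=(?!=)/, /\bdocument\.write(ln)?\s*\(/, /\beval\s*\(/];
// `name = expr` or `var|let|const name = expr` on a single line.
const ASSIGN = /^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+?);?\s*$/;

// True when `expr` references a source or an already tainted variable name.
function isTainted(expr, tainted) {
  if (SOURCES.some((re) => re.test(expr))) return true;
  return [...tainted].some((n) => new RegExp(`\\b${n}\\b`).test(expr));
}

// Returns one finding per line on which tainted data reaches a sink.
function findCookieToSink(src) {
  const tainted = new Set();
  const findings = [];
  src.split('\n').forEach((line, idx) => {
    const sink = SINKS.find((re) => re.test(line));
    if (sink) {
      const m = line.match(sink);
      const payload = line.slice(m.index + m[0].length); // the value written to the sink
      if (isTainted(payload, tainted)) findings.push({ line: idx + 1, code: line.trim() });
      return;
    }
    const a = line.match(ASSIGN);
    if (a && isTainted(a[2], tainted)) tainted.add(a[1]); // propagate taint to the new name
  });
  return findings;
}

// Constructed sample modelled on the page's description (not the real rediff code):
// cookies Rlo and Rm are read, checked for null, and Rlo ends up in innerHTML.
const SAMPLE = [
  'function getcookie(name) {',
  '  var kv = document.cookie.match(name + "=([^;]*)");',
  '  return kv ? kv[1] : null;',
  '}',
  'var rlo = getcookie("Rlo");',
  'var rm = getcookie("Rm");',
  'var banner = "Welcome back " + rlo;',
  'if (rlo != null && rm != null) {',
  '  document.getElementById("greeting").innerHTML = banner;', // line 9: cookie -> innerHTML
  '}',
  'document.getElementById("safe").textContent = rlo;', // textContent is not an HTML sink
].join('\n');

console.log(findCookieToSink(SAMPLE)); // [{ line: 9, code: 'document.getElementById("greeting").innerHTML = banner;' }]
```

The last sample line shows the defensive counterpart: writing the same cookie value through textContent renders it as text rather than markup, so the check does not report it.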