The curious case of domain: Quirky XSS

3 years ago 193
BOOK THIS SPACE FOR AD
ARTICLE AD

I was trying out for some XSS payloads and found a quirk that might help in shortening payloads :)

SecurityGOAT

So I was just trying out some XSS payloads to see if I can come up with an interesting post for today — something that was new or not much known before. So I kept looking and looking and looking and finally found something!

Let’s talk about that quirk-ish thing now :)

I don’t know what’s the exact reason behind this thing but happy to get inputs on that.

Image Credits: SecurityGOAT (That’s me ;)

Here’s the TL;DR version for the impatient :)

While performing XSS, alert(domain) works for some tags but for some tags it doesn’t and therefore you need alert(document.domain) there…

And the tags for which alert(domain) worked was:

a, button, details, image, img, input, textarea, svg

Maybe there are more… I tested manually so maybe I missed some. I will write some script to do the automated checks by tomorrow and write a post on that experience as well ;)

All of these seemed to be interactive elements and thus I am assuming that for all the interactive elements somehow the domain part is bound to the element reference (this).

Feel free to correct me if I am wrong, but the assumption seems sane enough.

So for the patient souls, here’s the full story:

I was checking out some XSS payloads, and found 1 that looked interesting. In essence it was just using alert(domain) in the onerror event handler for an SVG element.

I always thought that the domain element is not the part of the window and thus cannot be accessed directly and that’s why this observation was quite interesting. Especially because now I can omit the document and use domain directly, if I ever had to and maybe design some shorter XSS payloads for fun :)

But I was not sure why this is happening, searched online but I didn’t found any fruitful results.

Then I set out to find out all the other HTML tags that might support this thing. So I copied all the HTML elements from the Cross-Site Scripting Cheatsheet by @PortSwigger and created a page containing different elements and tried to check which ones had domain defined (without using document).

And the results were that alert(domain) worked for these tags:

a, button, details, image, img, input, textarea, svg

I was trying out for some XSS payloads and found a quirk that might help in shortening payloads :)

So I was just trying out some XSS payloads to see if I can come up with an interesting post for today — something that was new or not much known before. So I kept looking and looking and looking and finally found something!

Let’s talk about that quirk-ish thing now :)

I don’t know what’s the exact reason behind this thing but happy to get inputs on that.

Image Credits: SecurityGOAT (That’s me ;)

Here’s the TL;DR version for the impatient :)

While performing XSS, alert(domain) works for some tags but for some tags it doesn’t and therefore you need alert(document.domain) there…

And the tags for which alert(domain) worked was:

a, button, details, image, img, input, textarea, svg

Maybe there are more… I tested manually so maybe I missed some. I will write some script to do the automated checks by tomorrow and write a post on that experience as well ;)

All of these seemed to be interactive elements and thus I am assuming that for all the interactive elements somehow the domain part is bound to the element reference (this).

Feel free to correct me if I am wrong, but the assumption seems sane enough.

Again, as I already mentioned I am not really sure what’s the true reason for this and would be happy to understand more. Would probably ask around on Twitter to get some answers :)

I hope this post was informative and helped to inspire some of you to push the infosec boundaries more and helped you learn something interesting!

In case you enjoyed it, please share it among your friends in the infosec community :)

Let me know your feedback in the comments below and feel free to connect on twitter: @RuntimeSecurity

You can also send any interesting topics you wish to learn over Twitter and I will make quality posts on those topics.

Lastly, if you have been enjoying my work and would love to support me, consider checking my Patreon page or you can even Buy Me a Coffee :)

See ya!
Until next time my friend, keep learning and happy hacking.

Read Entire Article