How to Use Dominator to discover DOM-based XSS vulnerabilities on Nokia Official Website

How to Use Dominator to discover DOM-based XSS vulnerabilities on Nokia Official Website

Background

DOM-based XSS (Cross-Site Scripting) vulnerabilities are generally difficult to find. In this article, the author uses Dominator to discover and use dom xss on the Nokia (Nokia) OVI website, this reminds me of the Second Brother's artifact :)

Brief Introduction

Resources in the DIV are all specified through location. hash. The author ran it with Dominator and found the following results:

The following figure shows a controllable point: location. hash and the resource is loaded through XMLHR. open. open the address in chrome and the console output is as follows:

 

Reload the following URL:
 

Http://store.ovi.com/#/jasminder

Dominator displays the following information:

If the author wants to see if the resources of a third-party website can be loaded, he loads the location of location. hash on his website and initiates a request. The result is as follows:

The actual request is as follows. The request is not sent to the author's website.

Http://store.ovi.com/jasminderapalsingh.info? Fragment = 1

However, the author later found that if the following request is initiated in chrome:

Http://store.ovi.com/#/~jasminderapalsingh.info

The browser initiates the following request:

This method can be used to initiate a request to a third-party host and load the data of the third-party host. In this way, the author places payload on his website. The final implementation result is as follows: