Simple DOM based XSS Trick

Hello hackers, c0ff33b34n here to teach you an easy DOM based XSS trick.

What is DOM based XSS??

DOM Based XSS is an XSS attack wherein the attack payload is executed as a result of modifying the DOM environment in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.

Here we are going to look at Keycloak <=8.0 — Cross-Site Scripting.

Title: Keycloak <=8.0 — Cross-Site Scripting

Description: Keycloak 8.0 and prior contains a cross-site scripting vulnerability. An attacker can execute arbitrary script and thus steal cookie-based authentication credentials and launch other attacks.

How to Find and Exploit!?

Vulnerable point: /auth/realms/master/clients-registrations/openid-connect

Doing the same thing again and again is boring as that, so lets automate it!! Open the terminal and let’s find some DOM XSS.

Step 1: Find Subdomains

Step 2: Filter out the live ones.

Step 3: Test for DOM based XSS mentioned in our scenario. We have a template in nuclei repository to make our work easy. Let’s use that to save our time and effort.

subfinder -d target.com | httpx | nuclei -t vulnerabilities/other/keycloak-xss.yaml

Step 4: Manual exploitation.

Fire up Burp suite >> Capture the vulnerable end-point >> Send to repeater >> Change the request to POST >> add payload in DOM environment >> Check the response in browser >> Observe the pop-up.

Payload: {“<img onerror=confirm(‘XSS’) src/>”:1}

Request in Burp

Response in Burp

XSS Found

Step 5: Done!!

Any doubts!?

Feel free to talk! ❤