This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
a= is taken as a parameter of the body tag, and <a href=" is interpreted as the value of the a parameter.Next, <img src=a onerror=alert(2)> is interpreted, making the alert(2) pop on the screen.
But DOMPurify is only confronted to this payload :
$' a='<a href="'><img src=a onerror=alert(2)>">asd</a>
$' a=' This part is basicaly ignored by DOMPurify parser.
The <a> tag is analyzed, the content of the href is ignored because it’s contained in a string.
-That’s exactly where the javascript execution is placed, with a basic xss payload like <img src=x onerror=alert(1)>.
We were able to get the closing </body tag just before our payload thanks to the $' operator.
This exploit wouldn’t have been possible if the code used a templating engine instead of the replaceAll native JavaScript function.
When we inspect the behavior of the browser with this payload, we can see that every closing tags without an opening tag before are removed.
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
<img src=x onerror=alert(1)>.We were able to get the closing </body tag just before our payload thanks to the $' operator.
This exploit wouldn’t have been possible if the code used a templating engine instead of the replaceAll native JavaScript function.
When we inspect the behavior of the browser with this payload, we can see that every closing tags without an opening tag before are removed.
Link to the presentation I did in french about this subject.
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.