Lesson Plan Title: How to Perform a DOM Injection Attack

Concept / Topic To Teach:

How to perform DOM injection attacks.

How the attack works:

Some applications, especially those that use AJAX, manipulate and update the DOM directly using JavaScript, DHTML and the eval() method.
An attacker may take advantage of this by intercepting the reply and injecting JavaScript commands into it, which the browser then executes.

General Goal(s):

* Your victim is a system that requires an activation key before you can use it.
* Your goal is to get the Activate button enabled.
* Take some time to read the HTML source in order to understand how the key validation process works.

Figure 1 AJAX Security - DOM Injection

Solution:

AJAX applications communicate with the web application through the XMLHttpRequest object. When you view the source of the HTML page, you will notice the usage of XMLHttpRequest:

<script>
var req; // XMLHttpRequest object shared by validate() and callback()

function validate() {
    var keyField = document.getElementById('key');
    var url = '/WebGoat/attack?Screen=80&menu=1150&from=ajax&key=' + encodeURIComponent(keyField.value);

    if (typeof XMLHttpRequest != 'undefined') {
        req = new XMLHttpRequest();
    } else if (window.ActiveXObject) {
        req = new ActiveXObject('Microsoft.XMLHTTP'); // legacy Internet Explorer
    }
    req.open('GET', url, true);
    req.onreadystatechange = callback;
    req.send(null);
}

function callback() {
    if (req.readyState == 4) {
        if (req.status == 200) {
            var message = req.responseText;
            // The response body is executed as JavaScript: whoever controls
            // the response controls the page.
            eval(message);
        }
    }
}
</script>

The HTTP response contains JavaScript that will activate the button so that you are able to click on it. Because callback() passes the response body to eval(), you can manipulate the Document Object Model of the HTML page in the browser by injecting JavaScript into that body. This requires intercepting the HTTP response in WebScarab!

Enter a license key (for example 'a') and intercept the HTTP request and HTTP response in WebScarab.

Figure 2 HTTP Request

Figure 3 HTTP Response

Intercept the reply and replace the body with:

document.forms[0].SUBMIT.disabled = false;

Figure 4 Updated HTTP Response

The button “Activate!” is now enabled!

Figure 5 Activate! Button is enabled


Figure 6 Lesson completed
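The lesson succeeds because callback() executes whatever the response contains, and because enabling the button is treated as the validation itself. The following is an added example, not part of the WebGoat lesson or Erwin Geirnaert's solution, showing the same validate()/callback() flow redesigned so the response is data rather than code and the key is judged only on the server. The function names, the JSON response shape and the sample keys are assumptions; the DOM button is stubbed as a plain object so the code runs under Node without a browser.

```javascript
// Added example (not part of the WebGoat lesson or its solution): the same
// validate()/callback() flow redesigned so the response is data, not code.
// Assumptions: the server answers {"valid": true|false} as JSON; the DOM
// button is stubbed as a plain object so this runs under Node without a browser.

// Constructed sample of keys the server accepts (placeholder values).
var SAMPLE_VALID_KEYS = ['WG-0001-DEMO', 'WG-0002-DEMO'];

// Server side: the only place the key is ever judged.
function validateKeyOnServer(key, validKeys) {
  return typeof key === 'string' && validKeys.indexOf(key) !== -1;
}

// Server side: what the ...&from=ajax endpoint would return instead of
// executable JavaScript. Only a boolean reaches the client.
function buildValidationResponse(key, validKeys) {
  return JSON.stringify({ valid: validateKeyOnServer(key, validKeys) });
}

// Client side: hardened replacement for callback(). Never executes the body;
// parses it as JSON and accepts only an exact boolean. Returns the button's
// resulting disabled state so the behaviour can be checked.
function applyValidationResponse(responseText, submitButton) {
  var result;
  try {
    result = JSON.parse(responseText);
  } catch (e) {
    // Tampered or malformed body (e.g. injected script text): fail closed.
    submitButton.disabled = true;
    return submitButton.disabled;
  }
  var valid = result !== null && typeof result === 'object' && result.valid === true;
  submitButton.disabled = !valid;
  return submitButton.disabled;
}

// Server side: the activation request re-validates the key itself, so an
// enabled button in a tampered page does not grant activation.
function handleActivationRequest(key, validKeys) {
  if (!validateKeyOnServer(key, validKeys)) {
    return { status: 403, body: 'invalid activation key' };
  }
  return { status: 200, body: 'activated' };
}
```

With this design, the intercepted body from the lesson (document.forms[0].SUBMIT.disabled = false;) is no longer valid JSON, so the client keeps the button disabled, and even a hand-enabled button only produces a request that the server rejects.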


Solution by Erwin Geirnaert ZION SECURITY