Description
Hi!
The section “DOM XSS JSON.parse web messages” claims the load-channel message lets you steal cookies via a javascript: URL. However, the sample creates an `<img>` and assigns `ACMEplayer.element.src = d.url`. An `<img>` never executes JavaScript, so the payload in the guide doesn’t work with this code.
Affected snippet (current guide)
```javascript
var img = document.createElement('img'), ACMEplayer = {element: img};
...
case "load-channel":
  ACMEplayer.element.src = d.url; // <img>.src — not an executing sink
```
Why it fails
JSON.parse is not a sink, and img.src = "javascript:..." (or data:) does not execute JS in modern browsers. DOM Invader won’t flag DOM-XSS here because nothing reaches an executing sink.
What the Burp lab uses (vulnerable pattern)
```html
<script>
window.addEventListener('message', function(e) {
  var iframe = document.createElement('iframe'), ACMEplayer = {element: iframe}, d;
  document.body.appendChild(iframe);
  try {
    d = JSON.parse(e.data);
  } catch(e) {
    return;
  }
  switch(d.type) {
    case "page-load":
      ACMEplayer.element.scrollIntoView();
      break;
    case "load-channel":
      ACMEplayer.element.src = d.url; // <iframe>.src — executes javascript:/data:
      break;
    case "player-height-changed":
      ACMEplayer.element.style.width = d.width + "px";
      ACMEplayer.element.style.height = d.height + "px";
      break;
  }
}, false);
</script>
```
With an <iframe> sink, the payload shown in the section is applicable and leads to DOM-XSS. With the current sink, it does not.
Request
Please either switch the example to the iframe-based version (as in the Burp lab) or clarify that the sample is not exploitable via url: "javascript:..." and therefore does not demonstrate DOM-XSS.
P.S. Because of that problem I failed the exam, because I found the same `JSON.parse(e.data)` script in the source code and tried unsuccessfully to exploit it for 2 hours.
P.P.S. Maybe I am incorrect in my message; in that case please contact me and explain how it can be exploitable.
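For readers of this issue who maintain a handler like the one above, here is an added example of what the hardened form of the `load-channel` branch looks like. It is not code from the guide or from the Burp lab: the names `ALLOWED_ORIGIN`, `ALLOWED_HOSTS`, `isAllowedChannelUrl`, `parseChannelMessage` and `handleChannelMessage` are assumptions for illustration. The point it demonstrates is the one the issue makes: `JSON.parse` is not the sink, `<iframe>.src` is, so the value must be vetted (sender origin, URL scheme, host) before it reaches that sink.

```javascript
// Added example, not from the guide or the Burp lab. ALLOWED_ORIGIN and
// ALLOWED_HOSTS are constructed sample values.
const ALLOWED_ORIGIN = "https://acme.example";          // the only sender we trust
const ALLOWED_HOSTS = new Set(["player.acme.example"]); // hosts an iframe may load

// Only https URLs to known hosts may reach <iframe>.src. javascript:, data:,
// blob: and relative strings are rejected before they ever touch the DOM.
function isAllowedChannelUrl(candidate) {
  if (typeof candidate !== "string") return false;
  let parsed;
  try {
    parsed = new URL(candidate); // throws on relative or garbage input
  } catch (_) {
    return false;
  }
  if (parsed.protocol !== "https:") return false;
  return ALLOWED_HOSTS.has(parsed.hostname);
}

// Parse the message body defensively. JSON.parse itself is harmless; the
// fields it yields are what flow into sinks, so check the shape before use.
function parseChannelMessage(raw) {
  let d;
  try {
    d = JSON.parse(raw);
  } catch (_) {
    return null;
  }
  if (d === null || typeof d !== "object" || typeof d.type !== "string") return null;
  return d;
}

// Decide what to do with one postMessage event. Returns the URL that may be
// assigned to the iframe, or null when nothing should be loaded.
function handleChannelMessage(event) {
  if (event.origin !== ALLOWED_ORIGIN) return null; // reject untrusted senders
  const d = parseChannelMessage(event.data);
  if (d === null || d.type !== "load-channel") return null;
  return isAllowedChannelUrl(d.url) ? d.url : null;
}

// Browser wiring (inert under Node): the sink only ever sees vetted values.
if (typeof window !== "undefined") {
  window.addEventListener("message", function (e) {
    const url = handleChannelMessage(e);
    if (url !== null) {
      const iframe = document.createElement("iframe");
      iframe.src = url;
      document.body.appendChild(iframe);
    }
  }, false);
}
```

The scheme check is the part that closes the hole described in this issue: `new URL("javascript:...")` parses fine, but its `protocol` is `javascript:`, not `https:`, so it is dropped before assignment. The origin check is separate and matters independently, since an allowed URL sent by an untrusted page is still an untrusted instruction.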