Friday, 21 March 2014
The worst part about DOM-based XSS, apart from its complexity, is that many learning references and guides teach developers to code in an insecure way, i.e. in a way that introduces vulnerabilities automatically. The following screenshot is taken from the jQuery learning section of w3schools. The website needs no introduction; it is one of the most commonly referenced websites for beginners learning various programming languages.
How they do it:
Here is a PayPal subdomain, financing.paypal.com, which is used in the attack.
The above shows an output with 460*80, but let's see what happens when we change it to the following code.
Here is the code to put into that domain: <svg/onload=prompt(1)>.
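A defensive sketch for the case above, added here as an example and not code from the original post or from the site it describes. It assumes the 460*80 value is a width*height size read from a client-controlled source such as the URL; the names parseSize, escapeHtml and renderSizeLabel and the MAX_DIMENSION bound are hypothetical.

```javascript
// Added example: strict handling of a "WIDTH*HEIGHT" value taken from the URL.
// Assumption: the page reads a size such as 460*80 from a client-controlled
// source and writes it into the DOM. All names here are hypothetical.

const MAX_DIMENSION = 2000; // constructed upper bound for the example

// Accept only digits*digits; anything else (markup included) is rejected.
function parseSize(raw) {
  if (typeof raw !== "string") return null;
  const m = /^([1-9][0-9]{0,3})\*([1-9][0-9]{0,3})$/.exec(raw);
  if (!m) return null;
  const width = Number(m[1]);
  const height = Number(m[2]);
  if (width > MAX_DIMENSION || height > MAX_DIMENSION) return null;
  return { width, height };
}

// Encode the five HTML-significant characters for element-content context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build the markup from validated numbers only; echo rejected input encoded.
function renderSizeLabel(raw) {
  const size = parseSize(raw);
  if (size === null) {
    return "<span class=\"error\">Invalid size: " + escapeHtml(raw) + "</span>";
  }
  return "<span class=\"size\">" + size.width + "*" + size.height + "</span>";
}

// Constructed sample inputs: the benign value and the string quoted in the post.
const samples = ["460*80", "<svg/onload=prompt(1)>"];
for (const sample of samples) {
  console.log(JSON.stringify(sample), "->", renderSizeLabel(sample));
}
```

In a browser, assigning the validated value with textContent (or jQuery's .text()) instead of innerHTML (or .html()) keeps it out of the HTML parser entirely.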