Injecting to OWASP Juice shop doesn't work

Question

I've just learned the theory behind XSS attacks and now I would like to test my knowledge in a legal way.

I wanted to "hack" OWASP Juice shop by following steps from this book section "Perform a reflected XSS attack". When I use iframe src="javascript:alert(1)"> as a XSS payload it works as expected (I get alert 1). But when I change it to <script>alert(1)</script> nothing happens, no alert is displayed.

I checked using Chrome Developer tools that payload was injected to the DOM but for some reason script was not executed. Do you have any idea why? Any idea how can I inject more sophisticated payload to OWASP Juice shop?

Where in the app did you attempt this? – securityOrange Dec 16 '18 at 04:39 — securityOrange, Dec 16 '18 at 04:39

EdOverflow · Accepted Answer · 2018-12-16T14:52:51.563

I went ahead and tried to determine what endpoint in the OWASP Juice Shop application you are injecting your payload into. Please correct me if I am wrong, but it appears that the payload is injected via the search field.

This appears to be DOM-based XSS and not reflected XSS. This is important to note since the payload is passed on to the innerHTML method:

<div *ngIf="searchValue"><span>{{"TITLE_SEARCH_RESULTS" | translate}} - 
</span> <span [innerHTML]="searchValue"></span></div>

<script>alert(1)</script> does not execute when injected via innerHTML as stated here:

script elements inserted using innerHTML do not execute when they are inserted.

Instead, I would recommend using payloads such as <iframe src=javascript:alert(1)> and <img src=x onerror=alert(1)>.

Actually, I tried to hack "Track Order" feature but @EdOverflows answer explains also its behaviour. — Paweł Adamski, Dec 16 '18 at 21:53

score 0 · Answer 2 · answered Dec 16 '18 at 04:42

0

It sounds like the browser’s XSS filter is catching the script. This is a common defense mechanism, but there are still ways around it (like loading a script from an iframe!).

I’d recommend you do some research on XSS filters and evading them in order to understand what’s going on here a bit better. OWASP’s XSS filter evasion cheat sheet is a really good place to start.

answered Dec 16 '18 at 04:42

securityOrange

913
4
12

The screenshot provided in the question indicates that Paweł Adamski is using Google Chrome. Chrome's auditor highlights payloads that it detects, so in this case it is not the auditor preventing the payload from firing. On top of that, this is DOM-based XSS and not reflected XSS, which "bypasses" the auditor by design. – EdOverflow Dec 16 '18 at 12:52
I agree with you, I think my answer is wrong. Editing to correct. Thanks Ed! – securityOrange Dec 16 '18 at 15:49

score 0 · Answer 3 · answered Dec 16 '18 at 12:35

Hymmm, I don't know how you exactly want to perform this attack but I think that you can try to inject this script in different manner. Instead of putting raw js script you can use jsfuck.com which will translate your java script into the same code but using only certain charterers like [, etc... It might help because it would not be treated by browser as js code because it will look like garbage in input but it actually will execute. I hope it will help you.

Paweł Adamski is injecting `` into HTML context. JSF*ck won't execute in HTML context. — EdOverflow, Dec 16 '18 at 12:48

Injecting alert("1") to OWASP Juice shop doesn't work

3 Answers3

Injecting to OWASP Juice shop doesn't work