The curious case of domain: Quirky XSS demystified

I think I found the answer to why domain works in some event handlers! Thanks to terjanq & @SecurityMB for helping me figure this out :)

SecurityGOAT · 4 min read · Aug 5, 2021

In my last post, I discussed a quirk (or maybe expected behaviour) of event handlers that I was not quite aware of!

So I thought I had found an interesting vector to make my XSS payloads shorter :)

You can read more on that here:

I was quite interested to know the potential reasons behind that, and it turns out there is indeed a reason for it. (At least the reason convinced me, but I am happy to discuss it further.)

Image Credits: SecurityGOAT (Yes that’s me!)

The Questions

While trying some XSS payloads, I stumbled upon a payload that used alert(domain) instead of alert(document.domain), which looked quite interesting to me. So I decided to dig into it and see why that worked.

I went through all the HTML tags from PortSwigger's XSS Cheat Sheet and checked whether I could get alert(domain) working in event handlers on those tags, and I did find a few tags for which alert(domain) worked. (I didn't take all the event handlers into consideration initially, because that would have made the combinations of tags and attributes to try far too many, and later I forgot to account for them… which was a huge mistake, of course!)

So with my limited tests on the tags with the selected event handlers, onfocus and onerror, I tried to get this to work for all the tags. But it didn't work on all of them, which made me believe that only a few tags support this, which was quite interesting. Maybe I had found some weird behaviour of HTML tags? As in: do some tags have domain bound to this? With the knowledge I had and the results I got, I thought that might be the case.

But I was not very sure and wanted to confirm it, so I asked around on Twitter and turned to Michal, Terjanq and Gareth because I knew they would have the answers, which was indeed the case :)

The Answers

Turns out I was wrong: the observation I made didn't take all the event attributes into consideration, and so the assumptions I made were wrong! But it makes me happy that I now know the correct answers, thanks to Terjanq and Michal Bentkowski!

So Michal gave a great answer, where he also explained how inline event handlers execute their code:

Brilliant insights! That made me more curious about where he found this information, so I could check out that source for more such insights. I thought it must be the HTML spec, so I looked for it but didn't find anything along these lines in the event handlers section. Maybe I am wrong and it is in the spec? (It is: the HTML spec's "getting the current value of the event handler" algorithm, in the event handler processing section, builds the scope chain of an inline handler from the global object, then the element's document, then the form owner if any, then the element itself, and it is that document scope that makes a bare domain resolve to document.domain.) Anyhow, I will read the spec to learn about more quirks in HTML!

Terjanq also helped me out and provided an answer:

The important point is:

My bet is that global handlers pass global object (which would make sense)

And it turns out he was correct, at least that's what I found in my quick tests. Happy to learn more if you have the answers. Until then, this one seems sensible to me, so I will stick with it for now :)

Btw, I didn't believe this right away just because Terjanq said so. I still verified it, and initially I thought this was wrong:

But I was missing a point, which Terjanq helped to clarify:

Turns out that some event handlers have a different meaning when specified on the body element! The onfocus, onerror, onload, onblur, onresize and onscroll attributes on body (and frameset) are event handlers of the Window object, not of the element, so their code is compiled with only the global scope, where there is no domain. On any other element, and for any other handler attribute on body such as onclick, the scope chain also includes the element's document, which is where domain comes from. That is exactly why my onfocus/onerror tests on body failed while the same payload worked on input or img.

Again, that shows how valuable the specs are! You get to know a lot of quirks from them. I think the spec is a goldmine that definitely contains a lot more answers to the questions I have, and even to questions I haven't thought of yet! So I will definitely read it.
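To see the two scope chains side by side, here is an added example of my own (not code from the post, nor from Michal's or Terjanq's replies) that compiles an inline handler attribute the way the HTML spec describes: `with` statements stack the element, its form owner and its document on top of the global scope, while the body attributes that belong to Window get no scope objects at all. The fakeDocument, the element objects and the WINDOW_REFLECTING_BODY_HANDLERS set are constructed stand-ins for the browser objects, not a real DOM, so the script runs under plain node.

```javascript
// Added example, not code from the post: a model of how the HTML spec builds
// the scope chain of an inline event handler attribute. It shows why `domain`
// resolves to document.domain in <img onerror=alert(domain)> but throws a
// ReferenceError in <body onload=alert(domain)>. Every object below is a
// constructed stand-in for the browser objects; there is no real DOM here.

// Handler attributes that, on <body> and <frameset>, belong to the Window
// object rather than the element (the spec's "Window-reflecting body element
// event handler set"). The WindowEventHandlers mixin (onhashchange, onmessage,
// onpopstate, ...) is forwarded the same way and left out here for brevity.
const WINDOW_REFLECTING_BODY_HANDLERS = new Set([
  'onblur', 'onerror', 'onfocus', 'onload', 'onresize', 'onscroll',
]);

// Constructed stand-in for the elements' owner Document.
const fakeDocument = { domain: 'example.com' };

// Compile the attribute value `source` for `element`.
// Element handlers get the chain element -> form owner -> document -> global
// (innermost first). Window handlers get only the global scope.
// Functions built by the Function constructor are sloppy-mode, so `with` is
// permitted even when this file itself runs as strict code.
function compileInlineHandler(element, attrName, source) {
  const bodyLike = element.tagName === 'body' || element.tagName === 'frameset';
  if (bodyLike && WINDOW_REFLECTING_BODY_HANDLERS.has(attrName)) {
    return new Function('event', source);
  }
  let wrapped = `with (element) { ${source} }`;
  if (element.form) wrapped = `with (form) { ${wrapped} }`;
  wrapped = `with (document) { ${wrapped} }`;
  const fn = new Function('document', 'form', 'element', 'event', wrapped);
  return (event) => fn(element.ownerDocument, element.form, element, event);
}

// Evaluate `expression` as if it were written in attribute `attrName` of
// `element`. Returns { ok: true, value } or { ok: false, error: <error name> }.
function evalInHandler(element, attrName, expression) {
  try {
    const handler = compileInlineHandler(element, attrName, `return (${expression});`);
    return { ok: true, value: handler({ type: attrName.slice(2) }) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed elements for the demo.
const img = { tagName: 'img', ownerDocument: fakeDocument };
const body = { tagName: 'body', ownerDocument: fakeDocument };
const form = { tagName: 'form', action: '/search', ownerDocument: fakeDocument };
const input = { tagName: 'input', value: 'abc', form, ownerDocument: fakeDocument };

const cases = [
  [img, 'onerror', 'domain'],   // document on the chain      -> "example.com"
  [body, 'onclick', 'domain'],  // onclick stays on the body  -> "example.com"
  [body, 'onfocus', 'domain'],  // forwarded to Window        -> ReferenceError
  [body, 'onload', 'domain'],   // forwarded to Window        -> ReferenceError
  [input, 'onfocus', 'action'], // form owner on the chain    -> "/search"
  [input, 'onfocus', 'value'],  // element itself is innermost -> "abc"
];
for (const [el, attr, expr] of cases) {
  const r = evalInHandler(el, attr, expr);
  console.log(`<${el.tagName} ${attr}="${expr}"> ->`, r.ok ? JSON.stringify(r.value) : r.error);
}
```

The same document scope is what lets other short forms such as alert(cookie) work inside element handlers, and the Window forwarding is the reason a body-based payload needs a handler like onclick, or the full document.domain, when the attribute is one of the forwarded ones. The model deliberately mirrors the spec's order, so the element's own properties shadow the form owner's, which in turn shadow the document's, exactly as they do in a browser.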

Closing Thoughts

So it turns out that my last assumption was totally wrong, and today I got to know the actual answers. Thanks to Michal and Terjanq for sharing their insights with me :)

I would like to say that if you want to understand things more deeply, the specs might be the best place to learn from (of course you should know the basics, because specs are not meant to be tutorials on the subject; at least the HTML spec is not, and neither is the GraphQL spec, which I have read in full!)

I hope this post was informative, inspired some of you to tinker with things more, and helped you learn something interesting!

In case you enjoyed it, please share it among your friends in the infosec community :)

Let me know your feedback in the comments below and feel free to connect on twitter: @_SecurityGOAT

You can also send me any interesting topics you wish to learn about over Twitter, and I will make quality posts on those topics.

Lastly, if you have been enjoying my work and would love to support me, consider checking my Patreon page or you can even Buy Me a Coffee :)

See ya!
Until next time my friend, keep learning and happy hacking.

Written by SecurityGOAT

Wannabe Hacker! Teaching Infosec in my own insightful ways :) Twitter: twitter.com/_SecurityGOAT | Support: buymeacoffee.com/SecurityGOAT
