There’s no denying the role that JavaScript has played in making web applications the sleek, interactive, online experiences that we know and love today. This powerful scripting language brought interactivity and animation to the web. But with great power comes great responsibility. Cross-site scripting (XSS) remains a persistent stalwart among the OWASP Top 10. Malicious JavaScript code hidden in the DOM is all it takes to compromise a user’s data and evade conventional, server-side-centred cross-site scripting (XSS) scanning techniques.
What is DOM-based XSS?
The Document Object Model (DOM) lets web developers dictate, through HTML source code, how a user’s web browser should display a web page. DOM-based XSS attacks attempt to exploit the DOM in a simple two-step process:
- Create a Source: Inject a malicious script into a property found to be susceptible to DOM-based XSS attacks. Common injection vectors include the document.URL, document.location, and document.referrer objects.
- Exploit the Sink: A sink is the point in the data flow where the browser will execute the malicious JavaScript code hidden in the DOM. Common sinks include document.write, setTimeout, and setInterval.
For a typical example of how a DOM-based XSS attack is executed, we suggest reading DOM XSS: An Explanation of DOM-based Cross-Site Scripting.
DOM-based Cross-site Scripting
DOM-based Cross-site Scripting (from now on called DOM XSS) is a very particular variant of the Cross-site Scripting family and, in web application development, is more often than not considered the amalgamation of the following:
- The Document Object Model (DOM) – Acting as a standard way to represent HTML objects (i.e. <div></div>) in a hierarchical manner.
- Cross-site Scripting (XSS) – A specific Web Application vulnerability.
DOM XSS uses the DOM to exploit XSS by relying on the insecure handling of user input on a static or dynamic HTML page. This is particularly common when applications leverage common JavaScript function calls such as:
document.baseURI
to build some part of the page without sanitizing the return value. That said, the purpose of this article isn’t to explain DOM XSS fully, but rather how to defend against it.
Example
On one of our Test HTML5 applications there is a DOM XSS vulnerability that can be exploited via the following payload:
http://testhtml5.vulnweb.com/#/redir?url=javascript:alert("DOM XSS on: " + document.domain)
This would look something like the following image – an informational message with a simple alert. Note how the payload is carried in the GET request, making it suitable for Social Engineering attacks.

The above is quite trivial but is an easy way to prove our point. The payload is embedded in the URI and so can easily be made part of a phishing campaign. The payload can be manipulated to deface the target application using a prompt stating, “Your session has expired. Please insert your password to refresh your session”. A simple yet effective way to harvest passwords.

If we dig deeper, we find out that the #redir route is being executed by another file, called redir.html, found here. If you view the source of the page, the gist of the code is as follows:
<script>
var redirUrl = decodeURIComponent(window.location.hash.slice(window.location.hash.indexOf("?url=")+5));
if (redirUrl) window.location = redirUrl;
</script>
Essentially, we are exploiting the window.location.hash source, which is evaluated in an HTML Element Sink.
Remediation
Detecting DOM XSS is hard using purely server-side detection (i.e. inspecting HTTP requests), which is why providers like Acunetix leverage DeepScan to do it. These payloads are never sent to the server because they sit behind an HTML fragment (everything after the # symbol).
As a result, the root issue is in the code (i.e. JavaScript) that is in the page. This means that you should always sanitize user input, irrespective of whether or not it is handled client-side.
If you have to use user input at any point on your page, always use it in the context of literal “text” and never as potential code. Avoid methods such as:
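As an added example, not code from the test application or from Acunetix, here is a hardened replacement for the redir.html snippet above: the `url` parameter is parsed with the URL API and only http(s) targets on the site’s own origin are followed. APP_ORIGIN and the sample fragments are assumed, constructed values.

```javascript
// Added example: hardened replacement for the vulnerable redir.html logic.
// APP_ORIGIN is an assumed stand-in for the deployed site's real origin.
const APP_ORIGIN = "https://app.example";
const SAFE_PROTOCOLS = new Set(["http:", "https:"]);

// Pull the `url` parameter out of a fragment such as "#/redir?url=/account".
// Returns null when the fragment has no query string or no url parameter,
// instead of redirecting to an arbitrary slice of the hash.
function extractRedirTarget(hash) {
  const queryStart = hash.indexOf("?");
  if (queryStart === -1) return null;
  return new URLSearchParams(hash.slice(queryStart + 1)).get("url");
}

// Resolve the candidate against the app origin and return the absolute URL if
// it is safe to navigate to, otherwise null. The URL parser strips leading
// whitespace and lower-cases the scheme, so " javascript:" and "JAVASCRIPT:"
// fail the protocol check; "//evil.example/..." fails the origin check.
function safeRedirectUrl(candidate, origin = APP_ORIGIN) {
  if (typeof candidate !== "string" || candidate === "") return null;
  let url;
  try {
    url = new URL(candidate, origin); // relative paths resolve against origin
  } catch (e) {
    return null; // unparsable input is never a valid redirect target
  }
  if (!SAFE_PROTOCOLS.has(url.protocol)) return null;
  if (url.origin !== new URL(origin).origin) return null;
  return url.href;
}

// Drop-in for `if (redirUrl) window.location = redirUrl;`: navigate only to a
// validated target and fall back to the site root otherwise. Returns whether
// the requested target was honoured, which is useful for logging rejections.
function handleRedirect(hash, navigate, origin = APP_ORIGIN) {
  const target = safeRedirectUrl(extractRedirTarget(hash), origin);
  navigate(target || new URL("/", origin).href);
  return target !== null;
}

// Constructed sample fragments: the article's payload, an encoded and a
// protocol-relative variant that must also be rejected, and a legitimate path.
const SAMPLES = [
  '#/redir?url=javascript:alert("DOM XSS on: " + document.domain)',
  "#/redir?url=%20javascript:alert(1)",
  "#/redir?url=//evil.example/login",
  "#/redir?url=/account",
];

for (const h of SAMPLES) console.log(h, "->", safeRedirectUrl(extractRedirTarget(h)));
```

In the browser the last line would be replaced by `handleRedirect(window.location.hash, (u) => { window.location = u; })`.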
document.innerHTML
and instead use safer properties when handling user input, like so:
document.innerText
document.textContent
This will treat the previous payload we showed as just text and nothing else. Additionally, avoid using user input exclusively, especially in places that can affect:
The above three properties may manipulate the DOM, hence leading to such vulnerabilities. Keep in mind that DOM XSS and XSS are not mutually exclusive, meaning that your application can most definitely be vulnerable to both XSS and DOM XSS, even though XSS is usually found in dynamic pages and DOM XSS in static ones. The good news is that if user input is handled properly at a foundational level (e.g. in your framework), then you should be able to mitigate all XSS-based vulnerabilities.
For a great cheat sheet on how to prevent DOM XSS entirely, I would highly recommend going over the OWASP DOM based XSS Prevention Cheat Sheet.
Conclusion
Lastly, leveraging a Web Application Scanner such as DeepScan by Acunetix will greatly increase both the speed and accuracy with which developers and security professionals can detect vulnerabilities like DOM XSS, and thousands more, and fix them.
