Intro to DOM-Based XSS Vulnerabilities
I’m sure if you are here you have heard of Cross Site Scripting, or as we love to abbreviate it, XSS. There are different types of course, but today I want to go into a specific one that is not often touched upon: the DOM-based Cross Site Scripting vulnerability.
Let's first go over what the DOM is. The abbreviation DOM stands for Document Object Model. It is the way a browser represents and works with the objects in an HTML document. When a script is executed, the server never sees what it does, so server-side protections against this vulnerability do not apply. The attack happens only at execution time in the browser, so Web Application Firewalls, server-side protections, and generic framework protections will not stop it. The browser provides the script with the DOM of the HTML page, and wherever that script runs it can access the various functions and properties of the page.
This sort of Cross Site Scripting relies on inappropriate handling of data within the page's Document Object Model. Among the objects in the DOM there are a number of functions and properties that an attacker can alter or influence so that they do something other than what the page's script was originally designed to do.
Let’s imagine you have this web page and the URL is:
Then you view the source and the website contains the following code:
document.write("Current URL : " + document.baseURI);
If you were to send an HTTP request to the page in this format:
A cool feature is that even if you look at the source code of the page you will not see the:
The part where this gets interesting is that you can execute said malicious code on the page and use it to steal a user's cookies and/or change the page's behavior as you like.
I will do a brief demonstration below using Damn Vulnerable Web App (DVWA).
Let’s get started:
Below is the DOM based XSS section of the DVWA (Damn Vulnerable Web App).
Let's first view the source of the page to see whether any controls are in place to sanitize the user input or items entered into the URL:
Another common way to bypass this sort of control is to use what is called the "body onload=" event handler. You can insert the malicious script in the URL and send the link to the victim. You'll need to use the select and block options to inject the body onload handler, or use an image tag.
We are now going to add an option select body onload script to the end of the URL:
Once we have this, we simply hit enter to load the page and script we have placed in the address bar to see the results.
You now have a nice kind message with my name on it! 😉
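The two sinks this post walks through, the document.write("Current URL : " + document.baseURI) line earlier and the language select populated from the URL in the DVWA demo, are modelled below as an added example. This is not DVWA's code or the post's own code: the page URL is passed in as a string so it runs in Node without a browser, the document.write sink is simulated by returning the HTML string the real sink would receive, and the ALLOWED_LANGS list is a hypothetical allowlist. Each sink is shown beside a hardened version, and serverVisibleUrl shows why a payload in the fragment never reaches the server.

```javascript
// Added example (not DVWA's or the post's code). Models the DOM XSS sinks
// discussed above beside their hardened versions. Runs under Node; the page
// URL is passed in as a string instead of read from document.baseURI.

// Minimal HTML escaping for text placed inside an element's content.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Sink 1 (vulnerable): mirrors document.write("Current URL : " + document.baseURI).
// Any markup present in the URL is handed to the HTML parser verbatim.
function renderCurrentUrlUnsafe(baseURI) {
  return 'Current URL : ' + baseURI;
}

// Sink 1 (hardened): encode before the value enters an HTML context. In a real
// page, prefer element.textContent = value, which performs no HTML parsing at all.
function renderCurrentUrlSafe(baseURI) {
  return 'Current URL : ' + escapeHtml(baseURI);
}

// The fragment (everything after '#') is never sent in the HTTP request, so a
// server-side filter or WAF only ever sees the URL with the fragment removed.
function serverVisibleUrl(urlString) {
  const u = new URL(urlString);
  u.hash = '';
  return u.href;
}

// Sink 2: a language <select> populated from a `default` query parameter, the
// pattern exercised in the DVWA demo. ALLOWED_LANGS is a hypothetical allowlist.
const ALLOWED_LANGS = ['English', 'French', 'Spanish', 'German'];

// Vulnerable: the parameter value is concatenated straight into markup.
function languageOptionUnsafe(urlString) {
  const lang = new URL(urlString).searchParams.get('default') || 'English';
  return "<option value='" + lang + "'>" + lang + "</option>";
}

// Hardened: only allowlisted values are rendered, anything else falls back to
// the default, and the value is still escaped on the way into the markup.
function languageOptionSafe(urlString) {
  const requested = new URL(urlString).searchParams.get('default');
  const lang = ALLOWED_LANGS.includes(requested) ? requested : 'English';
  return "<option value='" + escapeHtml(lang) + "'>" + escapeHtml(lang) + "</option>";
}

// Constructed demo input: harmless bold markup in the query string and fragment.
const demoUrl = 'https://example.test/page?default=<b>x</b>#<b>frag</b>';
console.log(renderCurrentUrlUnsafe(demoUrl));
console.log(renderCurrentUrlSafe(demoUrl));
console.log(serverVisibleUrl(demoUrl));
console.log(languageOptionUnsafe(demoUrl));
console.log(languageOptionSafe(demoUrl));
```

The allowlist is the stronger of the two defenses for the select case: the parameter can only ever select one of a fixed set of strings, so the question of how to encode an arbitrary value never arises. Escaping remains the right tool where the value genuinely has to be free text, as with the current-URL display.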
This is only a very brief introduction to DOM based XSS attacks.
I will go into how you can help prevent this in a later post.
(Never do this on a machine or website in which you do not have permission to execute this sort of action!)
DVWA URL: http://www.dvwa.co.uk/
(DVWA is a great learning tool for learning web application vulnerabilities.)