Intro to DOM-Based XSS Vulnerabilities

No comments
I’m sure if you are here you have heard of Cross Site Scripting, or as we love to abbreviate it, XSS. There are different types of course, but today I want to go into a specific one that is not often touched upon: the DOM-based Cross Site Scripting vulnerability.
Lets first go over what a DOM is. The abbreviation DOM stands for Document Object Model. It’s a way to represent and work with object in an HTML document. When a script gets executed, It is not viewed by the server and there are no protections against this vulnerability. This is ran only at execution time so Web Application Firewalls, Server-side protections, and generic framework protections will not stop this attack. The browser will provide the code with the DOM of the HTML page and where that script runs this allows it to access various functions and properties of the page.
This sort of Cross Site Scripting relies on inappropriate handling, which is all happening within the HTML data associated from its Document Object Model. Out of all of these objects in the DOM, there are a few different functions that an attacker can alter and command to do something other than what the function was originally designed to do.
Let’s imagine you have this web page and the URL is:
Then you view the source and the website contains the following code:
document.write(“Current URL : ” + document.baseURI);
If you were to send an HTTP request to the page in this format:
Surely enough your JavaScript code would get executed. The reason is because the page is writing whatever you typed in the URL to the page with the document.write function.
A cool feature is even if you look at the source code of the page you will not see the:
alert(1)
because it’s all happening in the DOM by executing the JavaScript code.
The part where this gets interesting, is that you can execute said malicious code on the page and use it to steal the cookies of a user and/or change the page’s behavior as you like.
I will do a brief demonstration below using Damn Vulnerable Web App (DVWA).
Let’s get started:
Below is the DOM based XSS section of the DVWA (Damn Vulnerable Web App).
1
Let’s first view the source of the page to see if any controls are put in place to sanitize the user input or items entered into the URL:
2
So, by looking at this source code, the web developer has tried to introduce a ‘simple pattern’ which will remove any references to the term <”script”. These measures are typically put in place to disable execution of JavaScript for the location of ?default=English” by adding in a tag.
Essentially, this developer is making a setting so that JavaScript code can not be executed by invoking the alert(“hello”) function.  In order to execute the malicious script, we will have to find another way.
Another common way to bypass this sort of control is to use what is called the “body onload=” function. You can insert the malicious script in the URL and send the link to the victim. You’ll need to use the select and block options to inject the body onload function or using an image tag.
We are now going to add an option select body onload script to the end of the URL:
3
Once we have this, we simply hit enter to load the page and script we have placed in the address bar to see the results.
4
You now have a nice kind message with my name on it! 😉
This is only a very brief introduction to DOM based XSS attacks.
I will go into how you can help prevent this in a later post.
(Never do this on a machine or website in which you do not have permission to execute this sort of action!)
(DVWA is a great learning tool for learning web application vulnerabilities.)
 
Wanna Chat? Add me on Twitter and LinkedIn
Veteran? Join our Slack

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s