What is DOM Based Cross-Site Scripting? When an application uses javascript which accepts data from unknown or un-sanitized sources like GET url and sinks this data to generate dynamic HTML using javascript function like document.write() to inject the malicious script to the HTML, DOM based XSS arises. When the attacker is able to inject HTML or JavaScript code via input and client or server is not able to encode it or validate it, injected code is executed by the browser. This will lead to information disclosure to an attacker which causes serious impact like account takeover of a victim.Example:
What is DOM Based Cross-Site Scripting?
When an application uses javascript which accepts data from unknown or un-sanitized sources like GET url and sinks this data to generate dynamic HTML using javascript function like document.write() to inject the malicious script to the HTML, DOM based XSS arises.
When the attacker is able to inject HTML or JavaScript code via input and client or server is not able to encode it or validate it, injected code is executed by the browser. This will lead to information disclosure to an attacker which causes serious impact like account takeover of a victim.
Example:
Suppose an application is having a feature of searching the products from the product name via following URL
Suppose an application is having a feature of searching the products from the product name via following URL
https://www.mystore.com/search?searchtext=book
https://www.mystore.com/search?searchtext=book
If the parameter searchtext is reflected anywhere in HTML, there is a possibility of an XSS. Let's assume searchtext parameter is reflected like:
If the parameter searchtext is reflected anywhere in HTML, there is a possibility of an XSS. Let's assume searchtext parameter is reflected like:
<p>
Search Results for the
<a id ="searchtext">
</a>
</p>
<script>
document.querySelector('searchtext').innerHTML = location.search.substring(3);
<script>
<p>
Search Results for the
<a id ="searchtext">
</a>
</p>
<script>
document.querySelector('searchtext').innerHTML = location.search.substring(3);
<script>
Search Results for the
<a id ="searchtext">
</a>
</p>
<script>
document.querySelector('searchtext').innerHTML = location.search.substring(3);
<script>
If XSS prevention is not applied to the searchtext parameter, an attacker can exploit it to generate a DOM based XSS. An Attacker can provide the following payload to the search text parameter.
If XSS prevention is not applied to the searchtext parameter, an attacker can exploit it to generate a DOM based XSS. An Attacker can provide the following payload to the search text parameter.
https://www.mystore.com/search?searchtext=book<script>exploit_script();</script>
https://www.mystore.com/search?searchtext=book<script>exploit_script();</script>
When the above payload is used by the javascript and injected to the HTML dynamically, code would be look like:
When the above payload is used by the javascript and injected to the HTML dynamically, code would be look like:
<p> Search Results for the <a id ="searchtext"> book<script>exploit_script();</script> </a>
</p>
<p>
Search Results for the
<a id ="searchtext">
book<script>exploit_script();</script>
</a>
</p>
As we can see malicious code is injected in the source code and it will be executed by the browser.
As we can see malicious code is injected in the source code and it will be executed by the browser.
functions to look for:
functions to look for:
document.write()
document.writeln()
document.domain
someDOMElement.innerHTML
someDOMElement.outerHTML
someDOMElement.insertAdjacentHTML
someDOMElement.onevent
document.write()
document.writeln()
document.domain
someDOMElement.innerHTML
someDOMElement.outerHTML
someDOMElement.insertAdjacentHTML
someDOMElement.onevent
document.writeln()
document.domain
someDOMElement.innerHTML
someDOMElement.outerHTML
someDOMElement.insertAdjacentHTML
someDOMElement.onevent
jQuery functions to look for:
jQuery functions to look for:
add()
after()
append()
animate()
insertAfter()
insertBefore()
before()
html()
prepend()
replaceAll()
replaceWith()
wrap()
wrapInner()
wrapAll()
has()
constructor()
init()
index()
jQuery.parseHTML()
$.parseHTML()
add()
after()
append()
animate()
insertAfter()
insertBefore()
before()
html()
prepend()
replaceAll()
replaceWith()
wrap()
wrapInner()
wrapAll()
has()
constructor()
init()
index()
jQuery.parseHTML()
$.parseHTML()
after()
append()
animate()
insertAfter()
insertBefore()
before()
html()
prepend()
replaceAll()
replaceWith()
wrap()
wrapInner()
wrapAll()
has()
constructor()
init()
index()
jQuery.parseHTML()
$.parseHTML()
Reference:
Reference:
0 Comments