DOM Based XSS
Hello Folks!
This is my 30th blog on web application security penetration testing. In this blog I will explain about DOM Based Cross Site Scripting.
In my last blog, I have explained about Stored Cross Site Scripting. Hope everyone liked it. If you haven’t read it yet please follow along.
What is DOM Based Cross Site Scripting?
When user supplied input is appended into DOM(Document Object Model) without proper input sanitization and encoding then application is vulnerable to DOM XSS.
Can we see alert() prompt in DOM XSS?
Yes we can if input is appending into DOM also be a part of Query string Parameter OR it is executing in DOM body.
How to Test DOM XSS?
1. Notice all input values, How are they gets read by DOM(Document Object Model) and gets processed.
2. Check for local storage key values, whether this key value accept malicious payload and on next visit after inject payload whether it is getting executed or not?
3. Below are the best targets vulnerable to DOM XSS. If any of the below given property or attribute value is taking user supplied input and appending it to DOM and executing it without validation then it is vulnerable to DOM XSS.
· document.URL
· document.baseURI
· document.write()
· document.writeln()
· document.referrer
· location.href
· location.search
· location.*
· window.name
· SomeDOMelement.innerHTML
· SomeDOMelement.outerHTML
Popular Sinks
- HTML Modification sinks
- document.write
- (element).innerHTML
- HTML modification to behaviour change
- (element).src (in certain elements)
- Execution Related sinks
- eval
- Document.GetElementByID()
- Document.GetElementByName()
Mental Notes:
- I have created simple JavaScript File and name it as Testxss.js. This file has logic written which takes user supplied input and without proper validation and sanitization it appends that parameter to the <div> element which has “id:message”.
- I have also created one HTML file name it as Index.html. This file calls Testxss.js file upon loaded to execute logic written in it and displayed output on webpage.
Below is the step by step POC which explains DOM XSS:
- Below is the code written in Index.html File.
2. This is how designer looks like for Index.html File.
3. Below is the code written inside JavaScript file Testxss.js.
4. When user supplied Blank Name into the Textbox, below message gets triggered from JS file.
5. When user supplied any random Name into the Textbox, that Name gets displayed onto the webpage.
6. Let’s run the localhost application into debugging mode to understand the logic written in JS file. I have passed below malicious payload which goes as a input to Name variable of the Testxss.js File
Payload Used: <img src=x onerror=alert(document.domain) >
As shown in below screen, malicious payload is assigned to the Name variable which is declared inside Testxss JS file.
7. After that in next line when string validation is passed as user supplied “Name is not empty” then else part of the application will gets executed and value of Name variable is assigned to innerHTML property of the <div> element which has “Id:message”
8. Upon loading on web browser notice our DOM XSS Payload is executed successfully. On the Left panel you can see, <img> tag is binded to <div> element and rendered as a part of it.
Some of my readers might think that “Is it really a DOM XSS or Reflected XSS? as URL of the browser has Name Query String Parameter which also renders malicious payload”
Answer is, “It is not a reflected XSS but it is a DOM based XSS” because If you remembered we have referenced our JavaScript file into Index.html file which takes user supplied input from Textbox and bind it to innerHTML property of the <div> element.
I hope everyone would like this blog. If you have any doubt about DOM XSS, Please drop a comment and I will try to reply with correct answer. In my next blog I will explain about Blind XSS.
Please do like and follow for more reads!
Thank!
