A Practical Guide to DOM Based XSS | Lucideus Research

DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.

This is in contrast to other XSS attacks (stored or reflected), wherein the attack payload is placed in the response page (due to a server side flaw).[1]

                                                                                 VIDEO POC


                                                    Protection from DOM Based XSS

HTML Escape then JavaScript Escape Before Inserting Untrusted Data into HTML Subcontext within the Execution Context

Example Dangerous HTML Methods

Attributes
 element.innerHTML = "<HTML> Tags and markup";
 element.outerHTML = "<HTML> Tags and markup";

Methods
 document.write("<HTML> Tags and markup");
 document.writeln("<HTML> Tags and markup");

Guideline
To make dynamic updates to HTML in the DOM safe, OWASP recommend
a) HTML encoding, and then
b) JavaScript encoding all untrusted input, as shown in these examples:

 element.innerHTML = "<%=Encoder.encodeForJS(Encoder.encodeForHTML(untrustedData))%>";
 element.outerHTML = "<%=Encoder.encodeForJS(Encoder.encodeForHTML(untrustedData))%>";

document.write("<%=Encoder.encodeForJS(Encoder.encodeForHTML(untrustedData))%>");
document.writeln("<%=Encoder.encodeForJS(Encoder.encodeForHTML(untrustedData))%>");

Here we are sharing one example for protection against DOM based XSS for detailed reference please refer OWASP DOM Based XSS Cheat List Sheet

Post a Comment

0 Comments