Skip to main content

DOM Based XSS



DOM Based XSS


DOM 
When  a web page is loaded, browser creates a Document Object Model. It is a platform and language-neutral interface that allows scripts to dynamically access and update the content, structure, and style of a document.
cc12be21-f1d4-41df-9273-43df953e87b3png

DOM-Based XSS : It is a Cross-Site-Scripting attack wherein the attack payload is executed as a result of modifying DOM environment in the victim’s browser used by itself.
The important thing to consider here that the HTTP response does not change but the client side code in the page behaves differently because of the malicious code injected by the attacker.
Note: DOM XSS can be executed in Chrome, therefore if you would like to repeat the steps mentioned below, it is recommended to use chrome browser. Firefox has an inbuilt protection against DOM-Based XSS therefore DOM attacks might not work in Firefox.

Few Findings in Wild
Target : Outbrain.com
Global Rank : 81
Rank in US: 55
If you open www.outbrain.com and go to their privacy policy, you might notice they have several links  under the Quick guide to contents.
cc12be21-f1d4-41df-9273-43df95png 
If you copy the link location of any of those links, the URL might look like as follows:
http://www.outbrain.com/legal/privacy#information_we_collect_automatically which involves an anchor tag that gives us a potential to test if it is vulnerable to DOM Based XSS by just sending a malicious Javascript after the anchor tag as follows:
  and the result will be as follows:
  2016-02-1613_52_08-privacypolicy_outbrain-epicpng

Now the question arise, why it has happened?
If you check the source code at the client side, you might notice that it is using a java script called http://www.outbrain.com/assets/javascripts/site.min.js?v=818dda9e6d42582ad7c0d8b80332b1b1
Open it into a new tab and search for "document.location.hash", you will find following code which is actually the root cause in this case which leads to DOM based XSS
if(document.location.hash){var a=$('[anchor="'+document.location.hash.substring(1)+'"]'

Another example
Target : http://recode.net/
One of the leading tech news site
If you open the URL, you will notice the “Follow” section at the bottom of the page and there if you move your cursor over to “RSS”, you might notice that it is using an anchor tag that will give us a potential to execute or test DOM XSS. The URL would look like as following:
http://recode.net/follow-us/#rss Now in order to execute a DOM based XSS just insert your malicious code after the anchor tag as follow:
 screenshot2016-03-12at113313png  and the result will be as following:
91d590c1-d73f-40ba-a767-b966859a2f60png 

Root Cause :
Chrome provides a very useful feature where we can debug an application from the client side which might help us to identify the root cause of the DOM or even identifying a DOM based XSS. Open Chorome Console and open following URL
screenshot2016-03-12at113313png, now the chrome console will automatically give you this warning:
pastedimage0png
For further details, click onto the link mentioned in Chrome Console, it will further redirect you to the exact malicious code which is responsible for DOM XSS. If you really want to make sure whether this is the only code which is malicious or causing a DOM XSS then you can use the debug option available in Chrome. Set a breakpoint where you feel the vulnerable code lies, and check the value of any parameter by using the command console.log(); , Here we are trying to check the value of "h", whether it is the real culprit for this XSS or not.
pastedimage01png
One you refresh the page using the same URL, you will notice in the console log that the value of h contains your malicious code which is trigerring the DOM XSS. You will notice that the parameter ‘h’ contains the value of your malicious code.
pastedimage02png
In this case , they are using old jquery packge which is vulnerable to DOM based XSS:
/*! jQuery v2.0.3 | (c) 2005, 2013 jQuery Foundation, Inc. | jquery.org/license
//@ sourceMappingURL=jquery-2.0.3.min.map

Another example:
Global Rank: 135
Rank in USA: 37
screenshot2016-03-12at121356png
screenshot2016-03-12at121733png

An important phenomena that has happened here, if you look at the screen shot, you might notice in the URL that the site has removed all the malicious characters from the URL
www.huffingtonpost.de/big-news/#imgsrc=xonerror=prompt1
But the XSS payload has been already executed before the application replaces the malicious characters. It would have been better to check the malicious characters before the payload executes but here developers have made a little mistake.

There are tons of applications that are vulnerable to DOM-Based XSS and it's quite an easy task for attackers to find out if an application is vulnerable to DOM based XSS and of course it's not very difficult to exploit the found vulnerability.
The root cause of DOM based XSS is the JavaScripts APIs that are vulnerable to DOM based XSS. Since deveopers uses the third party APIs very frequently because of various functionalities. But very often they forget to check whether it has some security loopholes or not because they just only focus on the functionalities. It is highly recommended to the developers whenever they try to use  a third party APIs, they should test and verify first whether it has some kind of bug or not. Moreovere keep an eye on available patches.



Comments

Popular posts from this blog

Splunk - Drop Down Management Dashboard for Attacks

Scenario: You might have many security devices as input resource and many of them have standard apps already designed for Splunk(Also available for free) but even then in some cases you would like to create your own Dashboards based on your own requirements especially when you would like to report to the management customers and so on. Here I will explain a Web Application Firewall as an input resource where we might have multiple services registered into WAF and in Splunk you would like to create a dashboard for management based on a drop down menu for different services.
To start with, we will use the same lookup that we have created in my previous blog. First you need to know what you would like to present in a dashboard. In my case, I am taking a simple scenario that I would like to present the number of attacks from a country that is happening to any particular service in a given period of time. It would also present some additional details like as follows: Time Source IP Country Act…

Why not a GDPR for India?

Why not a GDPR for India?
After the recent scandal from Cambridge Analytica, millions of people are concerned over the privacy of their data and so are the Indians. India, one of the biggest markets of Facebook is most exciting market for such companies to test their concepts on artificial intelligence and machine learning. Cheap internet, wide adoption of smartphones and a huge young population totally unaware of the consequences of using the unsafe internet has set the internet product companies to exploit high-value Intel and data generated from India in a much easier way. I will start today with where does India stand in the world of “world wide web or internet” usage. Below are some figures on the number of internet user in millions globally.


Number of Internet users in millions
As the data shows, India stands second in terms of the number of Internet users and it’s increasing at a very rapid rate. Though I must mention that at the moment, India has one of the lowest internet penetr…