
DOM Based XSS





DOM
When a web page is loaded, the browser builds a Document Object Model (DOM) from it. The DOM is a platform- and language-neutral interface that lets scripts dynamically read and update the content, structure and style of the document, and it is exactly this ability to rewrite the page from script that DOM-based XSS abuses.

DOM-Based XSS: a cross-site scripting attack in which the payload executes because the page's own client-side script modifies the DOM environment in the victim's browser using attacker-controlled data, so that the client-side code runs in an unexpected way.
The important point is that the HTTP response from the server does not change at all. The vulnerability lies in the JavaScript already delivered with the page, which reads data from a source the attacker controls (in the examples below, the URL fragment after `#`) and writes it into a sink that interprets it as HTML or code. Because the fragment is never sent to the server, server-side filtering and most WAFs never see the payload.
Note: the examples below were reproduced in Chrome, so use Chrome if you want to repeat them. This is not because Firefox has a built-in DOM XSS protection (it does not); the browsers differ in how they expose the fragment through `location.hash`. Firefox percent-encodes characters such as `<` and `>` in the fragment, whereas Chrome returned them as typed, so in Chrome the payload reaches the vulnerable code intact.

A few findings in the wild
Target : Outbrain.com
Global Rank : 81
Rank in US: 55
If you open www.outbrain.com and go to their privacy policy, you might notice they have several links  under the Quick guide to contents.
If you copy the link location of one of those links, the URL looks like this:
http://www.outbrain.com/legal/privacy#information_we_collect_automatically
The part after `#` is a URL fragment. Fragments are never sent to the server, but the page's own JavaScript can read them, so a fragment is a natural place to test for DOM-based XSS: replace the anchor name with a JavaScript payload (for example an element carrying an `onerror` handler) and, if the page uses the fragment unsafely, the payload executes in the page, as it did here.

Now the question arises: why did this happen?
If you look at the client-side source, you will notice that the page loads a script called http://www.outbrain.com/assets/javascripts/site.min.js?v=818dda9e6d42582ad7c0d8b80332b1b1
Open it in a new tab and search for "document.location.hash"; you will find the following code, which is the root cause of the DOM-based XSS in this case:
if(document.location.hash){var a=$('[anchor="'+document.location.hash.substring(1)+'"]'
The value after `#` is taken straight from the URL, without any validation, and concatenated into a string that is passed to jQuery's `$()`. `$()` inspects the string to decide whether it is a selector or an HTML fragment, and if it looks like markup it hands it to the HTML parser, so an `<img onerror=...>` inside the fragment is created as a real element and its handler runs. The fragment is the source, `$()` is the sink, and nothing in between checks the data.
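To make the sink concrete, here is an added example, not code from outbrain.com or from the jQuery project, that reproduces jQuery's own "HTML or selector?" decision for two jQuery generations and shows what a hardened version of the snippet above looks like. The two regular expressions are copied from jQuery (1.6.3 through 1.8.x, and 1.9 and later); the function names, the `[anchor="..."]` wrapping reconstructed from the snippet, and the sample fragments are ours.

```javascript
// Added example: why the snippet above is a sink, and a safe replacement.
// jQuery's own checks for deciding whether $(str) parses str as HTML.

// jQuery 1.6.3 through 1.8.x: a string is HTML if a <tag> appears anywhere
// after a prefix that contains neither '#' nor '<'.
const rquickExprOld = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;
// jQuery 1.9 and later (2.0.3 included): the string must begin with '<'.
const rquickExprNew = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/;

// Would $(str) hand str to the HTML parser (true) or to the selector engine (false)?
function treatedAsHtml(str, rquickExpr) {
  if (typeof str !== 'string') return false;
  // 1.9+ short-circuits "<...>" without consulting the regex at all
  if (rquickExpr === rquickExprNew && str.length >= 3 &&
      str.charAt(0) === '<' && str.charAt(str.length - 1) === '>') {
    return true;
  }
  const match = rquickExpr.exec(str);
  return Boolean(match && match[1]);
}

// The pattern from site.min.js: the raw fragment is spliced into a selector string.
function buildAnchorSelector(hash) {
  return '[anchor="' + hash.substring(1) + '"]';
}

// Hardened version (our suggestion): the page only ever links to anchors named
// with identifier characters, so allow-list exactly that and refuse anything
// else. The result is safe to pass to $() or querySelector() because no markup
// can survive the check.
function safeAnchorSelector(hash) {
  const name = hash.charAt(0) === '#' ? hash.substring(1) : hash;
  if (!/^[\w-]{1,64}$/.test(name)) return null;
  return '[anchor="' + name + '"]';
}

// Constructed sample fragments: the real anchor from the privacy page, and a payload.
const benignHash = '#information_we_collect_automatically';
const payloadHash = '#<img src=x onerror=alert(1)>';

// Summarise how one fragment is treated by the vulnerable and the hardened code.
function classify(hash) {
  const vulnerableSelector = buildAnchorSelector(hash);
  return {
    vulnerableSelector,
    htmlInOldJquery: treatedAsHtml(vulnerableSelector, rquickExprOld),
    htmlInNewJquery: treatedAsHtml(vulnerableSelector, rquickExprNew),
    // Some sites pass hash.substring(1) to $() with no selector around it; for
    // the payload that string begins with '<', which every jQuery release parses
    // as HTML.
    htmlIfPassedDirectly: treatedAsHtml(hash.substring(1), rquickExprNew),
    hardened: safeAnchorSelector(hash),
  };
}
```

Calling `classify(payloadHash)` shows that the `[anchor="..."]` string is parsed as HTML by the pre-1.9 check but not by the 1.9+ check (a 1.9+ jQuery throws a selector syntax error for that particular wrapping instead), while the bare fragment is HTML in every release. The hardened function returns `null` for the payload and the expected selector for the real anchor, so the lookup never sees markup.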

Another example
Target : http://recode.net/
One of the leading tech news sites.
If you open the site, you will notice a "Follow" section at the bottom of the page; hover over "RSS" and you will see that the link uses a fragment, which again gives us something to test for DOM-based XSS. The URL looks like this:
http://recode.net/follow-us/#rss
To trigger the DOM-based XSS, put the payload after the `#` exactly as in the Outbrain case; the script executes as soon as the page loads.

Root Cause :
Chrome's developer tools let you debug the application on the client side, which helps both to find a DOM-based XSS and to identify its root cause. Open the Chrome console and load the payload URL from above; the console immediately shows a warning that links to the script involved.
Click the link in the console and Chrome takes you to the exact code responsible for the DOM XSS. If you want to be sure that this is really the code that triggers the XSS, or the only code involved, use the debugger: set a breakpoint where you suspect the vulnerable statement lies and inspect the values of the variables there, for example with console.log(). Here we are checking the value of h to see whether it is the real culprit for this XSS.
Once you reload the page with the same URL, the breakpoint is hit and the console log shows that the value of h is your payload, which is what triggers the DOM XSS.
In this case the site uses an old jQuery build (2.0.3) and the tainted value in h flows into it; `$()` parses a string that begins with `<` as HTML, so jQuery is the sink here:
/*! jQuery v2.0.3 | (c) 2005, 2013 jQuery Foundation, Inc. | jquery.org/license
//@ sourceMappingURL=jquery-2.0.3.min.map
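The breakpoint-and-console.log procedure above can be automated: hook the setters of the DOM sinks so that any write containing a marker you placed in the URL records a stack trace pointing at the code that fed the sink. The following is an added example written for this post, not code from recode.net, jQuery or Chrome; `hookSinkSetter`, `hookBrowserSinks`, `renderFragment` and the marker `XSSPROBE` are our names, and the demo exercises the hook on a plain object standing in for an element so that it runs outside a browser. In DevTools you would call `hookBrowserSinks(window, 'XSSPROBE', hits)` before the page's scripts run (for example from a snippet while paused on the first script) and then load the page with `#XSSPROBE` in the fragment.

```javascript
// Added example: record every write of tainted data into a DOM sink together
// with the stack of the code that performed it.

// Replace target[prop] with an accessor that wraps the original getter/setter
// (or a plain data property) and records writes whose value contains `marker`.
function hookSinkSetter(target, prop, marker, hits) {
  const desc = Object.getOwnPropertyDescriptor(target, prop) || {};
  const store = new WeakMap(); // per-object values when prop was a data property
  Object.defineProperty(target, prop, {
    configurable: true,
    enumerable: Boolean(desc.enumerable),
    get() {
      if (desc.get) return desc.get.call(this);
      return store.has(this) ? store.get(this) : desc.value;
    },
    set(value) {
      if (typeof value === 'string' && value.indexOf(marker) !== -1) {
        // Error().stack names the function that wrote to the sink: the statement
        // you would otherwise have to locate with a breakpoint.
        hits.push({ prop, value, stack: new Error().stack });
      }
      if (desc.set) desc.set.call(this, value);
      else store.set(this, value);
    },
  });
}

// In a browser: hook the common HTML setter sinks on the real prototypes.
// Returns how many sinks were hooked (0 outside a browser, where the
// constructors do not exist).
function hookBrowserSinks(win, marker, hits) {
  const sinks = [
    [win.Element && win.Element.prototype, 'innerHTML'],
    [win.Element && win.Element.prototype, 'outerHTML'],
    [win.HTMLScriptElement && win.HTMLScriptElement.prototype, 'text'],
  ];
  let count = 0;
  for (const [proto, prop] of sinks) {
    if (proto) {
      hookSinkSetter(proto, prop, marker, hits);
      count += 1;
    }
  }
  return count;
}

// Stand-in for the vulnerable site code: it copies the fragment into innerHTML.
function renderFragment(element, hash) {
  element.innerHTML = hash.substring(1);
}

// Runs the hook against a constructed element object and constructed URLs.
function demo() {
  const hits = [];
  const element = { innerHTML: '' };
  hookSinkSetter(element, 'innerHTML', 'XSSPROBE', hits);
  renderFragment(element, '#rss');                  // normal use: not recorded
  renderFragment(element, '#XSSPROBE<img src=x>');  // tainted write: recorded
  return { hits, finalValue: element.innerHTML };
}
```

Each recorded hit carries the sink name, the value written and a stack whose frames name the function that performed the write (here `renderFragment`), which is the same information the manual breakpoint gives you, collected for every sink at once. Hooking prototypes with `Object.defineProperty` is only a testing aid; it is not a protection, and pages that freeze or re-read the descriptors will notice it.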

Another example:
Target : www.huffingtonpost.de
Global Rank: 135
Rank in USA: 37

An important detail here: if you look at the screenshot, you will notice that the site has stripped the special characters from the URL:
www.huffingtonpost.de/big-news/#imgsrc=xonerror=prompt1
But the payload had already executed before the application rewrote the URL. Sanitising the fragment after it has been used is pointless; the check has to happen before the value reaches the sink, and stripping characters from the address bar is only cosmetic in any case. The correct fix is to validate the fragment against the set of values the page actually expects (for example, a known anchor name) before it is used anywhere, and never to pass it to an API that interprets HTML.

Plenty of applications are vulnerable to DOM-based XSS. Finding out whether an application is affected is easy for an attacker, and exploiting what is found is rarely difficult.
The root cause of DOM-based XSS is untrusted data (the URL fragment, the query string, document.referrer, postMessage data and the like) flowing into a JavaScript API that interprets it as HTML or code, such as jQuery's `$()` and `.html()`, innerHTML, document.write or eval. Developers rely heavily on third-party libraries for functionality and very often do not check how those libraries treat the data they are handed, because the focus is on features. Whenever you adopt a third-party API, test how it behaves with attacker-controlled input, keep an eye on its security advisories and patches, and in your own code never pass location data into an HTML- or code-interpreting sink without first validating it against what you expect.


