Cross Site Scripting – DOM based

In my previous articles about Cross Site Scripting (XSS) you got a definition of XSS. Today we are talking about a different kind of attack, DOM-based XSS.

Let's recall: in regular XSS, JavaScript code is sent to a web application. The web application does not properly check the values it receives as parameters and puts them into the page that is delivered to the web client. In DOM-based XSS the code is not included by the web server, but by the page itself: a script in the page evaluates the URL and includes certain parameters from it.

To make an easy example, create a small website and include the following JavaScript code inside:

<script>
document.write(unescape(document.URL));
</script>

Save the code to your disk and open it with a browser. Now change the URL to:

[your filename]#<script>alert(123);</script>

An alert window should pop up saying 123.

Now let's see what happened. When we created the web page, we included some code which evaluated the URL location. To get rid of the strange signs (the browser percent-encodes characters such as < and > in the URL), we unescaped the URL. The unescaped URL was then written to the page by the JavaScript. Inside the location there was your <script>alert(123);</script>, which was now included in the page. During parsing, this triggered the alert window.
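To make the two halves of that explanation concrete, here is an added example (not code from the original article) that replays the snippet's logic outside the browser: one function returns what document.write(unescape(document.URL)) would insert for the fragment part of a URL, the other returns the same value with the HTML metacharacters escaped so it renders as text. The sample URL is constructed for this example, in the percent-encoded form a browser exposes through document.URL.

```javascript
// Added example, not from the original article: the vulnerable sink beside
// a hardened variant, using only the URL fragment (the part after '#').

// Browsers percent-encode characters such as < and > in document.URL, which
// is why the article's snippet calls unescape() before writing the value.
function fragmentOf(url) {
  return new URL(url).hash.slice(1); // everything after '#', still encoded
}

// Mirrors document.write(unescape(document.URL)) for the fragment: the
// decoded value is returned as raw HTML, so any markup in it becomes markup.
function renderFragmentUnsafe(url) {
  return unescape(fragmentOf(url));
}

// Hardened variant: escape the HTML metacharacters so the value renders as
// text. In a real page the equivalent fix is to assign the decoded value to
// element.textContent instead of passing it to document.write or innerHTML.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return value.replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderFragmentSafe(url) {
  return escapeHtml(unescape(fragmentOf(url)));
}

// Simple check on the rendered output: is there still a tag in it?
function containsTag(html) {
  return /<\s*\/?\s*[a-z][^>]*>/i.test(html);
}

// Constructed sample URL, percent-encoded the way a browser exposes it.
const SAMPLE_URL = 'file:///tmp/page.html#%3Cscript%3Ealert(123);%3C/script%3E';

console.log('unsafe:', renderFragmentUnsafe(SAMPLE_URL)); // <script>alert(123);</script>
console.log('safe:  ', renderFragmentSafe(SAMPLE_URL));   // &lt;script&gt;alert(123);&lt;/script&gt;
```

The unsafe function hands the decoded fragment to the HTML parser unchanged, which is exactly the situation the article describes; the safe function keeps the same data but changes its context from markup to text, which is the property a fix for this class of bug has to guarantee.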

The interesting thing about this vulnerability is that it cannot always be detected by the web server, and even static pages are vulnerable. The reason why it is not always detected is that the part after the #-sign is interpreted as a target within the web page (a fragment identifier). Therefore it is not transferred to the web server, so it never appears in server-side logs or filters.

The vulnerability is not limited to the part after the #-sign. It might also be in URL parameters, or in the referrer of a page.

Have a look yourself to see which pages on your site are vulnerable. Search for

  • document.URL
  • document.location
  • document.referrer
  • unescape

This list is far from complete, but it is a good starting point for the moment.
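As an added example for the review step above (not the article's own tooling), here is a small line-based scanner that looks for the sources the article lists (document.URL, document.location, document.referrer) and the decoding and output calls its snippet uses (unescape, document.write), and rates a line where a source and a sink meet as the one to look at first. The three sample files are constructed for this example.

```javascript
// Added example, not from the original article: a keyword scanner for the
// client-side code review described above.

const SOURCE_PATTERNS = [
  { name: 'document.URL', re: /\bdocument\.URL\b/ },
  { name: 'document.location', re: /\bdocument\.location\b/ },
  { name: 'document.referrer', re: /\bdocument\.referrer\b/ },
];
const SINK_PATTERNS = [
  { name: 'unescape', re: /\bunescape\s*\(/ },
  { name: 'document.write', re: /\bdocument\.write(ln)?\s*\(/ },
];

// Returns one finding per matching line: { file, line, sources, sinks, risk }.
// risk is 'high' when a source and a sink share a line (URL data flows
// straight into the page), 'review' for a source on its own, and
// 'sink-only' for a write whose input has to be traced by hand.
function scanSource(file, text) {
  const findings = [];
  text.split('\n').forEach((code, idx) => {
    const sources = SOURCE_PATTERNS.filter((p) => p.re.test(code)).map((p) => p.name);
    const sinks = SINK_PATTERNS.filter((p) => p.re.test(code)).map((p) => p.name);
    if (sources.length === 0 && sinks.length === 0) return;
    let risk = 'sink-only';
    if (sources.length && sinks.length) risk = 'high';
    else if (sources.length) risk = 'review';
    findings.push({ file, line: idx + 1, sources, sinks, risk });
  });
  return findings;
}

function scanAll(files) {
  return Object.entries(files).flatMap(([name, text]) => scanSource(name, text));
}

// Constructed sample files: the article's vulnerable snippet, a safe use of
// the fragment, and a referrer-based variant spread over two lines.
const SAMPLE_FILES = {
  'vuln.html': [
    '<script>',
    'document.write(unescape(document.URL));',
    '</script>',
  ].join('\n'),
  'safe.js': [
    'const target = document.getElementById("where");',
    'target.textContent = decodeURIComponent(location.hash.slice(1));',
  ].join('\n'),
  'ref.js': [
    'var from = document.referrer;',
    'document.write("<a href=\'" + from + "\'>back</a>");',
  ].join('\n'),
};

for (const f of scanAll(SAMPLE_FILES)) {
  console.log(`${f.file}:${f.line} [${f.risk}] sources=${f.sources} sinks=${f.sinks}`);
}
```

Two limits of this approach are worth keeping in mind when reading its output. It works line by line, so the referrer sample is reported as a 'review' line and a separate 'sink-only' line rather than as one flow; a real review follows the variable from the first line to the second. And safe.js is not reported at all, partly because it writes through textContent, but also because it reads location.hash, which the article's keyword list does not cover; that is why the list above is a starting point, not a complete set of sources.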

Be aware that this kind of vulnerability can be found by code review, which can be done remotely. An attacker always has access to the client-side code of the web page. He can perform automatic searches for keywords and then exploit the vulnerability manually.