DOM XSS attack DOM XSS attack

DOM XSS attack

In short, Document Object Model (DOM) is the hierarchical structure objects of an HTML document, generated by the web-browser to represent the document. The utility of DOM is to easily access the contents of the document. An example of a simple structure of a DOM is the following:

W3C defines the standards of Document Object Model. The most commonly used nodes are:

document_node: this is the root of the structure

element_node: relating to a HTML tag (e.g. <body>)

text_node: the text included in a node

comment_node: HTML comment ( <!– … –> )

Some browsers (e.g. like Firefox or Chrome) have their own tools or plugins to explore and modify DOM.

Javascript also is a tool that can access and manipulate DOM, changing HTML structure of a document.

The power of DOM-based XSS attack, therefore, is that it occurs client-side and it doesn’t involve web-server, then this type of attack is difficult to detect. It happens when a webapp includes client-side javascript that processes data in an unsafe way.

Being a client-side attack, its success depends on the browser used by the victim. Nowadays, however, almost all browsers have been updated to prevent this type of attack.

In practice, DOM-based XSS occurs when the victim opens the malicious link in which there is an argument which is executed by the script. One of the main purposes of the attack is to steal session cookies because in this case the attacker can authenticate itself as admin in the webapp.

–

Example of attack

In this basic example we will see how to attack a victim through an HTML static page:

http://site.com/foo.html

can pass as argument a variable in a GET request, e.g.:

http://site.com/foo.html?var=example

Attacker replaces variable “example” with his own malicious script, e.g.:

http://site.com/foo.html?var=script_malicious(code)

Then attacker sends malicious link to a victim (also performing “URL masking” for mask his code to not make it visible in the link) which opens this link with his browser.

Victim browser, after sending request to webserver via malicious link, then receive response from site.

Browser, now, builds DOM and then, when it parses HTML pages and reachs attacker’s script, runs this script.

As you can see this type of attack does not involve server.

How to avoid DOM XSS attack

The simplest method to avoid DOM-based XSS is to disable JavaScript support in the browser, so that attacks pointing to JavaScript have no effect.

In some browsers, moreover, there are special “add-on” that help us to protect ourselves from this type of attack.

Another very important thing for the defense is to never click on external and unreliable links.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.