DOM XSS attack
In short, Document Object Model (DOM) is the hierarchical structure objects of an HTML document, generated by the web-browser to represent the document. The utility of DOM is to easily access the contents of the document. An example of a simple structure of a DOM is the following:
W3C defines the standards of Document Object Model. The most commonly used nodes are:
- document_node: this is the root of the structure
- element_node: relating to a HTML tag (e.g. <body>)
- text_node: the text included in a node
- comment_node: HTML comment ( <!– … –> )
Some browsers (e.g. like Firefox or Chrome) have their own tools or plugins to explore and modify DOM.
Being a client-side attack, its success depends on the browser used by the victim. Nowadays, however, almost all browsers have been updated to prevent this type of attack.
In practice, DOM-based XSS occurs when the victim opens the malicious link in which there is an argument which is executed by the script. One of the main purposes of the attack is to steal session cookies because in this case the attacker can authenticate itself as admin in the webapp.
Example of attack
In this basic example we will see how to attack a victim through an HTML static page:
can pass as argument a variable in a GET request, e.g.:
Attacker replaces variable “example” with his own malicious script, e.g.:
Then attacker sends malicious link to a victim (also performing “URL masking” for mask his code to not make it visible in the link) which opens this link with his browser.
Victim browser, after sending request to webserver via malicious link, then receive response from site.
Browser, now, builds DOM and then, when it parses HTML pages and reachs attacker’s script, runs this script.
As you can see this type of attack does not involve server.
How to avoid DOM XSS attack
In some browsers, moreover, there are special “add-on” that help us to protect ourselves from this type of attack.
Another very important thing for the defense is to never click on external and unreliable links.