DOM XSS attack

   

DOM XSS attack

In short, Document Object Model (DOM) is the hierarchical structure objects of an HTML document, generated by the web-browser to represent the document. The utility of DOM is to easily access the contents of the document. An example of a simple structure of a DOM is the following:

W3C defines the standards of Document Object Model. The most commonly used nodes are:

  • document_node: this is the root of the structure
  • element_node: relating to a HTML tag (e.g. <body>)
  • text_node: the text included in a node
  • comment_node: HTML comment ( <!– … –> )

Some browsers (e.g. like Firefox or Chrome) have their own tools or plugins to explore and modify DOM.

Javascript also is a tool that can access and manipulate DOM, changing HTML structure of a document.

The power of DOM-based XSS attack, therefore, is that it occurs client-side and it doesn’t involve web-server, then this type of attack is difficult to detect. It happens when a webapp includes client-side javascript that processes data in an unsafe way.

Being a client-side attack, its success depends on the browser used by the victim. Nowadays, however, almost all browsers have been updated to prevent this type of attack.

In practice, DOM-based XSS occurs when the victim opens the malicious link in which there is an argument which is executed by the script. One of the main purposes of the attack is to steal session cookies because in this case the attacker can authenticate itself as admin in the webapp.

Example of attack

In this basic example we will see how to attack a victim through an HTML static page:

 http://site.com/foo.html

 can pass as argument a variable in a GET request, e.g.:

 http://site.com/foo.html?var=example

Attacker replaces variable “example” with his own malicious script, e.g.:

 http://site.com/foo.html?var=script_malicious(code)

Then attacker sends malicious link to a victim (also performing “URL masking” for mask his code to not make it visible in the link) which opens this link with his browser.

Victim browser, after sending request to webserver via malicious link, then receive response from site.

Browser, now, builds DOM and then, when it parses HTML pages and reachs attacker’s script, runs this script.

As you can see this type of attack does not involve server.

 

How to avoid DOM XSS attack

The simplest method to avoid DOM-based XSS is to disable JavaScript support in the browser, so that attacks pointing to JavaScript have no effect.

In some browsers, moreover, there are special “add-on” that help us to protect ourselves from this type of attack.

Another very important thing for the defense is to never click on external and unreliable links.

0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments