–       DOM-based XSS attacks –

(CSCI 5234, Supplementary/Preliminary information for slides 17-19 of XSS)

“The Document Object Model (DOM) is a web browser's hierarchical representation of the elements on the page. Websites can use JavaScript to manipulate the nodes and objects of the DOM, as well as their properties. DOM manipulation in itself is not a problem. In fact, it is an integral part of how modern websites work. However, JavaScript that handles data insecurely can enable various attacks. DOM-based vulnerabilities arise when a website contains JavaScript that takes an attacker-controllable value, known as a source, and passes it into a dangerous function, known as a sink.” (https://portswigger.net/web-security/dom-based)

NOTE: In a DOM-based XSS, both the source and the sink are in the client-side JavaScript of the same HTML page. The attacker-controlled data travels from source to sink entirely inside the browser; the server never reflects it, so server-side input filtering does not see it, and when the payload is carried in the URL fragment (the part after #) it is not even sent to the server and leaves no trace in web server logs.

“To deliver a DOM-based XSS attack, you need to place data into a source so that it is propagated to a sink and causes execution of arbitrary JavaScript.” (https://portswigger.net/web-security/cross-site-scripting/dom-based)

“A source is a JavaScript property that accepts data that is potentially attacker-controlled. An example of a source is the location.search property because it reads input from the query string, which is relatively simple for an attacker to control. Ultimately, any property that can be controlled by the attacker is a potential source.” (https://portswigger.net/web-security/dom-based)

Potential sources

–       window.location is the Location object of the current page; location.href (or String(location)) gives the full URL.

–       window.location.hostname returns the hostname in the URL.

–       window.location.search returns the query string part of the URL, including the question mark (?).

e.g., Suppose the URL is http://www.abc.com/?name=John&age=20.

location.search returns ‘?name=John&age=20’.

–       location.hash returns the fragment (anchor) part of the URL, including the hash sign (#). The fragment is never transmitted to the server, so a payload placed here does not appear in server logs.

–       document.domain returns the domain name of the server the current document was loaded from.

–       document.referrer returns the referring URL (attacker-controlled when the victim arrives through a link on an attacker's page).

–       document.cookie returns the document's cookies (those not marked HttpOnly).

NOTE: Visit the W3Schools site at https://www.w3schools.com/js/default.asp#gsc.tab=0 to learn more details.

Potential sinks

–       eval(<expression>) executes the <expression> as JavaScript code. (https://www.w3schools.com/jsref/jsref_eval.asp)

 

“A hacker can modify the eval() method's string if it comes from the response. Hackers can manipulate and modify the data coming from external storage.” (https://www.c-sharpcorner.com/article/eval-and-hackers-dream-in-javascript/)

 

–       innerHTML gets or sets the HTML content of an element; whatever string is assigned is parsed as HTML markup. (https://www.w3schools.com/jsref/prop_html_innerhtml.asp)

e.g., document.getElementById("demo").innerHTML = "I have changed!";

document.getElementById("demo").innerHTML = "<script> … </script>";

NOTE: Per the HTML specification, a <script> element inserted through innerHTML is not executed, so real payloads use markup that fires an event handler instead, e.g. <img src=x onerror=alert(1)>. Assigning untrusted data to textContent rather than innerHTML avoids the sink entirely when no markup is needed.
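The source-to-sink flow described in the notes above (location.search into innerHTML, location.hash into eval, and the point that the fragment never reaches the server), as an added worked example that is not part of this handout or of the cited sites. It simulates the browser pieces under Node.js using the WHATWG URL class, so it runs without a DOM; the element is a plain object that records what was assigned to innerHTML. The host www.abc.com is the handout's own example host; the two attack URLs, the element stand-in and all function names are constructed for illustration.

```javascript
// Added example, not from the handout: a DOM-based XSS source-to-sink
// flow simulated under Node.js. The "element" is a plain object that
// records what was assigned to innerHTML; no real DOM is used.

// ---- sources ----------------------------------------------------------
// In the browser these are window.location.search / .hash / .hostname.
// Here a constructed URL is parsed with the WHATWG URL class (Node >= 10).
function parseLocation(href) {
  const u = new URL(href);
  return { hostname: u.hostname, search: u.search, hash: u.hash };
}

// What actually goes to the server in the HTTP request line: path and
// query only. The fragment never leaves the browser, which is why a
// hash-based DOM XSS payload does not show up in server logs.
function requestTarget(href) {
  const u = new URL(href);
  return u.pathname + u.search;
}

// ---- sink 1: innerHTML ---------------------------------------------------
function makeElement() {            // stand-in for a DOM element
  return { innerHTML: '' };
}

// Vulnerable: the ?name= value is concatenated straight into markup.
function renderGreetingVulnerable(search) {
  const name = new URLSearchParams(search).get('name') || '';  // source
  const el = makeElement();
  el.innerHTML = '<b>Hello ' + name + '</b>';                   // sink
  return el.innerHTML;
}

// Hardened: HTML-encode the five significant characters before the value
// reaches the sink. (Assigning to textContent instead of innerHTML is the
// simpler fix when no markup is needed at all.)
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}
function renderGreetingSafe(search) {
  const name = new URLSearchParams(search).get('name') || '';
  const el = makeElement();
  el.innerHTML = '<b>Hello ' + escapeHtml(name) + '</b>';
  return el.innerHTML;
}

// ---- sink 2: eval --------------------------------------------------------
// A page that restores its state from the fragment, e.g. #{"x":1}.
// Browsers percent-encode characters such as '"' in the fragment, so the
// page decodes it first, as real code tends to.
function loadStateVulnerable(hash) {
  return eval('(' + decodeURIComponent(hash.slice(1)) + ')');  // sink
}
// Hardened: JSON.parse accepts data only; anything that is not JSON is rejected.
function loadStateSafe(hash) {
  try {
    return JSON.parse(decodeURIComponent(hash.slice(1)));
  } catch (e) {
    return null;
  }
}

// ---- constructed attack URLs (hypothetical; abc.com is the handout's host) --
const XSS_URL  = 'http://www.abc.com/?name=<img src=x onerror=alert(1)>';
const EVAL_URL = 'http://www.abc.com/#{"x":1,"y":(globalThis.pwned=true)}';

function runDemo() {
  const loc = parseLocation(XSS_URL);
  return {
    sentToServer: requestTarget(EVAL_URL),                    // '/' : no fragment
    vulnerable:   renderGreetingVulnerable(loc.search),       // <img ...> survives
    safe:         renderGreetingSafe(loc.search),             // &lt;img ...&gt;
    evalState:    loadStateVulnerable(parseLocation(EVAL_URL).hash),
    pwned:        globalThis.pwned === true,                  // side effect of eval
    jsonState:    loadStateSafe(parseLocation(EVAL_URL).hash) // null: rejected
  };
}

console.log(runDemo());
```

Run it with node. The vulnerable branch shows the <img onerror=…> markup arriving at the innerHTML sink intact and the eval sink executing the assignment smuggled inside the fragment; the hardened branches show the same inputs neutralised, and requestTarget shows that nothing after # would have reached the server.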

 

Further discussions about DOM-based XSS:

–       DOM Based XSS, OWASP: https://owasp.org/www-community/attacks/DOM_Based_XSS

–       Mutation XSS in Google Search: https://www.acunetix.com/blog/web-security-zone/mutation-xss-in-google-search/

–       XSS on Google Search - Sanitizing HTML in The Client? https://www.youtube.com/watch?v=lG7U3fuNw3A