Thursday, 14 September 2017

JavaScript Dangerous Functions (Part 1) - HTML Manipulation

1. Introduction to HTML Manipulation Functions 

When a method or operation allows HTML manipulation and it is possible to control, even partially, one of its arguments, then it is possible to manipulate the HTML to some extent and consequently gain control of the user interface or execute JavaScript through classic Cross-Site Scripting attacks.

Data flow starts from Sources (input data that could be tainted) and ends at Sinks (potentially dangerous functions).

In software security, Sources[*] are the starting points where an application takes in untrusted input data.

There are two types of input sources: Direct and Indirect. In the next articles we will analyze the various types of Direct/Indirect input and how malicious JavaScript code can cause damage by exploiting incorrect programming techniques.

In software security, Sinks[*] are the points in the flow where data derived from sources is used in a potentially dangerous way, resulting in a loss of Confidentiality, Integrity or Availability (the CIA triad).

This means that a function is a Sink if its behavior is generally safe but becomes dangerous with tainted input data.

To understand the difference between a Source and a tainted Source, take a look at the following code:

    var name = document.URL.indexOf("name=") + 5;            // <- TAINTED SOURCE
    document.write("Welcome " +
        document.URL.substring(name, document.URL.length));  // <- SINK

Source:  document.URL
Sink:    document.write()
Result:  document.write("<script>alert(document.cookie)</script>");

The exploit will take place when visiting the following URL:


* Glossary 
Sources: Sources are all the DOM Properties that can be influenced by an attacker. 
Sinks: Sinks are all the DOM Properties, JavaScript functions and other Client-side entities that can lead to or influence Client-side code execution.

1.1 Table of dangerous JavaScript functions/properties for HTML Manipulation

Below is a table of the principal sinks that allow HTML manipulation and are likely to result in JavaScript execution.

Function Name

    document.write("<b>" + userControlledVal + "</b>");
    document.writeln("<b>" + userControlledVal + "</b>");
    divElem.innerHTML = "Hello " + userControlledVal;
    divElem.outerHTML = "<div>Hello " + userControlledVal + "</div>";
    // first argument is the position: "beforebegin", "afterbegin", "beforeend" or "afterend"
    divElem.insertAdjacentHTML("beforeend", "<b>" + userControlledVal + "</b>");
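As an added example (not code from the original post), here is a small line-based source-to-sink check over JavaScript text that flags the sinks in the table when their argument comes from a DOM source, either directly or through an intermediate variable. The source list and the single-line heuristic are assumptions of this example; it is a triage aid, not a replacement for a real analyser such as the one the post mentions.

```javascript
// Added example: a line-based source-to-sink check for the HTML manipulation
// sinks listed above. It is a triage heuristic, not a parser-based analysis.
const SOURCES = ["document.URL", "document.location", "location.hash",
  "location.search", "document.referrer", "window.name", "localStorage"];
const SINKS = ["document.write(", "document.writeln(", ".innerHTML",
  ".outerHTML", ".insertAdjacentHTML("];

// Returns [{line, sink}] for every line where a sink receives tainted data.
// Taint propagates through simple assignments such as "var name = <expr>;".
function findTaintedSinks(source) {
  const tainted = new Set();        // variables known to hold source data
  const hits = [];
  const isTainted = (text) =>
    SOURCES.some((s) => text.includes(s)) ||
    [...tainted].some((v) => new RegExp("\\b" + v + "\\b").test(text));

  source.split("\n").forEach((line, idx) => {
    // Assignment to a plain identifier (no "$" names, so the regex above stays safe).
    const assign = line.match(/^\s*(?:var|let|const)?\s*([A-Za-z_]\w*)\s*=(?!=)\s*(.+)$/);
    if (assign && isTainted(assign[2])) tainted.add(assign[1]);

    for (const sink of SINKS) {
      const at = line.indexOf(sink);
      if (at === -1) continue;
      // Call sinks: inspect the argument list. Property sinks: inspect the
      // right-hand side of the assignment (a bare read of .innerHTML is not a sink).
      const rhs = sink.endsWith("(")
        ? line.slice(at + sink.length)
        : line.slice(at).split("=").slice(1).join("=");
      if (rhs && isTainted(rhs)) {
        hits.push({ line: idx + 1, sink: sink.replace(/^\.|\($/g, "") });
      }
    }
  });
  return hits;
}

// Constructed input: the welcome.html snippet discussed later in the post.
const SAMPLE = [
  'var element = document.getElementById("header");',
  'var name = localStorage.name;',
  'element.innerHTML = "Hello, " + name;',
].join("\n");
console.log(findTaintedSinks(SAMPLE)); // [ { line: 3, sink: 'innerHTML' } ]
```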

2. Differences between document.write functions and properties like innerHTML

The document.write method: 

Let's take functions like document.write (or document.writeln) as an example to better explain the Sink, and let's see the difference between this function and, for example, the innerHTML property.

As we can see, document.write operates directly as a Sink, writing (outputting) the malicious code entered by a user who controls the value, by going to the following URL:


And, analyzing the page code:

    var pos = document.URL.indexOf("foo=") + 4;                        // <- TAINTED SOURCE
    document.write(document.URL.substring(pos, document.URL.length));  // <- SINK
We can see that the Sink in question, document.write, has the task of printing on screen the value passed to the function as an argument; since the user-supplied argument contains malicious JavaScript code, the function unintentionally writes that code into the DOM, where it is executed:

This produces on the browser side, that is Client-side, a popup containing the cookie values of the current user session.

The innerHTML property:

Concerning the use of the innerHTML property, and how it can be abused through a value controlled directly by a user, we can make a more detailed example; let's take the following code:
<div id="nm">John Doe</div>

    // the expression below was lost in the original listing; the text says innerHTML is read here
    var name = document.getElementById("nm").innerHTML;  // <- SOURCE
    document.getElementById("nm").innerHTML = name;
As you can see, if we use the innerHTML property to retrieve the information and write it back, nothing happens, even if malicious JavaScript code had been placed where the name "John Doe" is; instead, let's take another example:
<div id="nm">John Doe</div>

    var pos = document.URL.indexOf("name=") + 5;
    var name = document.URL.substring(pos, document.URL.length);  // <- TAINTED

    document.getElementById("nm").innerHTML = name;               // <- SINK

Following this example script and browsing to its URL:


In this case, the browser shows us a popup window, demonstrating that the JavaScript code passed in the name URL parameter was executed.

2.1 Examples of vulnerable source code for HTML Manipulation vulnerabilities

At this point we can give a few examples so you can see the various possibilities for identifying and subsequently exploiting an HTML Manipulation vulnerability:

  • DOM Based Cross-Site Scripting 
  • Stored DOM Based Cross-Site Scripting 
  • Others

Then we will see practical examples, and in the next step we will explain how you can detect these types of vulnerabilities with BlueClosure BCDetect and how to exploit them.

DOM Based Cross-Site Scripting (DOM XSS):

To explain this type of vulnerability, we can take one of the examples above, which keeps it very simple. Take the following vulnerable code:

    var pos = document.URL.indexOf("foo=") + 4;
    document.write(document.URL.substring(pos, document.URL.length));

Source:  document.URL
Sink:    document.write()
Result:  document.write("<script>alert(document.cookie)</script>");

The attack takes place entirely at the Client-side level (this is due to the # fragment identifier).

To exploit this, just go to the following URL and specify the malicious code in the "foo=" parameter:


Stored DOM Based Cross-Site Scripting (Stored DOM XSS)

Let's see an example of this type of vulnerability where, unlike the first, the malicious code is first saved in HTML5 local Storage (only recent browsers support the Storage feature). Browse the following URL:

     http://example.tld/store.html?name=<img src=z onerror='alert(document.cookie)' >

Below is the vulnerable code of the page:

    var pos = document.URL.indexOf("name=") + 5;
    var name = document.URL.substring(pos, document.URL.length);
    name = decodeURI(name);
    // the storage statement was lost in the original listing; the text says the value is saved in local Storage
    localStorage.name = name;  // <- saved in browser Storage
As mentioned above, the "name" is saved in the browser Storage.

Now, to exploit this type of vulnerability, let's see what happens if we visit (after the previous page) the following welcome page URL:


With the source code of the page:

    var element = document.getElementById("header");
    // the expression below was lost in the original listing; the text says the name is read back from Storage
    var name = localStorage.name;
    element.innerHTML = "Hello, " + name;

Source:  document.URL
Sink:    element.innerHTML
Result:  element.innerHTML = "Hello, <img src=z onerror='alert(document.cookie)' >";

We would surely have a nasty surprise: a popup alert showing the cookie data for the current user session.
A malicious user could retrieve such data to gain unauthorized access as one of your users.
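As an added example, not from the original post, here is the hardened counterpart of the store.html / welcome.html pair above (and of the earlier innerHTML snippet): the query parameter is read with URLSearchParams instead of indexOf/substring, and the value only reaches the page through textContent or after HTML escaping. The function names are hypothetical, and a plain object stands in for the DOM element so the code also runs under Node.

```javascript
// Added example: safe versions of the vulnerable snippets in this post.
// Function names are hypothetical; the element argument may be a real DOM
// element or a plain object, so the code runs outside a browser too.

// Read exactly one query parameter, decoded, instead of taking everything
// after "name=" with indexOf/substring (which also swallows later parameters).
function nameFromUrl(url) {
  return new URL(url).searchParams.get("name") || "";
}

// Minimal HTML escaping for the cases where markup really must be built and
// written through document.write or innerHTML.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// welcome.html, fixed: textContent never parses markup, so an <img onerror=...>
// payload is shown as literal text. Returns what was rendered.
function renderGreeting(el, name) {
  el.textContent = "Hello, " + name;
  return el.textContent;
}

// Alternative when the greeting must contain tags: escape the untrusted part
// before it reaches the innerHTML sink.
function greetingHtml(name) {
  return "Hello, <b>" + escapeHtml(name) + "</b>";
}

// Constructed input: the stored DOM XSS payload from the post, URL-encoded,
// followed by a second parameter that the indexOf/substring code would swallow.
const PAYLOAD = "<img src=z onerror='alert(document.cookie)' >";
const STORE_URL = "http://example.tld/store.html?name=" + encodeURIComponent(PAYLOAD) + "&lang=en";

const header = {};                   // stand-in for document.getElementById("header")
const shown = renderGreeting(header, nameFromUrl(STORE_URL));
console.log(shown);                  // Hello, <img src=z onerror='alert(document.cookie)' >
console.log(greetingHtml(PAYLOAD));  // Hello, <b>&lt;img src=z onerror=&#39;alert(document.cookie)&#39; &gt;</b>
```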


  1. This is an awesome post. Really very informative and creative contents. This concept is a good way to enhance knowledge. I like it and help me to development very well. Thank you for this brief explanation and very nice information. Well, got good knowledge.
    WordPress development company in Chennai

  2. Most of the time we don`t even understand full risks, but it is essential to think about the security and safety of the scripts that you use.

  3. شرکت تلکا هاست پیشرو در میزبانی انواع وب سایت و هم چنین دارای انواع هاست فوق ارزان با کنترل پنل سی پنل میباشد.حتما از سایت ما دیدن کنید و از قیمت های مناسب برای انواع سرویس های وب و ثبت انواع دامنه شگفت زده شوید.

  4. Nice, how about when you already get the cookie of your target?

  5. How to make yahoo my homepage on Firefox?

    If you have no idea about how to make yahoo my homepage on Firefox, go through the steps mentioned here . First of all, launch the Firefox browser and then click on the Menu icon . Choose the Preferences icon under it. Now, under the General page, click on Show my home page option. Next, under the Home Page field, you need to enter Now, Yahoo will be made as your default homepage for Firefox browser.

  6. How to Sync Yahoo Mail with Android?

    In the era of smartphones, many Yahoo users want to know how to sync Yahoo Mail with their devices. For this, firstly, you need to install the Yahoo Mail app and then add Yahoo Mail. Now, open your device's ‘Settings’ app, and tap ‘Accounts’ and click ‘Yahoo.’ Further tap your Yahoo Mail account, and select ‘Sync Contacts’ to turn it 'On.' This will sync your Yahoo Contacts on your Android's address book.

    how to sync yahoo mail

  7. Wow, What an Outstanding post. I found this too much informatics. It is what I was seeking for. I would like to recommend you that please keep sharing such type of info.If possible, Thanks.

  8. Ucuz, kaliteli ve organik sosyal medya hizmetleri satın almak için Ravje Medyayı tercih edebilir ve sosyal medya hesaplarını hızla büyütebilirsin. Ravje Medya ile sosyal medya hesaplarını organik ve gerçek kişiler ile geliştirebilir, kişisel ya da ticari hesapların için Ravje Medyayı tercih edebilirsin. Ravje Medya internet sitesine giriş yapmak için hemen tıkla:

    İnstagram takipçi satın almak için Ravje Medya hizmetlerini tercih edebilir, güvenilir ve gerçek takipçilere Ravje Medya ile ulaşabilirsin. İnstagram takipçi satın almak artık Ravje Medya ile oldukça güvenilir. Hemen instagram takipçi satın almak için Ravje Medyanın ilgili sayfasını ziyaret et: instagram takipçi satın al

    Tiktok takipçi satın al istiyorsan tercihini Ravje Medya yap! Ravje Medya uzman kadrosu ve profesyonel ekibi ile sizlere Tiktok takipçi satın alma hizmetide sunmaktadır. Tiktok takipçi satın almak için hemen tıkla: tiktok takipçi satın al

    İnstagram beğeni satın almak için Ravje medya instagram beğeni satın al sayfasına giriş yap, hızlı ve kaliteli instagram beğeni satın al: instagram beğeni satın al

    Youtube izlenme satın al sayfası ile hemen youtube izlenme satın al! Ravje medya kalitesi ile hemen youtube izlenme satın almak için tıklayın: youtube izlenme satın al

    Twitter takipçi satın almak istiyorsan Ravje medya twitter takipçi satın al sayfasına tıkla, Ravje medya güvencesi ile organik twitter takipçi satın al: twitter takipçi satın al

  9. Pretty useful article. I merely stumbled upon your internet site and wanted to say that I’ve very favored learning your weblog posts. Any signifies I’ll be subscribing with your feed and I hope you publish once additional soon. 메이저사이트

  10. then it is possible to manipulate, Buy A Custom Essay to some extent the HTML and consequently gain control of the user interface or execute JavaScript using classic Cross Site Scripting attacks.

  11. On Google, three things could be causing your Gmail account not to open. These conflict with other software on your system, a cache in your browser that has to be cleared, and a temporary outage of the Gmail servers. So, if you’re Gmail not opening in your Chrome browser, then extensions or add-ons can also cause this issue.

  12. This comment has been removed by the author.

  13. This comment has been removed by the author.

  14. Carpet dry cleaning Point Cook is a great option for those looking for a quick and efficient way to clean their carpets. It is also a great choice for those with allergies or asthma, as it does not produce any dust or fumes.

  15. This comment has been removed by the author.

  16. JuliasNetwork bisa dengan mudah kamu temukan di google hanya dengan memasukkan "OTOSLOT" pada mesin pencarian di google. Kamu juga bisa ikutin segala jenis bonus dan event yang ada pada situs resmi kami tentunya hanya di Agen Slot Pulsa Tergacor.
    Website Permainan judi slot online memanglah menjadi produk andalan OTOSLOT saat ini, dapat dilihat dari grafik permainan judi slot online indonesia yang berkembang secara cepat.

  17. Customers in Southern California would get a free six-inch sub and hot soup when they buy a six-inch sub and a large drink on rainy days. In 2010, Subway provided a “Subway pod store” for workers constructing 1 World Trade Center, which rose up as the building expanded for easy access.
    Mount St. Helens

    Facts About Subway

    Fun Facts about Friday

  18. Very nice post. I simply stumbled upon your blog and wanted to say that I have really enjoyed browsing your weblog posts. I’m hoping you write once more very soon!

  19. İnstagram takipçi satın al! İnstagram takipçi sitesi ile takipçi satın al sende sosyal medyada fenomen olmaya bir adım at. Sende hemen instagram takipçi satın almak istiyorsan tıkla:

    1- takipçi satın al

    2- takipçi satın al

    3- takipçi satın al


  20. CEA Aviation is one of the greatest pilot training schools in the country; if you want to be a skilled pilot, this is the place to be. Don't miss out on this opportunity to attend DGCA Ground Classes in delhi facility

  21. Open it and play the free demo version the place you get free spins for 1,000 credit. Although that is unique to 888Casino, you don't need to|need not|needn't} spend actual cash if you want to|if you want to} play this Slot machine. If 먹튀사이트 먹튀프렌즈3 we skip the fact that|the truth that} a lot of the characters in the game look Japanese somewhat than Chinese, this fun Slot machine is a 3x3 game with eight paylines.

  22. A soldier in his twenties was listed as having suffered blast accidents. Contacted by Reuters, the person stated he remembered little, solely that “the fighting was fierce.” He spoke on the situation of anonymity. The commander of the Western Military District, considered one of Russia’s most senior officers, demanded a briefing on the situation and “ordered that Hrakove should not be surrendered,” additional pocket book entries stated. According to official information, the commander at the time was Colonel-General Alexander Zhuravlyov, since 메리트카지노 fired by Putin. Independent Russian navy analysts CIT have stated, nonetheless, that Zhuravlyov was changed by July by Lieutenant-General Andrei Sychevoi. Kharkiv regional police stated Ukrainian investigators had found 22 torture chambers across newly liberated cities and villages in the area.

  23. Its very interesting while reading it,thank you for posting such a good article. ทางเข้าเล่น joker

  24. Wow, this post is amazing. This was too technological for my tastes. I have found what I was looking for. I'd want to urge you to keep sharing this kind of information. Please accept my thanks. By the way, I was also looking for the assignment service australia for buying assignments from Australia when I came across this one. I would now want to recommend that you use this site and I hope that it will be beneficial to you.