Blog

Sunday 29 October 2017

JavaScript Dangerous Functions (Part 2) - DOM Based XSS

1. Introduction to DOM Based Cross-Site Scripting


DOM Based XSS is an attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser. These modifications  are usually performed by client side scripts.

In the case of a DOM XSS vulnerability the HTTP response sent by the server is not different from the normal execution of the application, but the payload injected from the attacker executes only in the browser of the victim.

This behavior is different from other XSS attacks (Stored or Reflected), where the attack payload is contained in the response page (due to a server side flaw).

In the following example of OWASP code, "document.location.href" or "document.write" may appear not to be harmful, but depending on their use, they can lead to a DOM XSS vulnerability. 

[..]
Select your language:


[..]
Indeed, the "document.location.href" property is a Source because it can be controlled by the user through the input in the GET request (lang=[user-controlled-input]). On the opposite side, "document.write" is considered a Sink, because this is a function that could be abused to cause security issues. This kind of flow in the code can generate a DOM related vulnerability.
Using the following request it is possible to exploit the above DOMXSS:

      http://www.example.tld/page.html?lang=<script>alert(document.cookie)</script>

When the victim clicks on this link, the browser sends a request for:

/page.html?lang=<script>alert(document.cookie)</script>
The server replies with the page containing the above JavaScript code.
The browser creates a DOM object for the page, in which the document.location object contains the string:

      http://www.example.tld/page.html?lang=<script>alert(document.cookie)</script>

The original JavaScript code in the page does not expect the “lang” parameter to contain HTML markup, and therefore it simply echoes it into the page (DOM) at runtime.

The browser then renders the resulting page and executes the attacker’s script:

alert(document.cookie)
Note that the HTTP response sent from the server does not contain the attacker’s payload, because the payload itself is executed only at the Client-side level.


2. BlueClosure Detection of DOM Based Cross-Site Scripting


The BlueClosure BCDetect product (https://www.blueclosure.com) can easily detect DOM HTML Injection vulnerability in web pages.
In this part of the article we are going to see how it is possible to use BCDetect in order to identify a DOM XSS vulnerability and perform a detailed analysis of it.

Let’s begin with a simple example (in the next articles we will explain the Detection and Exploiting phases of much more complex examples aimed toward more advanced readers).

Once BCDetect instance has started, we can visit the website domxss.com (this service is hosted from MindedSecurity in order to practice DOM related vulnerabilties. It offers various sections with different kinds of vulnerabilities). When opening the following page (
http://www.domxss.com/domxss/01_Basics/00_simple_noHead.html) with BCDetect, the user is prompted with a pop-up window showing a potential vulnerability in the JavaScript code of the page as shown in the following screenshots:

 
The popup alerts the user with the Summary view which includes alerts, warning and informational issues found in the page; Clicking on an issue it shows the specific data of the vulnerability through the dedicated BCDetect browser window, as shown in the following screenshot:


This window can be considered as a "point of reference" which shows all the possible issues, warnings or information previously found while browsing the target website.

Looking at the vulnerability pane, we can infer that the issue is categorized as an Alert and it could be a potential High Risk vulnerability (BCDetect makes a great effort  to minimize False-positives, but this will be the subject for a later article). So let's examine the HTML Injection previously pointed out.

The following snippet shows the source code of the page that BCDetect analyzed at runtime:

<script>
 var pos = document.URL.indexOf("name=") + 5;
 var r = '' + 
  document.URL.substring(pos, document.URL.length) + 
 ''
 document.write(unescape(r));
</script>
As shown above, the string is retrieved from the "name=" parameter which is not filtered in any way, nor in input via document.URI neither in output via document.write.
In order to better investigate the vulnerability, we can simply click on the related box and a detailed "history" window will appear below it. This window will contain all the information  that led to the discover of the vulnerability itself.
  

As shown in the above image, the window contains the categorization of the vulnerability, it shows if the issue is Exploitable or not, if the data is Encoded or Not Encoded. It also highlights the user's controllable value and the vulnerable code, identified by the engine of BCDetect.

By clicking the link "Show operations", there are a couple of features that give us the ability to have more information about the vulnerability going through the specific low-level information  (Inside the box History -> Flow #N and Show Operations).

For instance:


These are the main points to understand how to perform the Detection phase with BCDetect and conduct a smart analysis of the issue.


2.1 BlueClosure Exploiting a DOM Based Cross-Site Scripting


In the previous section we saw how BCDetect was able to identify an HTML injection issue in real-time and how to exploit it (in the user's client context).

Let 's consider the example we were using in the detection phase and type the following request in our browser:

      http://www.domxss.com/domxss/01_Basics/00_simple_noHead.html?#name=<script>alert(document.cookie)</script>

We will see that the page shows an alert popup containing the user's cookie values as shown in the following screenshot​.



Using more advanced payloads, an attacker can steal the cookies and try to impersonate the victim.  

Even during the exploiting phase, BCDetect will report us through the popup notifications which as usual contains the type of vulnerability and the information about it, as can be seen in the the following screenshot:

27 comments :

  1. I am glad, that you informed people about these dangerous functions. Although, I am also working with Java, I didn't know, that such functions are allowed.

    ReplyDelete
    Replies
    1. This reflective and well authorized BC Detect was able to identify an HTML injection issue, is also a effective thing using in JavaScript these days, but there are also very beneficial and well authorized UAE Assignment writing help services available in all over the Emirate for helping the new learners and students perfectly thesedays.

      Delete
  2. Oh, come on! I know, but this is not always like this! You better to stop waste your time and money and check this beautiful service for essay and homework! This guys personal statement for nursing school really know how to do it and you will be so happy about it! So write them write write thesis for me and be ready to win! Good luck, have fun!

    ReplyDelete
  3. It's good to see you, essay shark scam ?! No! We also assure you of a refund if you get subpar an assignment from an assistant here. You are free to make a refund request whenever you feel like what you paid for has not been met. We process and return all refund money swiftly.

    ReplyDelete
  4. In my last essay, I discussed some of the problematic JavaScript methods that might lead to DOM-based XSS vulnerabilities. In this piece, I'll discuss some of the most risky functions and how to prevent them.

    ReplyDelete
  5. I should be more upset by the title of this article or the substance. In any case, it's a bad piece that isn't even accurate. Golf outfit women are not risky, nor are JavaScript Dangerous Functions.

    ReplyDelete
  6. I like your post this is very interesting information about JavaScript Dangerous Functions (Part 2) - DOM Based XSS. Because this is a very unique fact Being a student who values this kind of information, I am grateful that I came to your website today looking for OXFORD STYLE REFERENCING service. If you're a student and ever need homework help, I recommend that you go to this website.

    ReplyDelete
  7. Leather jackets are a great way to add a touch of style to your look and they can also keep you warm in cooler weather.

    ReplyDelete
  8. All 5 sites included on this evaluate have minimal of|no less than} four.four of 5 scores and don't seem to have purchased any of their testimonials. The scores of the most-followed matches across well-liked championships are pinned on the site as well, providing you with the knowledge you would possibly must make future betting selections. Here, you’ll get to take pleasure in numerous top-tier, provably truthful video games, similar to Wood Landers, Golden Dragon Inferno, Captain’s Quest - Treasure Island, Book of Helios, heaps of|and lots of} more. This often a|could be a} progressive jackpot involving a single game or a multi-game version where many video games are linked collectively 온라인 카지노 in a single jackpot reward. On the customer service front, they provide 24/7 buyer help through email, contact kind, and reside chat.

    ReplyDelete
  9. I performed eight thousand dollars in 5 hours between three casinos on the Las Vegas strip 아벤카지노 and lost all of it. No matter how fortunate or skilled the player is, the operator has assured revenue. New themed slots are frequently printed in connection with movie or television releases, music releases, and sure holidays, so you can to|you presumably can} imagine how many of} alternate options are available. We've compiled a list of the most popular slot themes and the video games that symbolize them. Every slot sport has a theme, whether or not it is easy as|so easy as} a standard slot theme or as sophisticated as a movie-themed slot sport.

    ReplyDelete
  10. I would not recommend using any of the "dangerous" functions in JavaScript. They can cause unexpected results and can be difficult to debug. It is better to use safer functions that are well-documented and have been tested.
    Pay Someone To Take Online Class For Me

    ReplyDelete
  11. In my last essay, I discussed some of the problematic JavaScript methods.

    ReplyDelete
  12. It's a wonderfully motivational piece, and if any readers appreciate reading motivational and educational information, I've heard of a service called Best assignment help services in newcastle. Although it is an educational website, it also provides the best reading material.

    ReplyDelete
  13. Due to flaw from server side, attack is performed on main page. May be important page will damaged or loss important information. Many software is available that protect system from attacker.

    ReplyDelete
  14. JavaScript is a powerful programming language, and while it can be used to create powerful applications, it is important to be aware of the potential dangers of certain functions. It is important to understand what these dangerous functions are and how to use them safely.

    ReplyDelete
  15. JavaScript is a high-level, interpreted programming language primarily used for web development. It allows developers to create dynamic and interactive web applications by adding interactivity, behavior, and functionality to web pages. JavaScript is a client-side scripting language, which means it runs on the user's web browser and is executed on the user's computer, enabling it to interact with the web page in real-time without needing to communicate with the server.Iam a professional content writer and I have provide the best online ghostwriters for hire near me service to the students to secure a good marks at thier academic carrier.

    ReplyDelete
  16. wow, this is the nice and very imformative article and this is very helpful for developers and I will share this with my all developers friends.

    ReplyDelete
  17. Part 2 of "JavaScript Dangerous Functions" explores the realm of DOM-based Cross-Site Scripting (XSS), shedding light on the sophisticated vulnerabilities that can arise. In this ever-evolving digital landscape, understanding the intricacies of DOM-based XSS is essential for developers and security professionals alike. This insightful series delves into the depths of JavaScript, highlighting potential risks and providing valuable insights to fortify web applications against these threats. Stay informed and stay secure – a necessity in today's interconnected world where safeguarding data and user experiences is paramount.

    ReplyDelete
  18. Understanding JavaScript's risky functions is crucial, especially when developing web applications. Vulnerabilities like injection attacks can stem from these functions. Considering this, when seeking a Write My Dissertation Service, it's vital to choose one with a secure platform and skilled developers. Awareness of these dangers ensures safer online experiences for users and protects vital academic work.

    ReplyDelete
  19. I read your blog and try to learn new leanguage. JavaScript is programming language and I don't know, who to use JavaScript function. I have experience in 'college assignment help' in the UK.

    ReplyDelete
  20. Experience superior optics with our Professional binoculars, crafted for precision and clarity. Boasting an 80mm objective lens, these binoculars deliver exceptional light-gathering capabilities, ensuring vivid and detailed views even in low-light conditions. The advanced prism and lens coatings enhance image brightness and colour fidelity, providing a and immersive viewing experience.

    Designed for professionals who demand excellence, our binoculars combine durability with ergonomic design for extended use. Whether you're a wildlife enthusiast, outdoor adventurer, or sports spectator, trust our 80mm professional binoculars to elevate your viewing to new heights.

    ReplyDelete
  21. Insightful breakdown of DOM-Based XSS vulnerabilities and a practical guide on detection using BlueClosure BCDetect. The step-by-step analysis and exploitation demonstration provide valuable knowledge for web security enthusiasts.
    New York Divorce Laws Adultery

    ReplyDelete
  22. Understanding DOM Based Cross-Site Scripting (XSS) is crucial in enhancing web security. Unlike other XSS attacks, DOM XSS occurs when the attack payload manipulates the client-side environment in the victim's browser. To fortify your web applications against such vulnerabilities, consider integrating robust security measures, including thorough backend development services in the US, to ensure a secure and resilient online presence.





    ReplyDelete
  23. In "JavaScript Dangerous Functions (Part 2) - DOM Based XSS," we delve into the risks lurking in certain JavaScript functions. However, JavaScript itself remains an invaluable tool for web development, empowering dynamic and interactive user experiences.

    ReplyDelete
  24. Javascript dangerous functions DOM based XSS teaches us how to keep websites safe from harmful attacks. It's like how microsoft 365 services keep our data secure. By learning about these dangerous functions, we can make sure our websites are protected. Stay safe online by understanding these risks and using tools like microsoft 365 services to stay secure.

    ReplyDelete