Robert ‘rsnake’ Hensen is considered as Guru of XSS. Let’s learn advance DOM based attack from his own book “XSS attacks: cross-site scripting exploits and defense”
Preview of his book is available at http://books.google.com/books?id=Imt5Crr0jJcC
|Fig 1.2||Fig 1.2|
To make the user experience a bit more dynamicity, the title value of the URL’s can be updated on the fly to include different impulse-buy text
<script> var url = window.location.href; var pos = url.indexOf("title=") + 6; var len = url.length; var title_string = url.substring(pos,len); document.write(unescape(title_string)); </script>
Persistent (or HTML Injection) XSS attacks most often occur in either community contentdriven Web sites or Web mail sites, and do not require specially crafted links for execution.A hacker merely submits XSS exploit code to an area of a Web site that is likely to be visited by other users.These areas could be blog comments, user reviews, message board posts, chat rooms, HTML e-mail, wikis, and numerous other locations. Once a user visits the infected Web page, the execution is automatic.This makes persistent XSS much more dangerous than non-persistent or DOM-based, because the user has no means of defending himself. Once a hacker has his exploit code in place, he’ll again advertise the URL to the infected Web page, hoping to snare unsuspecting users. Even users who are wise to non-persistent XSS URLs can be easily compromised.
DOM-based XSS In Detail
DOM is a World Wide Web Consortium (W3C) specification, which defines the object model for representing XML and HTML structures. In the eXtensible Markup Language (XML) world, there are mainly two types of parsers, DOM and SAX. SAX is a parsing mechanism, which is significantly faster and less memory-intensive but also not very intuitive, because it is not easy to go back to the document nodes (i.e. the parsing mechanism is one way). On the other hand, DOM-based parsers load the entire document as an object structure, which contains methods and variables to easily move around the document and modify nodes, values, and attributes on the fly.
Here is a simple example of a DOM-base XSS provided by Amit Klein in his paper “Dom Based Cross Site Scripting or XSS of the Third Kind”:
<HTML> <TITLE>Welcome!</TITLE> Hi <SCRIPT> var pos=document.URL.indexOf(“name=”)+5; document.write(document.URL.substring(pos,document.URL.length)); </SCRIPT> <BR> Welcome to our system … </HTML>
If we analyze the code of the example, you will see that the developer has forgotten to sanitize the value of the “name” get parameter, which is subsequently written inside the document as soon as it is retrieved. In the following section, we study a few more DOM based XSS examples based on a fictitious application that we created.
Identifying DOM-based XSS Vulnerabilities
First, we have to create a page on the local system that contains the following code:
|Fig 1.3||Fig 1.4|
Once the page is loaded, enter your name and press the Chat button.This example is limited in that you cannot communicate with other users.We deliberately simplified the application so that we can concentrate on the actual vulnerability rather than the application design. Figure 1.4 shows the AJAX application in action.
** jQuery is a useful AJAX library created by John Resig. jQuery significantly simplifies AJAX development, and makes it easy for developers to code in a cross-browser manner.**
$(this).html('<p>Welcome ' + name + '! You can type your message into the form below.</p><textarea class="pane">' + name + ' > </textarea>');
As seen, the application composes a HTML string via JQuery’s HTML function.The html function modifies the content of the selected element.This string includes the data from the nickname input field. In our case, the input’s value is “Bob.” However, because the application fails to sanitize the name, we can virtually input any other type of HTML, even script elements, as shown on Figure 1.5
|Fig 1.5||Fig 1.6|
If you press the Chat button, you will inject the malicious payload into the DOM.This payload composes a string that looks like the following:
<p>Welcome <script>alert('xss')</script>! You can type your message into the form below.</p><textarea class="pane"><script>alert('xss') </script> > </textarea>
This is known as non-persistent DOM-based XSS. Figure 1.6 shows the output of the exploit.
Credits : Rsnake, Article already published in Rsnake's Book