What Is DOM Based XSS

MRunal

Jul 25, 2019·3 min read

Index :

DOM Based XSS
JS Sources & Sinks
Analysis of interesting examples
DOMinator
Some stats

DOM Based XSS

JavaScript objects are loosely typed.

If we just want to pass an existence check we can substitute an iframe window for a normal object
OWASP DOM Based Xss: https://www.owasp.org/index.php/DOM_Based_XSS
DOMXss Wiki https://code.google.com/p/domxsswiki/wiki/Index

Code Flow & Terminology

Sources: the input data that can be directly or indirectly controlled by an attacker.
Filters: operations on Sources which change the content or check for specific structures/values.
Sinks: potentially dangerous functions the can be abused to take advantage of some kind of exploitation.

Input Sources

 Everything taken from the URL: document.URL document.URLUnencoded document.location (.pathname|.href|.search|.hash) window.location (.pathname|.href|.search|.hash)
The Referrer: document.referrer
The window name: window.name

Input Sources

Input Sources
document.cookie

HTML5 postMessagearg.data
window.dialogArguments(whenwindowisopenedwithwindow.showModalDialog)

CssDOM Injection getsensitive values

Css3 Attribute Selectorhttp://www.w3.org/TR/css3-selectors/#attribute-selectorsa[href=a] { … }
Css3 Attribute Substring Matchinghttp://www.w3.org/TR/css3-selectors/#attribute-substrings[att^=val]:Represents an element with the attattribute whose value begins with the prefix “val”.[att$=val]:Represents an element with the attattribute whose value ends with the suffix “val”.[att*=val]:Represents an element with the attattribute whose value contains at least one instance of the substring “val”

HTML 5

Cross Origin Request could be abused.varurl=“/profilePages”varxhr=new XMLHttpRequest();xhr.open(„GET‟,getQueryParam(„debugPage‟)||url,true);

Facebookissue #!/profileNamevarxhr=new XMLHttpRequest();xhr.open(„GET‟,location.hash.slice(2),true);Attacker just needs to add Access-Control-Allow-Origin: * to the response

Absolute URLs

ClassicsFilters–EncodingDifferences

Flow Control

Checks for opener, parent, topexistence can be fooled.

If(parent.frameMessage!=“sync”){addEventListener(“message”, function(d){document.write(‘..’+d.data+’…’)},true);} else{document.write(‘constantData’)}

Race Conditions –Time of Check to Time of Use.

If(window.name.match(/^[a-z]*=[0–9]*$/)){eval(window.name);}

BrowsersCountermeasures

3400 top site results in a number of :1Using the X-Content-Security-Policy with the following content

Methodology

Find the Sources using the following RegExp:

Find the Sinks using the following RegExp:(all Regexp© by Mario Heiderich)

Now you get the sources & sinks and finally you can follow the flow on code like the following.

Methodology … ?

Javascriptis not that easy to analyze!
Code can be Compressed (function (p,a,c,k,e,d){…..})()
Obsfuscatedc=„‟, eval(unescape(“%u0540%u0556%u054C%u0519%u054E%u0550%u0557%u0518”).split(‘’ ).map(function(a){ c+=String.fromCharCode((a.charCodeAt(0)¹³³⁷))}))
Or simply sla.ckers.ed:this.__parent__.[„l‟+0x6f+‟c‟+0x61+‟tion‟]

Possible Solutions

Static Analyzer:Pro: Very good at finding flows if well implemented. Very fast.Contra: the problems of every Static Analyzer: KB, reflection, runtime evaluation, lot of False Positives + False Negatives etc.

Script Injection to wrap sources and Sinks:Pro: use native interpreter so no problem with obfuscation/compressionContra: Cannot follow the flow.

Runtime Analysis with Dynamic Tainting:Pro: Uses native interpreter so no problem with obfuscation/compression, can follow the flow. Contra: doesn‟t look at alternative paths. Just propagates the taint flag. No tracking of operations. (mostly used for defense like on perltainting or php)

My Solution: DOMinator

DOMinator

DOMinator is a tool for analyzing and identifying DOM Xss.Modified version of SpiderMonkey(JS Engine) to add Dynamic Tainting and perform Taint propagation Tracing.
Modified version of Firefox to add taint propagation to DOM Attributes and chrome methods.
Extension for Log Monitoring and runtime analysis.