Cross-site Scripting (XSS) - English: Click
Definition
DOM Based XSS (or as it is called in some texts, type-0 XSS) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM environment in the victims browser used by the original client side script, so that the client side code runs in an unexpected manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.
This is in contrast to other XSS attacks (stored or reflected), wherein the attack payload is placed in the response page (due to a server side flaw).
Example
Suppose the following code is used to create a form to let the user choose his/her preferred language. A default language is also provided in the query string, as the parameter default.
The page is invoked with a URL such as:
A DOM Based XSS attack against this page can be accomplished by sending the following URL to a victim:
When the victim clicks on this link, the browser sends a request for:
to www.some.site. The server responds with the page containing the above Javascript code. The browser creates a DOM object for the page, in which the docu ment.loca tion object contains the string:
The original Javascript code in the page does not expect the default parameter to contain HTML markup, and as such it simply echoes it into the page (DOM) at runtime. The browser then renders the resulting page and executes the attackers script:
Note that the HTTP response sent from the server does not contain the attackers payload. This payload manifests itself at the client-side script at runtime, when a flawed script accesses the DOM variable docu ment.loca tion and assumes it is not malicious.
Advanced Techniques and Derivatives
In the example above, while the payload was not embedded by the server in the HTTP response, it still arrived at the server as part of an HTTP request, and thus the attack could be detected at the server side.
The technique to above sending the payload to the server hinges on the fact that URI fragments (the part in the URI after the #) is not sent to the server by the browser. Thus, any client side code that references, say, docu ment.loca tion, may be vulnerable to an attack which uses fragments, and in such case the payload is never sent to the server. For example, the above DOM based XSS can be modified into:
which mounts the same attack without it being seen by the server (which will simply see a request for page.html without any URL parameters).
Since the Javascript is executed in the context (DOM) of the current site, all an attacker needed to exploit this flaw was to simply find a PDF link somewhere on the site for the XSS condition to be met. If the attacker then tricked a user into clicking on (or submitting) a link like:
then a victim using an un-patched Acrobat reader would succumb to the attack. Adobe patched their reader after they were made aware of this flaw, but if not all users have downloaded the patch then those users are still vulnerable to this type of attack.
Source: OWASP
Definition
DOM Based XSS (or as it is called in some texts, type-0 XSS) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM environment in the victims browser used by the original client side script, so that the client side code runs in an unexpected manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.
This is in contrast to other XSS attacks (stored or reflected), wherein the attack payload is placed in the response page (due to a server side flaw).
Example
Suppose the following code is used to create a form to let the user choose his/her preferred language. A default language is also provided in the query string, as the parameter default.
Kod:
Select your language:
<select><script>
docu ment.write("<OPTION value=1>"+docu ment.loca tion.href.substring(docu ment.loca tion.href.indexOf("default=")+8)+"</OPTION>");
docu ment.write("<OPTION value=2>English</OPTION>");
</script></select>
Kod:
http://www.some.site/page.html?default=French
Kod:
http://www.some.site/page.html?default=<script>alert(docu ment.cookie)</script>
Kod:
/page.html?default=<script>alert(docu ment.cookie)</script>
Kod:
http://www.some.site/page.html?default=<script>alert(docu ment.cookie)</script>
Kod:
alert(docu ment.cookie)
Note that the HTTP response sent from the server does not contain the attackers payload. This payload manifests itself at the client-side script at runtime, when a flawed script accesses the DOM variable docu ment.loca tion and assumes it is not malicious.
Advanced Techniques and Derivatives
In the example above, while the payload was not embedded by the server in the HTTP response, it still arrived at the server as part of an HTTP request, and thus the attack could be detected at the server side.
The technique to above sending the payload to the server hinges on the fact that URI fragments (the part in the URI after the #) is not sent to the server by the browser. Thus, any client side code that references, say, docu ment.loca tion, may be vulnerable to an attack which uses fragments, and in such case the payload is never sent to the server. For example, the above DOM based XSS can be modified into:
Kod:
http://www.some.site/page.html#default=<script>alert(docu ment.cookie)</script>
which mounts the same attack without it being seen by the server (which will simply see a request for page.html without any URL parameters).
Since the Javascript is executed in the context (DOM) of the current site, all an attacker needed to exploit this flaw was to simply find a PDF link somewhere on the site for the XSS condition to be met. If the attacker then tricked a user into clicking on (or submitting) a link like:
Kod:
http://www.some.site/somefile.pdf#somename=javascript:attackers_script_here
Source: OWASP