2. CONTENT
About DOM Based XSS.
• What is DOM??
• What is XSS??
• DOM Based XSS??
How DOM Based XSS works??
DOM Based XSS detection.
• General analysis.
• PhantomJS.
• Tainted PhantomJS
4. ABOUT DOM BASED XSS: WHAT IS DOM??
Definition: is a platform- and language-neutral
interface that will allow programs and scripts to
dynamically access and update the content, structure
and style of documents (As World Wide Web
Consortium (W3C))
5. ABOUT DOM BASED XSS: WHAT IS DOM??
Definition of HTML DOM: The HTML DOM is a standard object model
and programming interface for HTML. It defines:
• The HTML elements as objects
• The properties of all HTML elements
• The methods to access all HTML elements
• The events for all HTML elements.
When a web page is loaded, the browser creates a Document Object
Model of the page.
6. ABOUT DOM BASED XSS: WHAT IS DOM??
The HTML DOM model is constructed as a tree of Objects:
The HTML DOM is a
standard for how to get,
change, add, or delete
HTML elements. With the
object model, JavaScript
gets all the power it
needs to create dynamic
HTML.
7. ABOUT DOM BASED XSS: WHAT IS XSS??
Original definition: vulnerability wherein one sends malicious
data (typically HTML stuff with JavaScript code in it) that is
echoed back later by the application in an HTML context of
some sort, and the JavaScript code gets executed.
8. ABOUT DOM BASED XSS: WHAT IS XSS??
Original definition: vulnerability wherein one sends malicious
data (typically HTML stuff with JavaScript code in it) that is
echoed back later by the application in an HTML context of
some sort, and the JavaScript code gets executed.
9. ABOUT DOM BASED XSS: WHAT IS XSS??
Persistent/ Stored XSS:
the payload is stored by
the system, and may later
be embedded by the
vulnerable system in an
HTML page provided to a
victim.
10. ABOUT DOM BASED XSS: WHAT IS XSS??
Non-persistent/
Reflected XSS: the
malicious
(JavaScript)
payload is echoed
by the server in an
immediate
response to an
HTTP request from
the victim.
11. ABOUT DOM BASED XSS: DOM BASED
XSS??
DOM Based XSS: an XSS attack wherein the attack payload is
executed as a result of modifying the DOM “environment” in
the victim’s browser used by the original client side script, so
that the client side code runs in an “unexpected” manner.
13. HOW DOM BASED XSS WORKS??
The prerequisite : we must have an HTML page that uses
data from the document.location or document.URL or
document.referrer (or any various other objects which the
attacker can influence in an insecure manner).
14. HOW DOM BASED XSS WORKS??
LET’S MAKE AN
EXAMPLE!
Imagine we have an HTML
page
http://www.vulnerable.site/
welcome.html
with the content here
<HTML>
<TITLE>Welcome!</TITLE>
Hi
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write (document.URL.substring
(pos, document.URL.length));
</SCRIPT>
<BR>
Welcome to our system
…
</HTML>
16. HOW DOM BASED XSS WORKS??
ANOTHER
EXAMPLE!
Imagine we have an
HTML page with that
content
<label id="searchLbl" for="search">Search</label>
<input id="search" autocomplete="off"/>
<div id="results"></div>
<script>
document.getElementById('search').addEventListener('key
press', function(e) {
var code = e.keyCode || e.which;
if (code === 13) {
document.getElementById('results').innerHTML =
document.getElementById('search').value;
}
});
</script>
19. DOM BASED XSS DETECTION: PHANTOMJS
=> PhantomJS is a browser but a headless browser.
PhantomJS is a headless WebKit scriptable with a JavaScript API.
WebKit is the layout engine that designed to allow web
browsers to render web pages. Chrome, Safari and a couple of
other browsers also use WebKit.
20. DOM BASED XSS DETECTION: PHANTOMJS
Headless web testing: lightning-fast testing without the browser.
Page automation. Access and manipulate web pages with the
standard DOM API, or with usual libraries like jQuery.
Screen capture. Programmatically capture web contents,
including CSs, SVG and Canvas.
Network monitoring. Automate performance analysis, track page
loading and export as standard HAR format.
21. DOM BASED XSS DETECTION: TAINTED
PHANTOMJS
Tainted PhantomJS (by Nera Liu): the scriptable tool for
DOM-based XSS detection. It is built based on the open
source PhantomJS by hacking the JavaScriptCore and
WebKit engine with the tainted signal.
World Wide Web Consortium (W3C), is a group development of standards for the World Wide Web , which internet browsers and web developers will follow.Môhìnhnàythểhiệntàiliệudướidạngcấutrúccâyphâncấp. Tấtcảcácthànhphầntrong HTML, XML đềuđượcxemnhưmột node). Thaotácdữliệu (manipulate data): thêm, xóa, sửadữliệu.
Kỹ thuật XSS được thực hiện dựa trên việc chèn các đoạn script nguy hiểm vào trong source code ứng dụng web. Nhằm thực thi các đoạn mã độc Javascript để thựchiện ý đồxấu.
third kind of XSS attacks - the ones that do not rely on sending the malicious data to the server in the first place!
It is not uncommon to find an application HTML page containing Javascript code that parses (phângiải)the URL line (by accessing document.URL or document.location) and performs some client side logic according to it. The below is an example to such logic.
(static!) HTML page. The victim’s browser then starts parsing this HTML into DOM. When the parser arrives to the Javascript code, it executes it and it modifies the raw HTML of the page. In this case, the code references document.URL, and so, a part of this string is embedded at parsing time in the HTML, which is then immediately parsed and the Javascript code found (alert(…)) is executed in the context of the same page, hence the XSS condition.
NOTE: This exploit only works if the browser does not modify the URL characters. Mozilla automatically encodes < and > (into %3C and %3E, respectively) in the document.URL when the URL is not directly typed at the address bar, and therefore it is not vulnerable to the attack as shown in the example. It is vulnerable to attacks if < and > are not needed (in raw form). Microsoft Internet Explorer 6.0 does not encode < and >, and is therefore vulnerable to the attack as-is. Of course, embedding in the HTML directly is just one attack mount point, there are various scenarios that do not require < and >, and therefore Mozilla in general is not immune from this attack.<div onmouseover="javascript:alert('failed!')">XSS Test</div>
In the above example, it may be argued that still, the payload did arrive to the server (in the query part of the HTTP request), and so it can be detected just like any other XSS attack. But even that can be taken care of. The string beyond # sign is a fragment, not part of an actual query, that is not sent to server. Therefore, the server will get only a query string without the malicious part of the input data. As a resuilt, many strong XSS filters at server-side do not even recognize such attacks. Since most of detectors and firewalls ignore client-side pages, they are inherently not able to detect DOM-based XSS. To handle DOM-based XSS, we need to concentrate on client-side HTML pages rather than server-side pages.
Headless browser (that is, a browser that runs without a GUI, allowing you to navigate the web and interact with web pages from your terminal). Engine trìnhduyệt
Various test frameworks such as Jasmine, Capybara, QUnit, Mocha, WebDriver and many others are supported.