Documentation - DOM-Based XSS

Cross Site Scripting, or XSS, is the most present vulnerability on the web, by far. It is referred to by many names, among which “Golden Book vulnerability”, simply because these have allowed a generalization of these vulnerabilities. The XSS flaw is characterized by a possible injection of arbitrary code into the HTML code that will be rendered to the browser. In other words, the attacker will be able to modify an aspect of the site or to inject scripts in what the victim will then see on the screen.

Prerequisites

To understand the whole article, you will need:

• Know HTML
• Know the basics of Javascript
• Know what an XSS is

What is DOM?

The Document Object Model (DOM) is a programming interface standardized by the W3C, which allows scripts to examine and modify the content of the web browser. The DOM can be used to change the color of text when a button is clicked, or to make certain parts of the page visible or invisible depending on user actions.

The DOM is represented by the variable document.

Definition

A DOM-based XSS occurs when user input is placed directly into the JavaScript code of a page. This injection is therefore done without using HTML tags.

Exploitation

Let’s take for example a page that gets the user input and multiplies it by 10.

Here is the code of the page:

<script>
var number = <entrée utilisateur>;

var result = number * 10;

console.log('The result is ' + result);
</script>

Here the variable “number” stores the user input which will be multiplied by 10 afterward. The problem with this script is that if we enter something other than a number, for example hello, we will get the error {{undefined}} in the console. This means that our input is interpreted as JavaScript code.

On peut donc entrer une fonction qui sera appelée par la variable, par exemple alert(1) ou des payloads plus complexes. À partir de là on peut facilement faire une redirection et voler les cookies d’autres utilisateurs. :)

Small tips for DOM-based XSS

Look at the rendering of your input on the source code.

On this kind of flaw, we have the possibility to visualize our actions and the repercussions they have. For example, check that quotation marks have been dropped.

Look at the errors displayed by your browser’s console.

Errors allow us to understand many things about the code, and often in this kind of XSS errors are a good sign! It means that we managed to make the site do things that were not initially planned. Looking at the errors is therefore essential.

References

• https://portswigger.net/web-security/cross-site-scripting
• https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
• https://owasp.org/www-community/attacks/DOM_Based_XSS