DOM BASED XSS AND DETECTION
Page 1: Dom based xss

DOM BASED XSS AND DETECTION

Page 2: Dom based xss

CONTENT

About DOM Based XSS.
  • What is DOM?
  • What is XSS?
  • DOM Based XSS?

How DOM Based XSS works?

DOM Based XSS detection.
  • General analysis.
  • PhantomJS.
  • Tainted PhantomJS.

Page 3: Dom based xss

ABOUT DOM BASED XSS

Page 4: Dom based xss

ABOUT DOM BASED XSS: WHAT IS DOM??

Definition: the DOM is a platform- and language-neutral interface that allows programs and scripts to dynamically access and update the content, structure and style of documents (World Wide Web Consortium (W3C)).

Page 5: Dom based xss

ABOUT DOM BASED XSS: WHAT IS DOM??

Definition of HTML DOM: The HTML DOM is a standard object model and programming interface for HTML. It defines:

  • The HTML elements as objects
  • The properties of all HTML elements
  • The methods to access all HTML elements
  • The events for all HTML elements.

When a web page is loaded, the browser creates a Document Object Model of the page.

Page 6: Dom based xss

ABOUT DOM BASED XSS: WHAT IS DOM??

The HTML DOM model is constructed as a tree of objects (the slide shows the tree diagram).

The HTML DOM is a standard for how to get, change, add, or delete HTML elements. With the object model, JavaScript gets all the power it needs to create dynamic HTML.

Page 7: Dom based xss

ABOUT DOM BASED XSS: WHAT IS XSS??

Original definition: vulnerability wherein one sends malicious data (typically HTML stuff with JavaScript code in it) that is echoed back later by the application in an HTML context of some sort, and the JavaScript code gets executed.

Page 8: Dom based xss

ABOUT DOM BASED XSS: WHAT IS XSS??

Original definition: vulnerability wherein one sends malicious data (typically HTML stuff with JavaScript code in it) that is echoed back later by the application in an HTML context of some sort, and the JavaScript code gets executed.

This definition fits Stored XSS / Reflected XSS (Persistent XSS / Non-Persistent XSS) exactly.

Page 9: Dom based xss

ABOUT DOM BASED XSS: WHAT IS XSS??

Persistent/ Stored XSS: the payload is stored by the system, and may later be embedded by the vulnerable system in an HTML page provided to a victim.

Page 10: Dom based xss

ABOUT DOM BASED XSS: WHAT IS XSS??

Non-persistent/ Reflected XSS: the malicious (JavaScript) payload is echoed by the server in an immediate response to an HTTP request from the victim.

Page 11: Dom based xss

ABOUT DOM BASED XSS: DOM BASED XSS??

DOM Based XSS: an XSS attack wherein the attack payload is executed as a result of modifying the DOM "environment" in the victim's browser used by the original client side script, so that the client side code runs in an "unexpected" manner.

Page 12: Dom based xss

How DOM Based XSS works??

Page 13: Dom based xss

HOW DOM BASED XSS WORKS??

The prerequisite: we must have an HTML page that uses data from document.location, document.URL or document.referrer (or any of various other objects which the attacker can influence) in an insecure manner.

Page 14: Dom based xss

HOW DOM BASED XSS WORKS??

LET'S MAKE AN EXAMPLE!

Imagine we have an HTML page http://www.vulnerable.site/welcome.html with the following content:

```html
<HTML><TITLE>Welcome!</TITLE>Hi<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos, document.URL.length));
</SCRIPT><BR>Welcome to our system…
</HTML>
```

Normal use:

http://www.vulnerable.site/welcome.html?name=Joe

Attack:

http://www.vulnerable.site/welcome.html?name=<script>alert(document.cookie)</script>
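The welcome.html logic above, pulled out into plain functions so it can be run under Node without a browser, is an added example and not code from the original slides. The `url` argument stands in for `document.URL`, passed in as a plain string exactly as the slide treats it; the hardened `safeGreeting` and the `requestTarget` helper are my own additions. `requestTarget` shows the point the detection slides make about the fragment: only path and query are sent to the server, so a payload placed after `#` never appears in server-side logs.

```javascript
// Added example (not from the slides): welcome.html logic as pure functions.
// `url` stands in for document.URL; the return value stands in for what
// document.write() would inject into the page.

// Vulnerable version, mirroring the slide: everything after "name=" is written
// verbatim into the document, so HTML in the URL becomes live markup.
function vulnerableGreeting(url) {
  var pos = url.indexOf("name=") + 5;
  return url.substring(pos, url.length);
}

// Minimal HTML encoder for values that must land in an HTML text context.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, function (c) {
    return { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c];
  });
}

// Hardened version (my own): parse the query instead of string-slicing, then
// HTML-encode before the value reaches an HTML context. searchParams does not
// include the fragment, so a payload hidden after "#" is simply not found.
// In a real page, assigning to textContent instead of using document.write
// avoids the need to encode at all.
function safeGreeting(url) {
  var name = new URL(url).searchParams.get("name");
  return name === null ? "" : escapeHtml(name);
}

// What the browser actually puts on the wire for this URL: path and query.
// The fragment stays in the browser, which is why a payload after "#" never
// shows up in server logs or in front of a server-side filter.
function requestTarget(url) {
  var u = new URL(url);
  return u.pathname + u.search;
}

// Crude oracle used below: does the injected text still contain a script tag?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}
```

Running `vulnerableGreeting` and `safeGreeting` on the two slide URLs (and on the fragment variant) side by side shows the difference: the vulnerable version returns the raw `<script>` element for both `?name=` and `#name=`, the hardened version returns the encoded text for the query form and an empty string for the fragment form.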

Page 15: Dom based xss

HOW DOM BASED XSS WORKS??

Let’s See Why!

Page 16: Dom based xss

HOW DOM BASED XSS WORKS??

ANOTHER EXAMPLE!

Imagine we have an HTML page with the following content:

```html
<label id="searchLbl" for="search">Search</label>
<input id="search" autocomplete="off"/>
<div id="results"></div>
<script>
document.getElementById('search').addEventListener('keypress', function(e) {
  var code = e.keyCode || e.which;
  if (code === 13) {
    document.getElementById('results').innerHTML =
      document.getElementById('search').value;
  }
});
</script>
```

Page 17: Dom based xss

DOM BASED XSS DETECTION

Page 18: Dom based xss

DOM BASED XSS DETECTION: GENERAL ANALYSIS

Consider the following attack:

http://www.vulnerable.site/welcome.html#name=<script>alert(document.cookie)</script>

The payload is carried in the URL fragment (the part after `#`).
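A first, general analysis of a page is to look for a source the attacker controls (document.URL, location, document.referrer, window.name) flowing into a sink that interprets a string as HTML or code (document.write, innerHTML, eval). The small static scanner below is an added example, not code from the slides or from any of the tools they mention; the source and sink lists are my own selection, and the three sample pages are constructed from the two slide snippets plus a safe rewrite. It is a triage aid, not proof: a source and a sink in the same script is a lead for manual review or for a taint-tracking browser such as the Tainted PhantomJS described later.

```javascript
// Added example (not from the slides): regex-based source/sink triage for
// DOM based XSS. Pattern lists are my own choice and deliberately short.

const SOURCE_PATTERNS = [
  /\bdocument\.(?:URL|documentURI|referrer|baseURI)\b/g,
  /\b(?:document\.|window\.)?location(?:\.(?:hash|search|href|pathname))?\b/g,
  /\bwindow\.name\b/g,
];

const SINK_PATTERNS = [
  /\bdocument\.write(?:ln)?\s*\(/g,
  /\.(?:innerHTML|outerHTML)\s*=(?!=)/g,     // assignment only, not == / ===
  /\binsertAdjacentHTML\s*\(/g,
  /\b(?:eval|setTimeout|setInterval|Function)\s*\(/g, // string-to-code sinks
];

// Collect the distinct matches of a pattern list, whitespace removed so that
// "document.write (" and "document.write(" count as the same sink.
function collect(text, patterns) {
  const found = new Set();
  for (const re of patterns) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(text)) !== null) found.add(m[0].replace(/\s+/g, ""));
  }
  return [...found].sort();
}

// "high": a source and a sink are both present; "medium": a sink is present
// but no recognised source (the input may still come from somewhere else,
// e.g. a form field); "none": nothing to review.
function scanForDomXss(scriptText) {
  const sources = collect(scriptText, SOURCE_PATTERNS);
  const sinks = collect(scriptText, SINK_PATTERNS);
  let risk = "none";
  if (sinks.length > 0) risk = sources.length > 0 ? "high" : "medium";
  return { sources, sinks, risk };
}

// Constructed inputs: the two snippets from the slides and a safe rewrite.
const WELCOME_PAGE = `<HTML><TITLE>Welcome!</TITLE>Hi<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write (document.URL.substring(pos, document.URL.length));
</SCRIPT><BR>Welcome to our system...
</HTML>`;

const SEARCH_PAGE = `<input id="search"/><div id="results"></div><script>
document.getElementById('search').addEventListener('keypress', function(e) {
  var code = e.keyCode || e.which;
  if (code === 13) {
    document.getElementById('results').innerHTML =
      document.getElementById('search').value;
  }
});</script>`;

// Same data flow as the welcome page, but textContent is not an HTML sink.
const SAFE_PAGE = `<div id="results"></div><script>
document.getElementById('results').textContent = location.hash.slice(1);
</script>`;

for (const [name, page] of [["welcome", WELCOME_PAGE], ["search", SEARCH_PAGE], ["safe", SAFE_PAGE]]) {
  console.log(name, JSON.stringify(scanForDomXss(page)));
}
```

The welcome page scores "high" (document.URL into document.write), the search page "medium" (innerHTML sink, but the value comes from an input element the pattern list does not treat as a source), and the safe rewrite "none" even though it reads location.hash, because a source without a sink is not a finding.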

Page 19: Dom based xss

DOM BASED XSS DETECTION: PHANTOMJS

=> PhantomJS is a browser, but a headless one.

PhantomJS is a headless WebKit scriptable with a JavaScript API. WebKit is the layout engine designed to allow web browsers to render web pages. Chrome, Safari and a couple of other browsers also use WebKit.

Page 20: Dom based xss

DOM BASED XSS DETECTION: PHANTOMJS

  • Headless web testing: lightning-fast testing without the browser.
  • Page automation: access and manipulate web pages with the standard DOM API, or with usual libraries like jQuery.
  • Screen capture: programmatically capture web contents, including CSS, SVG and Canvas.
  • Network monitoring: automate performance analysis, track page loading and export as standard HAR format.

Page 21: Dom based xss

DOM BASED XSS DETECTION: TAINTED PHANTOMJS

Tainted PhantomJS (by Nera Liu): a scriptable tool for DOM-based XSS detection. It is built on the open source PhantomJS by modifying the JavaScriptCore and WebKit engines to carry a taint signal, so that attacker-influenced data can be followed from source to sink.


Page 24: Dom based xss

THANKS FOR WATCHING. THE END