A Beginner Guide to DOM Based XSS
What is DOM?
DOM XSS stands for Document Object Model-based Cross-site Scripting. A DOM-based XSS attack is possible when the web application writes data to the DOM without proper sanitization. Its interface gives developers the ability to access the web application and manipulate it by executing operations. The attacker can manipulate the data to include XSS content on the web page. For example, malicious JavaScript code. The most popular objects used in XSS are document.url, document.location etc. DOM based XSS doesn’t come from the Server side. Now-a-days most of the sites are affected for DOM Based XSS vulnerability. Some big profile companies are also affected from DOM Based XSS.
Example for DOM based XSS Attack
Normally, Web page looks like the link attached below. http://www.vulnerable.site/welcome.html?name=Shiva The web page below has an XSS tag induced in it. http://www.vulnerable.site/welcome.html?name=<script>alert(document.cookie)</script>
After the XSS code is injected in the webpage, then it is easy to exploit using DOM based XSS to steal the cookies from the user browser and you can change the web application however you want.
Sources
- referrer
- URL
- location
- href
- search
- hash
Sinks
- eval
- setTimeout
- setInterval
- write
- innerHTML
Prevention:
🡪The main rule that you must do to prevent DOM XSS is sanitizing the untrusted data.
🡪DOM XSS attacks are hard to find from the server-side, because malicious links do not reach the server side. So, It occurs mainly on the client side.
🡪The only difference is that in the case of DOM XSS when compared to reflected/stored based XSS is, you must review and sanitize client-side code, not server-side code.
🡪Avoid using data received from the client-side for sensitive actions.
🡪Sanitize client-side code by checking DOM objects that pose a threat, for example, URL, location, and referrer. This is especially important if DOM can be modified.
🡪If you want to use user input on your webpage then use only “text” format, do use the HTML tags.
🡪Avoid using methods like document.innerHTML and document.textContent
🡪This type of user input will affect DOM elements in document.url and document.location.
🡪The application might be vulnerable for both reflected/stored XSS and DOM XSS.
🡪The given below link is find the DOM based XSS prevention cheat sheet.
https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html
Shiva Ram Krishna
Security Enthusiast, Constant Learner & Cyber Security Blogger