Web9: XSS Exploits - Part 3: Dom Based XSS
We have mentioned about 2 types of XSS exploits, reflected and stored, they both have the common feature that dangerous pieces of code after being inserted will be executed after the server's response, which means that the error is on the side. server. There is another type of XSS exploit that goes against this feature, malicious code that is executed immediately upon client-side processing without going through the server, known as DOM Based XSS aka Type 0 XSS.
First of all we need to know what is DOM?
DOM stands for Document Object Model is a standard form of W3C (http://www.w3.org/DOM/) provided to access and manipulate data of structured documents such as HTML, XML. This model represents documents as a hierarchical tree structure. All elements in HTML, XML are considered as a node.
DOM Based XSS is a technique to exploit XSS based on changing the DOM structure of the document, specifically HTML.
Let's take a look at a specific example:
A website has the following URL to the registration page:
example.com/register.php?message=Please fill in the form
When we access it, we see a very normal Form:
It is easy to deduce the message parameter passed to the message body on the form, look closely at the source code of this message:
The JavaScript snippet is responsible for taking the value from the message parameter and printing it out. From this lax input checking, it is possible to trick users into accessing dangerous URLs.
Instead of casting:
message=Please fill in the form
then transmit:
message=GenderMaleFemale function show(){alert();}
Then the registration form will become like this:
The user will have no doubts with a 'normal' form like this, and when selecting the gender, the Script will be executed:
I'll explain a bit more about the value passed to the message parameter:
GenderMaleFemale function show(){alert();}
Its main purpose is to execute the show() function every time there is an onchage event on the select tag, the show() function here simply pops up a popup to show that the script has been executed. However, in practice, hackers will often use this show() function to execute a script that transfers the user cookie value to a predetermined server, readers can review the article Reflected XSS which mentions how hackers create How is this request?
This example gives us two important conclusions. First, the malicious code was executed as soon as the value in the select tag was clicked, ie executed on the client side without going through the server's response. Second, the HTML structure has been changed with the script passed in. And can also see the actual exploit scenario, DOM Based is somewhat similar to Reflected than Stored XSS when it has to trick users into accessing a URL that has embedded malicious code.
The following figure shows step-by-step implementation of the DOM Based XSS attack technique:
Good luck!
You should read it
- Protect yourself against IE security holes
- Exploding bank code
- Web6: SQL Injection - Some Exploit Tools
- Metasploit - Tool to exploit vulnerabilities
- Warning of phishing attacks based on fake Zoom meetings
- Millions of Android devices stick with security holes in firmware, hackers can exploit to lock users' machines
- Web3: SQL injection - Exploit directions
- Discover new Zero-Day vulnerabilities that target bugs in Windows 10 Task Scheduler
May be interested
- Top 5 blockchain-based storage platformsthe advent of blockchain-based storage technology creates solutions to these challenges, primarily stemming from the centralization of data storage.
- 7 best Linux distributions based on Red Hatred hat became the largest open source company in the world before it was acquired by ibm, and red hat enterprise linux was its main product.
- How to Run GUI-Based Applications in Dockerdocker is typically used for server-side and command-line applications. however, with the right setup, you can also run gui-based applications inside containers.
- Learn about Permission and Role Based Access Control - RBAC (part 1)in essence, microsoft exchange server 2010 has been improved and integrated with new role based access control - rbac, and this model has provided users with more ways to monitor and initialize like assigning rights to different admin accounts. and these assigned roles will respond
- Microsoft Windows Power Shell and SQL Server 2005 SMO - Part 4part i and part ii of this series showed simple power shell settings, smo and wmi cmdlets. part iii instructs writing powershell and connecting to sql server. part 4 will show you how to use powershell code to iterate file content and connect to other servers.
- 5 best Ubuntu-based Linux distributions of all timeubuntu, a debian-based linux operating system, has been around since 2004; since then, some great distributions based on ubuntu's source code have been created.
- How to change account password in Windows 11despite microsoft's efforts to push more users to use windows hello-based sign-in options, the old password-based login is still part of windows 11. and for a good reason.
- 7 Best Firefox-Based Web Browsersdid you know that there are also web browsers based on firefox and some of them are worth trying?
- How to Be Good at Artart is part craft, part creativity, and part business. to become a better artist, you need to both connect yourself to experts who can teach you advanced techniques, develop an original style, and figure out how to make the money necessary...
- Upgrade Windowsyou think windows is powerful and handy based solely on what microsoft offers? true but only in a very small part, because this 'glamorous' operating system always receives countless gifts and features