Web9: XSS Exploits - Part 3: Dom Based XSS

We have already covered two types of XSS, reflected and stored. They share a common trait: the injected malicious code is executed only after it comes back in the server's response, which means the flaw lies on the server side. A third type works differently: the malicious code is executed immediately during client-side processing, without passing through the server at all. This is DOM Based XSS, also known as Type 0 XSS.

First of all, we need to know what the DOM is.

DOM stands for Document Object Model, a W3C standard (http://www.w3.org/DOM/) for accessing and manipulating the data of structured documents such as HTML and XML. The model represents a document as a hierarchical tree; every element in an HTML or XML document is a node in that tree.

DOM Based XSS is an XSS technique that relies on changing the DOM structure of the document, specifically the HTML, on the client side: the page's own JavaScript reads attacker-controlled data (here, a URL parameter) and writes it into the page.

Let's take a look at a specific example:

A website has the following URL to the registration page:

example.com/register.php?message=Please fill in the form

When we open it, we see a perfectly normal form:

Web9: XSS Exploits - Part 3: Dom Based XSS Picture 1

It is easy to deduce that the message parameter is passed into the message shown on the form. Look closely at the source code behind that message:

Web9: XSS Exploits - Part 3: Dom Based XSS Picture 2

The JavaScript snippet reads the value of the message parameter from the URL and writes it into the page without any checking. Because of this lax input handling, a user can be tricked into visiting a crafted URL.

Instead of passing:

message=Please fill in the form

the attacker sends:

message=GenderMaleFemale function show(){alert();}

(The HTML tags of this payload were stripped when the page was rendered: it is a select element whose onchange handler calls show(), followed by a script block that defines show().)

The registration form then looks like this:

Web9: XSS Exploits - Part 3: Dom Based XSS Picture 3

The user has no reason to suspect a 'normal'-looking form like this, and as soon as they select a gender, the script is executed:

Web9: XSS Exploits - Part 3: Dom Based XSS Picture 4

A bit more about the value passed to the message parameter:

GenderMaleFemale function show(){alert();}

Its purpose is to execute the show() function every time an onchange event fires on the select tag. Here show() simply pops up an alert to prove that the script ran. In practice, however, an attacker would use show() to send the user's cookie value to a server they control; readers can review the Reflected XSS article, which explains how such a request is built.

This example leads to two important conclusions. First, the malicious code ran as soon as a value in the select tag was chosen, that is, entirely on the client side, without any server response being involved. Second, the HTML structure was changed by the script passed in. In terms of the exploit scenario, DOM Based XSS is closer to Reflected XSS than to Stored XSS, since the attacker still has to trick the user into visiting a URL with the malicious code embedded in it.
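The following is an added example, not code from the original article. It models the vulnerable pattern described above (the page script reads the message parameter from the URL and writes it into the page as HTML) next to the fix, and includes a crude check showing that the parameter has added markup to the page. The URLs, function names and the exact markup of the payload are assumptions, since the article's payload lost its HTML tags when the page was rendered; what is kept is the structure the article describes: a select element with an onchange handler calling show(), followed by a script defining show().

```javascript
// Added example, not the article's code. Constructed sample URLs modelled on
// the article's example.com/register.php?message=... (assumption).
const BENIGN_URL =
  "http://example.com/register.php?message=Please%20fill%20in%20the%20form";

// Assumed shape of the article's payload: a <select> whose onchange handler
// calls show(), followed by a <script> block that defines show().
const PAYLOAD =
  '<select onchange="show()"><option>Gender</option>' +
  "<option>Male</option><option>Female</option></select>" +
  "<script>function show(){alert();}</script>";
const MALICIOUS_URL =
  "http://example.com/register.php?message=" + encodeURIComponent(PAYLOAD);

// Source: the attacker-controlled value comes straight from the URL. The
// browser decodes it, so the payload arrives exactly as the attacker wrote it.
function getMessageParam(url) {
  return new URL(url).searchParams.get("message") || "";
}

// Vulnerable sink. Returns the string the page script would assign to
// document.getElementById("message").innerHTML: any tags in the parameter are
// parsed as markup, so attacker input changes the DOM tree.
function renderMessageVulnerable(url) {
  return '<p class="message">' + getMessageParam(url) + "</p>";
}

// Fix: escape the value before interpolating it into HTML. In a browser the
// simplest equivalent is
//   el.textContent = getMessageParam(location.href);
// which never parses the value as HTML at all.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderMessageSafe(url) {
  return '<p class="message">' + escapeHtml(getMessageParam(url)) + "</p>";
}

// Crude check for the demo: count opening tags in the rendered HTML. The
// template contributes exactly one (<p>); anything beyond that came from the
// message parameter. This is an illustration, not a real XSS detector.
function countOpeningTags(html) {
  return (html.match(/<[a-z]/gi) || []).length;
}

function injectedMarkup(html) {
  return countOpeningTags(html) > 1;
}

// Stand-alone demo output.
console.log("vulnerable, benign URL:   ", renderMessageVulnerable(BENIGN_URL));
console.log("vulnerable, malicious URL:", renderMessageVulnerable(MALICIOUS_URL));
console.log("  markup injected?", injectedMarkup(renderMessageVulnerable(MALICIOUS_URL)));
console.log("safe, malicious URL:      ", renderMessageSafe(MALICIOUS_URL));
console.log("  markup injected?", injectedMarkup(renderMessageSafe(MALICIOUS_URL)));
```

Two points worth keeping in mind. The alert() in the payload is only a proof of execution; the same onchange handler could just as easily send document.cookie to an attacker's server. And because the page's own script is the one that reads and writes the value, the server never has to echo it: if the script read location.hash instead of the query string, the payload after the # would never even be sent to the server, so server-side filters and logs would not see it. The fix therefore has to live in the client-side code, at the point where untrusted data is written into the DOM.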

The following figure shows the DOM Based XSS attack step by step:

Web9: XSS Exploits - Part 3: Dom Based XSS Picture 5

Good luck!
