DOM based XSS


DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.

Severity

medium

Impact

Taking actions on the user's behalf through the modified client-side JavaScript, which runs in the victim's authenticated session.

Examples

  • Account takeover
  • Reading sensitive data
  • Forging malicious requests

Types of DOM-based XSS:

  1. URL to JS:

    • Untrusted functions (JS):

      1- eval()
      2- Function()
      3- setTimeout()
      4- setInterval()

  2. URL to JS to HTML:

    • Untrusted functions (JS):

      1- setAttribute("src", payload)
      2- setAttribute("href", payload)
      3- document.write()

    • Untrusted functions (jQuery):

      1- attr("src", payload)
      2- attr("href", payload)
      3- html()
      4- append()
      5- after()
      6- replaceWith()
      7- before()
      8- insertAfter()
      9- insertBefore()
      10- wrap()
      11- appendTo()
      12- wrapAll()
      13- wrapInner()
      14- replaceAll()
      15- prop()
      16- prependTo()
      17- prepend()
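The first class in the list above ("URL to JS") is the one where a string taken from the URL reaches eval(), Function(), setTimeout() or setInterval() and is executed as code. The fix is not to filter the string but to never hand URL-derived text to a code-executing sink at all: the URL may only select one of a fixed set of handlers the page already defines. The following is an added example written for this page, not code from the original; the "view" parameter and the handler names are hypothetical.

```javascript
// Added example (not from the original page): hardening the "URL to JS"
// sink class. The "view" fragment parameter and the handler names are
// hypothetical.

// Vulnerable shape, shown as a comment only: the string taken from the
// fragment is executed as code, so #view=alert(document.cookie) would run
// in the page.
//
//   var view = new URLSearchParams(location.hash.slice(1)).get('view');
//   setTimeout(view, 0);        // or eval(view) / new Function(view)()

// Hardened shape: a fixed dispatch table. No string from the URL is ever
// evaluated; it can only pick an entry that already exists here.
const HANDLERS = Object.freeze({
  account: () => 'rendered account view',
  orders: () => 'rendered orders view',
});

// Resolve a handler name to a function, falling back to a safe default.
function selectHandler(name) {
  // hasOwnProperty matters: HANDLERS["constructor"] or HANDLERS["__proto__"]
  // would resolve through the prototype chain (and "constructor" is even
  // callable), so a plain `HANDLERS[name]` lookup is not a true allowlist.
  if (typeof name === 'string' &&
      Object.prototype.hasOwnProperty.call(HANDLERS, name)) {
    return HANDLERS[name];
  }
  return HANDLERS.account; // default for missing or unknown names
}

// `fragment` is the part of the URL after '#', e.g. "view=orders&x=1".
// In a page you would call this with location.hash.slice(1).
function dispatchFromFragment(fragment) {
  const name = new URLSearchParams(fragment).get('view');
  return selectHandler(name)();
}
```

The same pattern applies to setTimeout() and setInterval(): pass a function reference chosen from a table, never a string, and the sink can no longer be reached by data from the URL.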


How does it work?

The attacker sends the victim a URL whose fragment (the part after '#') carries the payload. The fragment is never sent to the server, so the HTTP response is unchanged; only the client-side code that reads it behaves differently.

Let's look at the vulnerable page:

<!DOCTYPE html>
<a id="a" href>click</a>
<script>
// Source: read key=value pairs from the URL fragment (everything after '#').
function getHashes() {
    var aURL = window.location.href;
    var vars = {};
    var hashes = aURL.slice(aURL.indexOf('#') + 1).split('&');
    for (var i = 0; i < hashes.length; i++) {
        var hash = hashes[i].split('=');
        if (hash.length > 1) {
            vars[hash[0]] = hash[1];
        } else {
            vars[hash[0]] = null;
        }
    }
    return vars;
}

// Sink: the untrusted "url" value is written straight into the href
// attribute without any check on its scheme (this is the DOM XSS).
var hashes = getHashes(), redirect;
if (hashes["url"]) {
    redirect = hashes["url"];
    document.getElementById('a').setAttribute("href", redirect);
}
</script>

Walkthrough

In this scenario the page takes the value of the url parameter from the fragment and writes it, unchecked, into the href attribute of the link; the attacker therefore controls where (and to which scheme) the link points.

Exploitation

If the attacker sends a URL containing malicious JS to the victim, it will run in the victim's browser when the link is clicked; for example, a URL that triggers the XSS looks like file:///root/Desktop/dom.html#url=javascript:alert(1);

Note: this page is hosted locally, which is why the example uses a file:// URL.
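As an added example (not code from the original page), here is the same fragment-to-href flow with the sink guarded: the fragment is parsed with URLSearchParams, and the target must parse to an http: or https: URL before it is allowed to reach the href attribute. The base origin https://app.example/ and the benign sample URL are constructed for this example; the attack URL is the one from the page. The DOM write is passed in as a callback so the logic runs under Node without a document; in the page you would pass the setAttribute call.

```javascript
// Added example (not from the original page): the page's redirect logic
// with the href sink protected by a scheme allowlist. The origin
// https://app.example/ and the benign URL below are constructed.

// Parse "key=value&key2=value2" out of a URL's fragment into a plain object.
// URLSearchParams does the splitting and percent-decoding; the hand-rolled
// split('&')/split('=') loop on the page does neither reliably.
function parseFragment(href) {
  const idx = href.indexOf('#');
  const fragment = idx === -1 ? '' : href.slice(idx + 1);
  return Object.fromEntries(new URLSearchParams(fragment));
}

// Schemes a link target may use. Anything else (javascript:, data:,
// vbscript:, ...) is rejected by omission rather than by a blocklist.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Return a normalised absolute URL if `candidate` is an acceptable link
// target, otherwise null. Relative paths resolve against `base`. With
// sameOriginOnly the link may also not leave the base origin.
function safeHref(candidate, base = 'https://app.example/', sameOriginOnly = false) {
  if (typeof candidate !== 'string' || candidate.length === 0) return null;
  let url;
  try {
    // The WHATWG URL parser strips leading/trailing control characters and
    // spaces and lower-cases the scheme, so "  JaVaScRiPt:alert(1)" still
    // yields protocol "javascript:" and is caught by the allowlist below.
    url = new URL(candidate, base);
  } catch (e) {
    return null; // unparseable input is treated as hostile
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  if (sameOriginOnly && url.origin !== new URL(base).origin) return null;
  return url.href;
}

// Hardened equivalent of the page's redirect code. `setHref` stands in for
// document.getElementById('a').setAttribute('href', ...). Returns true if
// the sink was written, false if the value was rejected.
function applyRedirect(href, setHref) {
  const params = parseFragment(href);
  const target = safeHref(params.url);
  if (target === null) return false; // the sink never sees untrusted data
  setHref(target);
  return true;
}

// The page's attack URL and a constructed benign one, for a quick check.
const ATTACK_URL = 'file:///root/Desktop/dom.html#url=javascript:alert(1);';
const BENIGN_URL = 'https://app.example/dom.html#url=/account/settings';

// Browser usage (not executed under Node):
//   const link = document.getElementById('a');
//   applyRedirect(window.location.href, (v) => link.setAttribute('href', v));
```

Allowlisting the scheme is the check that matters for DOM XSS: a blocklist that searches for the literal text "javascript:" misses case variants, leading whitespace and control characters, and other script-bearing schemes, whereas the URL parser normalises all of those before the comparison is made. The optional sameOriginOnly flag additionally stops the same sink from being turned into an open redirect to another site.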