DOM Based Cross-Site Scripting (XSS) is a type of cross-site scripting attack that is caused by the web application dynamically generating the web page’s content through the manipulation of the Document Object Model (DOM).
In DOM-based XSS attacks, the attacker injects a malicious script into a web page by manipulating the DOM environment. The web application then executes the script in the user’s browser, allowing the attacker to steal sensitive data or perform other malicious actions on the user’s behalf.
This type of attack is often difficult to detect using traditional XSS detection methods, since the malicious script is injected and executed entirely on the client side; the server never sees it in a form it can filter. Furthermore, the script can be delivered in the URL, in the HTTP request, or in any other user-supplied input field on the web page.
Example
Suppose the following code is used to create a form to let the user choose their preferred language. A default language is also provided in the query string, as the parameter “default”.
…
Select your language:
<select><script>
document.write("<OPTION value=1>"+decodeURIComponent(document.location.href.substring(document.location.href.indexOf("default=")+8))+"</OPTION>");
document.write("<OPTION value=2>English</OPTION>");
</script></select>
…
The page is invoked with a URL such as:
http://www.some.site/page.html?default=French
A DOM Based XSS attack against this page can be accomplished by sending the following URL to a victim:
http://www.some.site/page.html?default=<script>alert(document.cookie)</script>
When the victim clicks on this link, the browser sends a request for:
/page.html?default=<script>alert(document.cookie)</script>
to www.some.site. The server responds with the page containing the above JavaScript code. The browser creates a DOM object for the page, in which the document.location object contains the string:
http://www.some.site/page.html?default=<script>alert(document.cookie)</script>
The original JavaScript code in the page does not expect the default parameter to contain HTML markup, and as such it simply decodes and echoes it into the page (DOM) at runtime. The browser then renders the resulting page and executes the attacker’s script:
alert(document.cookie)
Note that the HTTP response sent from the server does not contain the attacker’s payload. The payload surfaces in the client-side script at runtime, when a flawed script reads the DOM variable document.location and assumes it is not malicious. In addition, most browsers URL encode document.location by default, which reduces the impact or possibility of many DOM XSS attacks.
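To make the flaw checkable outside a browser, the following added example (not part of the original page) models the page’s parameter extraction and its document.write sink as plain functions, next to a hardened version that isolates the parameter with the URL API and either escapes the value for the markup context or, in a real page, sets it through textContent. The function names and the helper `escapeHtml` are this example’s own; the two URLs are the ones used above.

```javascript
// Vulnerable extraction, exactly as the page's script does it: everything
// after "default=" is taken (including any later query parameters and the
// fragment), then percent-decoded. If "default=" is absent, indexOf() is -1
// and substring(7) returns the URL minus its "http://" prefix.
function extractDefaultVulnerable(href) {
  return decodeURIComponent(href.substring(href.indexOf("default=") + 8));
}

// Vulnerable sink: the raw value is concatenated into markup. document.write()
// would parse this string as HTML, so a "<script>" in the value becomes script.
function buildOptionVulnerable(href) {
  return "<OPTION value=1>" + extractDefaultVulnerable(href) + "</OPTION>";
}

// Hardened extraction: let the URL parser isolate the single parameter.
// Returns null when the parameter is absent instead of the whole URL tail.
function extractDefaultSafe(href) {
  return new URL(href).searchParams.get("default");
}

// Minimal HTML escaping for the text content of an element (the least that is
// required when building markup strings cannot be avoided).
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened sink as a markup string: the value is escaped, so the browser
// renders it as the visible option label and never parses it as tags.
function buildOptionSafe(href) {
  const lang = extractDefaultSafe(href);
  return "<OPTION value=1>" + escapeHtml(lang === null ? "" : lang) + "</OPTION>";
}

// Preferred in a browser: no markup string at all. `doc` is the document
// (passed in so the function stays testable); textContent can only yield text.
function safeOptionElement(doc, href) {
  const option = doc.createElement("option");
  option.value = "1";
  option.textContent = extractDefaultSafe(href) ?? "";
  return option;
}

const BENIGN = "http://www.some.site/page.html?default=French";
const ATTACK = "http://www.some.site/page.html?default=<script>alert(document.cookie)</script>";

console.log("vulnerable:", buildOptionVulnerable(ATTACK));
console.log("hardened:  ", buildOptionSafe(ATTACK));
console.log("benign:    ", buildOptionSafe(BENIGN));
```

The vulnerable extraction also over-captures: for `?default=French&x=1` it yields `French&x=1`, while the URL API returns `French`. That is a second reason to prefer a real parser over indexOf/substring, independent of the injection.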
Testing Tools and Techniques
1. The DOM XSS Wiki – The start of a knowledge base for defining sources of attacker-controlled inputs and sinks which could potentially introduce DOM Based XSS issues. It’s very immature as of 11/17/2011. Please contribute to this wiki if you know of more dangerous sinks and/or safe alternatives!
See: http://code.google.com/p/domxsswiki/
2. DOM Snitch – An experimental Chrome extension that enables developers and testers to identify insecure practices commonly found in client-side code. From Google.
See: http://code.google.com/p/domsnitch/
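The source/sink model these tools rely on can be tried out with a very small scanner. The following added example (not one of the tools above, and not the page’s code) lists a few attacker-influenced sources and dangerous sinks as regular expressions and flags any line of client-side code where one of each appears together. The sample code it scans is constructed here and includes the page’s vulnerable document.write statement; a real tool tracks data flow across statements, which this per-line check deliberately does not attempt, so it reports candidates for review rather than confirmed findings.

```javascript
// Attacker-influenced sources: values an attacker can set via the URL or a
// referring page. Deliberately incomplete; extend from the DOM XSS Wiki.
const SOURCES = [
  /\bdocument\.location\b/,
  /\blocation\.(href|search|hash)\b/,
  /\bdocument\.URL\b/,
  /\bdocument\.referrer\b/,
  /\bwindow\.name\b/,
];

// Dangerous sinks: APIs that parse their argument as HTML or as code.
const SINKS = [
  /\bdocument\.write(ln)?\s*\(/,
  /\.innerHTML\s*=/,
  /\.outerHTML\s*=/,
  /\.insertAdjacentHTML\s*\(/,
  /\beval\s*\(/,
  /\bnew\s+Function\s*\(/,
  /\bsetTimeout\s*\(\s*["'`]/, // string argument, i.e. code evaluated from text
];

// Returns one finding per line that contains both a source and a sink.
function findDomXssCandidates(sourceText) {
  const findings = [];
  sourceText.split("\n").forEach((text, index) => {
    const src = SOURCES.find((re) => re.test(text));
    const sink = SINKS.find((re) => re.test(text));
    if (src && sink) {
      findings.push({ line: index + 1, source: src.source, sink: sink.source, text: text.trim() });
    }
  });
  return findings;
}

// Constructed sample. Line 2 is the page's vulnerable statement; line 3 reads a
// source but parses it safely; line 4 uses a source with a safe sink
// (textContent); line 5 is a second real candidate; line 6 is a sink fed only
// constant data.
const SAMPLE = [
  'document.write("<OPTION value=2>English</OPTION>");',
  'document.write("<OPTION value=1>"+decodeURIComponent(document.location.href.substring(document.location.href.indexOf("default=")+8))+"</OPTION>");',
  'var q = new URL(location.href).searchParams.get("q");',
  'label.textContent = location.hash.slice(1);',
  'el.innerHTML = document.referrer;',
  'el.innerHTML = "<b>static</b>";',
].join("\n");

for (const f of findDomXssCandidates(SAMPLE)) {
  console.log(`line ${f.line}: source ${f.source} reaches sink ${f.sink}`);
  console.log(`  ${f.text}`);
}
```

Expect lines 2 and 5 of the sample to be reported. The check is noisy in the other direction too: a line that reads `location.hash` and writes it to `innerHTML` through an intermediate variable on a later line is missed, which is exactly the gap taint-tracking tools such as DOM Snitch exist to close.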
Defense Techniques
See: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html