DOM XSS (Cross-Site Scripting)
1. Landing page URL: https://tradenews.codebashing.com/guests/landing#guest
2. Pseudocode for the landing JSP web page:
<h6>
<script>
var name = document.location.hash.split('#')[1]; //https://tradenews.codebashing.com/guests/landing#guest
document.write("Hello " + name + "! Please login or signup to access news stories");
</script>
</h6>
Attack
Part 1: The attacker sends an email like this:
Hi Alice, Hope you are well ! Please find below a 20% discount code to join TradeNEWS.
https://tradenews.codebashing.com/guests/landing#<script>window.location = 'https://fake-tradenews.codebashing.com';</script> Kind Regards, Bob
Note that the username in the fragment is replaced with JavaScript code. Once the user clicks the link, they are redirected to a fake website, where their credit card information can be stolen.
Remedy
To defend against Cross-Site Scripting attacks within the user's browser Document Object Model (DOM) environment, a defense-in-depth approach is required, combining a number of security best practices.
Note: Recall that for Stored XSS and Reflected XSS the injection takes place server side rather than in the client browser. With DOM XSS the attack is injected into the browser DOM; this adds complexity, makes it very difficult to prevent and highly context specific, because an attacker can inject HTML, HTML attributes, CSS and URLs.
As a general set of principles, the application should first HTML encode and then JavaScript encode any user-supplied data that is returned to the client. For example, using OWASP ESAPI:
document.write(<%=Encoder.encodeForJS(Encoder.encodeForHTML(userSuppliedData))%>);
Due to the very large attack surface this approach is no silver bullet, so developers are strongly encouraged to review areas of code that are potentially susceptible to DOM XSS, including but not limited to the following sources and sinks:
window.name
document.referrer
document.URL
document.documentURI
location
location.href
location.search
location.hash
eval
setTimeout
setInterval
document.write
document.writeln
Note: OWASP ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
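As an added example that is not part of the original lesson, the following review aid scans JavaScript source text for the sources and sinks listed above and follows a value from a source to a sink within one file. The source-file sample at the bottom is constructed for this example; the function names are this example's own.

```javascript
// Added example (not from the page): a line-oriented review aid that flags
// the DOM XSS sources and sinks listed above in JavaScript source text and
// follows a value from a source to a sink within one file. The sample
// source at the bottom is constructed for this example.
var DOM_SOURCES = [
  'window.name', 'document.referrer', 'document.URL', 'document.documentURI',
  'location.href', 'location.search', 'location.hash'
];
var DOM_SINKS = ['eval', 'setTimeout', 'setInterval', 'document.write', 'document.writeln'];

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Whole-identifier match: 'document.write' must not match 'document.writeln',
// and a variable 'ref' must not match 'refresh'.
function findMatches(line, names) {
  return names.filter(function (n) {
    var re = new RegExp('(^|[^A-Za-z0-9_$])' + escapeRegex(n) + '(?![A-Za-z0-9_$])');
    return re.test(line);
  });
}

// Pass 1: every line that touches a source or a sink, for manual review.
function scanSource(source) {
  var findings = [];
  source.split('\n').forEach(function (line, i) {
    var sources = findMatches(line, DOM_SOURCES);
    var sinks = findMatches(line, DOM_SINKS);
    if (sources.length || sinks.length) {
      findings.push({ line: i + 1, sources: sources, sinks: sinks, text: line.trim() });
    }
  });
  return findings;
}

// Pass 2: naive taint tracking. A variable assigned from a source, or from
// another tainted variable, is tainted; a sink call that mentions a tainted
// variable is reported. Straight-line code only, no scoping or functions.
var ASSIGNMENT = /^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=(?!=)/;

function findTaintedSinks(source) {
  var tainted = {};
  var results = [];
  source.split('\n').forEach(function (line, i) {
    var m = line.match(ASSIGNMENT);
    if (m) {
      var rhs = line.slice(line.indexOf('=') + 1);
      var fromSource = findMatches(rhs, DOM_SOURCES).length > 0;
      var fromTainted = findMatches(rhs, Object.keys(tainted)).length > 0;
      if (fromSource || fromTainted) tainted[m[1]] = i + 1;
    }
    var sinks = findMatches(line, DOM_SINKS);
    if (sinks.length) {
      findMatches(line, Object.keys(tainted)).forEach(function (v) {
        results.push({ line: i + 1, sink: sinks[0], variable: v, taintedAt: tainted[v] });
      });
    }
  });
  return results;
}

// Constructed sample: the page's landing-page pattern plus benign lines.
var SAMPLE_SOURCE = [
  "var name = document.location.hash.split('#')[1];",
  "var greeting = 'Hello ' + name;",
  "document.write(greeting + '! Please login or signup to access news stories');",
  "var ref = document.referrer;",
  "console.log(ref.length);",
  "setTimeout(function () { refresh(); }, 1000);"
].join('\n');

console.log(scanSource(SAMPLE_SOURCE));
console.log(findTaintedSinks(SAMPLE_SOURCE));
```

The first pass is deliberately noisy (every `setTimeout` is listed), which is what a code review wants: a list of places to look. The second pass is only a hint, since it ignores scoping and string building inside functions; it reports the greeting line because the `name` variable taken from `location.hash` flows into `document.write` through `greeting`, while the `document.referrer` value that never reaches a sink produces no taint finding.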
Let's apply a suitable regex pattern to remediate this particular DOM XSS vulnerability.
<h6>
<script>
var name = document.location.hash.split('#')[1] || ''; // https://tradenews.codebashing.com/guests/landing#guest; default to '' when there is no fragment, otherwise .match would throw on undefined
// Allowlist: only alphanumeric usernames reach document.write; markup or script is rejected
if (name.match(/^[a-zA-Z0-9]*$/))
{
document.write("Hello " + name + "! Please login or signup to access news stories");
}
else
{
window.alert("Security error");
}
</script>
</h6>
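As an added example, not part of the original lesson, the vulnerable greeting, the regex allowlist fix above, and the HTML-then-JavaScript encoding order from the ESAPI line are written here as plain functions so they can be run and tested outside a browser. The encodeForHTML and encodeForJS helpers are simplified stand-ins written for this example, not the ESAPI library; the sample URLs are the ones from the page.

```javascript
// Added example (not the lesson's code): the landing-page greeting as plain
// functions, so the vulnerable path, the allowlist fix and the encoding
// order can be exercised outside a browser. Helper names are this example's own.

// Mirrors the original pseudocode: the fragment is concatenated into markup
// unchanged, so whatever follows '#' becomes part of the document.
function renderGreetingVulnerable(url) {
  var name = url.split('#')[1];
  return "Hello " + name + "! Please login or signup to access news stories";
}

// Fragment extraction that tolerates a missing '#': split('#')[1] is
// undefined then, and calling .match on undefined would throw.
function extractName(url) {
  var parts = String(url).split('#');
  return parts.length > 1 ? parts[1] : '';
}

// The page's allowlist. It accepts the empty string (the '*'), and because
// '%' is not alphanumeric a percent-encoded '<' is refused as well.
var NAME_PATTERN = /^[a-zA-Z0-9]*$/;

// Simplified stand-in for ESAPI's HTML encoder: the characters that can
// close a text node or an attribute become entities.
function encodeForHTML(s) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, function (c) { return map[c]; });
}

// Simplified stand-in for ESAPI's JavaScript encoder: every non-alphanumeric
// character becomes a \xHH or \uHHHH escape, so the value can neither end a
// string literal nor contain a literal '</script>'.
function encodeForJS(s) {
  return String(s).replace(/[^a-zA-Z0-9]/g, function (c) {
    var code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + ('0' + code.toString(16)).slice(-2)
      : '\\u' + ('000' + code.toString(16)).slice(-4);
  });
}

// Client-side fix from the page: allowlist first, then encode as defence in depth.
function renderGreetingHardened(url) {
  var name = extractName(url);
  if (!NAME_PATTERN.test(name)) {
    return { ok: false, message: "Security error" };
  }
  return { ok: true, message: "Hello " + encodeForHTML(name) + "! Please login or signup to access news stories" };
}

// Server-side counterpart of the page's ESAPI line: HTML-encode first, then
// JavaScript-encode, so the value is inert inside the script block and still
// inert as markup once the browser has evaluated the string literal.
function buildInlineScript(userSuppliedData) {
  return 'document.write("Hello " + "' + encodeForJS(encodeForHTML(userSuppliedData)) +
    '" + "! Please login or signup to access news stories");';
}

// Sample inputs taken from the page.
var BENIGN_URL = "https://tradenews.codebashing.com/guests/landing#guest";
var ATTACK_URL = "https://tradenews.codebashing.com/guests/landing#<script>window.location = 'https://fake-tradenews.codebashing.com';</script>";

console.log(renderGreetingVulnerable(ATTACK_URL));
console.log(renderGreetingHardened(ATTACK_URL));
console.log(buildInlineScript(extractName(ATTACK_URL)));
```

The allowlist is the primary control here because the page's greeting only ever needs a username; the encoders are the layer that still holds if a future change widens what the fragment may carry. The order in buildInlineScript matters: if JavaScript encoding were applied first and HTML encoding second, the entity text would be what the script literal contains, and document.write would then render the original characters.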