Introduction
As you already know from the previous article, "XSS tutorial part-1", XSS has three types: Stored XSS, Reflected XSS and DOM-based XSS. We have already discussed stored and reflected XSS, so today we will discuss DOM-based XSS.
DOM based XSS
The Wikipedia definition is: "DOM-based vulnerabilities occur in the content processing stages performed by the client, typically in client-side JavaScript. The name refers to the standard model for representing HTML or XML contents, which is called the Document Object Model (DOM). JavaScript programs manipulate the state of a web page and populate it with dynamically-computed data primarily by acting upon the DOM."
Put simply, this type occurs in the JavaScript code itself that the developer uses on the client side. For example:
"A typical example is a piece of JavaScript accessing and extracting data from the URL via the location.* DOM, or receiving raw non-HTML data from the server via XMLHttpRequest, and then using this information to write dynamic HTML without proper escaping, entirely on the client side."
DOM based XSS Demo
Suppose the following code is used to create a form to let the user choose his/her preferred language. A default language is also provided in the query string, as the parameter "default". We will use the following code for demonstration purposes:
<select>
<script>
// Vulnerable: whatever follows "default=" in the URL is written into the page unencoded.
document.write("<OPTION value=1>" + document.location.href.substring(document.location.href.indexOf("default=") + 8) + "</OPTION>");
document.write("<OPTION value=2>English</OPTION>");
</script>
</select>
The page is invoked with a URL such as:
http://www.some.site/page.html?default=French
A DOM-based XSS attack against this page can be accomplished by sending the following URL to a victim:
http://www.some.site/page.html?default=<script>alert(document.cookie)</script>
The original JavaScript code in the page does not expect the default parameter to contain HTML markup, and as such it simply echoes it into the page (DOM) at runtime. The browser then renders the resulting page and executes the attacker's script:
alert(document.cookie)
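The following is an added example, not code from the original post: it builds the "default" language option two ways, once with the same substring logic as the vulnerable page and once with the query string parsed properly and the value HTML-encoded, so that markup in the parameter is displayed as text instead of being parsed. The function names, the escapeHtml helper and the sample URLs are my own (the hostname is the one used in the post). Browsers that follow the WHATWG URL Standard percent-encode < and > in location.href, so the constructed URL strings below are passed in directly rather than read from a live location object. In a real page, building the option with document.createElement and textContent, rather than string concatenation, is the preferred fix; encoding is shown here because it can be exercised outside a browser.

```javascript
// Added example (not from the original post). Assumed names: escapeHtml,
// getDefaultUnsafe, getDefaultParam, buildOptionUnsafe, buildOptionSafe.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can break out of an HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Same extraction as the vulnerable page: everything after "default=".
// Note that when the parameter is absent, indexOf() returns -1 and the
// substring starts at offset 7, i.e. inside the scheme.
function getDefaultUnsafe(href) {
  return href.substring(href.indexOf("default=") + 8);
}

// Parse the query string with the URL API; returns "" when the parameter is absent.
function getDefaultParam(href) {
  const params = new URL(href).searchParams;
  return params.get("default") ?? "";
}

// Mirrors the page's document.write() string: the value lands in the HTML as-is.
function buildOptionUnsafe(href) {
  return "<OPTION value=1>" + getDefaultUnsafe(href) + "</OPTION>";
}

// Hardened: the value is encoded for the HTML text context before being inserted.
function buildOptionSafe(href) {
  return '<option value="1">' + escapeHtml(getDefaultParam(href)) + "</option>";
}

// Constructed sample URLs (the two URLs shown in the post).
const BENIGN = "http://www.some.site/page.html?default=French";
const HOSTILE = "http://www.some.site/page.html?default=<script>alert(document.cookie)</script>";

if (typeof require !== "undefined" && require.main === module) {
  console.log(buildOptionUnsafe(HOSTILE)); // a raw <script> tag lands in the page
  console.log(buildOptionSafe(HOSTILE));   // &lt;script&gt;... is displayed as text
  console.log(buildOptionSafe(BENIGN));    // <option value="1">French</option>
}
```

Run it with node to see the two outputs side by side; the safe version keeps the benign value readable while rendering the hostile one inert.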
Now we have discussed all types of XSS, so let's talk about some advanced techniques.
Advanced Techniques
There are some avoidance techniques that can be used to protect against XSS exploits, but they are often not implemented well. For example, many sites may seem vulnerable yet do not execute the injected code, because some kind of filtering is in place, and those filters can often be bypassed. We will demonstrate most of them.
METHOD 1: replace <script> with the empty string ""
Here is the vulnerable code, which suffers from reflected XSS despite having a filter:
<?php
if (!array_key_exists("name", $_GET) || $_GET['name'] == NULL || $_GET['name'] == '') {
    $isempty = true;
} else {
    echo '<pre>';
    // Blacklist filter: only the exact lowercase string "<script>" is removed,
    // and the result is echoed without any output encoding.
    echo 'Hello ' . str_replace('<script>', '', $_GET['name']);
    echo '</pre>';
}
?>
As you can see, in the previous code the developer replaces the string "<script>" with the empty string "".
One common way to bypass this filter is simply to replace the string "<script>" with "<SCRIPT>", because the developer only searches for the lowercase "<script>". So we bypass it by changing our script to:
<SCRIPT>.......</SCRIPT>
Here is another way to bypass the previous filter:
<script
/javascript>alert("XSS")</script>
Please note that it is bad practice to use alert("XSS") to test for XSS, because most well-known sites already block the keyword XSS.
METHOD 2: magic quotes filtering
In this technique, the developer uses what is called magic quotes filtering: the PHP function "addslashes()" adds a backslash before special characters such as quotes, so our traditional JavaScript code with quoted strings no longer works. There are many ways to bypass that filter; we will discuss two of them.
1- The easiest way to bypass it is simply not to use quotes at all. For example, declare a variable, assign it a number, then alert that variable, as you can see here:
<script>var val = 1; alert(val)</script>
2- This way is somewhat tricky. Here we use a built-in function that converts decimal values into ASCII characters. You can find a complete ASCII table at http://www.asciitable.com/, which will help you write what you want, or you can use the HackBar Firefox add-on to help you convert ASCII to decimal. In my examples I will be writing "XSS"; the decimal code is "120 115 115". OK, now that we have the decimal value of our string, we need to know which function in JavaScript converts it back to ASCII. This function is called "String.fromCharCode()", and when you use it with alert, for example, you don't need to use quotes any more:
<script>alert(String.fromCharCode(120, 115, 115))</script>
OK, now this will display our message, in this case "XSS". This method is very useful for bypassing magic quotes.
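The following is an added example, not code from the original post, covering both METHOD 1 and METHOD 2 above: the two filters are re-implemented in JavaScript next to proper HTML output encoding (the equivalent of PHP's htmlspecialchars with ENT_QUOTES), and each is run over the payload shapes the post lists. The function names and the survivalTable helper are my own; the sample inputs are constructed from the post's own examples. One detail worth knowing: the codes the post gives, 120 115 115, are decoded by String.fromCharCode into the lowercase string "xss". The point of the table is a defensive one: a blacklist removes one spelling of one tag, addslashes() never touches < or > at all, and only context-aware encoding neutralizes every sample.

```javascript
// Added example (not from the original post). Assumed names: stripScriptTag,
// addslashes, escapeHtml, stillHasScriptTag, survivalTable.

// METHOD 1 as written in the PHP: delete the exact lowercase string "<script>".
function stripScriptTag(input) {
  return input.split("<script>").join("");
}

// METHOD 2: PHP addslashes() puts a backslash before ' " \ and NUL, nothing else.
function addslashes(input) {
  return input.replace(/([\\'"])/g, "\\$1").replace(/\0/g, "\\0");
}

// The fix that actually works for an HTML text context: encode the five
// significant characters instead of trying to recognise bad input.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(input) {
  return input.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Does the filtered output still contain a script opening tag? A real HTML
// parser is the authority; this check is only meant for the samples below:
// "<script" in any case, followed by whitespace, "/" or ">".
function stillHasScriptTag(html) {
  return /<script[\s/>]/i.test(html);
}

// Constructed inputs, taken from the shapes the post shows.
const SAMPLES = {
  plain: "<script>alert(1)</script>",
  uppercase: "<SCRIPT>alert(1)</SCRIPT>",
  attribute: "<script\n/javascript>alert(1)</script>",
  noQuotes: "<script>alert(String.fromCharCode(120, 115, 115))</script>",
};

// Run every filter over every sample; true means an executable tag survived.
function survivalTable() {
  const filters = { stripScriptTag, addslashes, escapeHtml };
  const table = {};
  for (const [filterName, fn] of Object.entries(filters)) {
    table[filterName] = {};
    for (const [sampleName, sample] of Object.entries(SAMPLES)) {
      table[filterName][sampleName] = stillHasScriptTag(fn(sample));
    }
  }
  return table;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(survivalTable());
  console.log(String.fromCharCode(120, 115, 115)); // "xss"
}
```

Run it with node: the stripScriptTag row shows only the lowercase samples removed, the addslashes row is true for every sample, and the escapeHtml row is false for every sample.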
Conclusion
We have discussed a lot of stuff today, and I hope it is useful for you guys. There is a lot of great and exciting stuff that will be posted later in this tutorial series. If you have any questions, then post i