Cross-Site Scripting (XSS) attacks are an unauthorized injection of code into an otherwise trusted website. The unwanted content sent to the browser usually takes the form of a segment of JavaScript, but may also include HTML, Flash, or any other type of code that the browser may execute.
DOM-based XSS attacks are less common than other types of XSS attacks.
```html
<html>
<head>
<title>Custom Dashboard </title>
...
</head>
Main Dashboard for
<script>
var pos=document.URL.indexOf("context=")+8;
document.write(document.URL.substring(pos,document.URL.length));
</script>
...
</html>
```
The URL http://www.example.com/userdashboard.html?context=Mary is a dashboard customized for Mary. It contains the string "Main Dashboard for Mary" at the top. Here is how a DOM-based XSS attack can be performed against this web application:
1) The attacker embeds a malicious script in the URL: http://www.example.com/userdashboard.html#context=SomeFunction(somevariable).
2) The user's browser receives this URL, sends an HTTP request to http://www.example.com, and receives the static HTML page.
3) The browser starts building the DOM of the website and populates the document.URL property with the URL from step 1.
4) The browser parses the HTML page, reaches the script, and runs it, extracting the malicious content from the document.URL property shown in step 1.
5) The browser updates the raw HTML body of the page to contain: Main Dashboard for SomeFunction(somevariable).
6) The browser finds the JavaScript code in the HTML body and executes it.
Because this happens in the DOM, the server has no reason to think anything went wrong when loading the page. This means that the server's threat detection does not notice anything wrong. To protect against this type of attack, client-side intrusion prevention systems are required.
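A hardened replacement for the dashboard's inline script, as an added example that is not part of the original post. It keeps the page's extraction logic for comparison and writes the value as text instead of markup. The element id `dashboard-user`, the `guest` fallback and the name allowlist are assumptions.

```javascript
// Added example: runs in a browser or in Node (standard URL API only).

// The page's logic: everything after "context=" is used verbatim.
// If "context=" is absent, indexOf returns -1 and part of the URL leaks through.
function extractContextAsOnPage(url) {
  const pos = url.indexOf("context=") + 8;
  return url.substring(pos, url.length);
}

// Assumed allowlist: a display name of letters, digits, space, "_", "." or "-".
const NAME_RE = /^[\p{L}\p{N} _.-]{1,40}$/u;

// Hardened: parse the URL, check query string and fragment (the page's two
// example URLs use one each), and reject anything outside the allowlist.
function extractContextSafe(url) {
  const u = new URL(url);
  const fromQuery = u.searchParams.get("context");
  const fromHash = new URLSearchParams(u.hash.slice(1)).get("context");
  const value = fromQuery ?? fromHash;
  return value !== null && NAME_RE.test(value) ? value : null;
}

// Defence in depth for code paths that still have to build HTML strings.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Replaces document.write(): textContent is never parsed as HTML, so a value
// that slipped past validation would still be shown as plain text.
function renderDashboardTitle(doc, url) {
  const name = extractContextSafe(url) ?? "guest"; // assumed fallback
  const el = doc.getElementById("dashboard-user"); // hypothetical element id
  el.textContent = name;
  return name;
}

// In the page: renderDashboardTitle(document, document.URL);
```
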