Getting to Know DOM Based XSS More Closely
Before getting into DOM XSS, let’s first get to know DOM. What is DOM?
DOM stands for Document Object Model: the hierarchical structure of an HTML document, so the HTML code forms a kind of family tree.
For XSS in general you can read here.
In the case of DOM Based XSS, the XSS payload changes the HTML content through this DOM.
Example: DVWA, DOM XSS, Level: Low
There is a language selection feature; let’s check the script:
if (document.location.href.indexOf("default=") >= 0) {
    var lang = document.location.href.substring(document.location.href.indexOf("default=")+8);
    document.write("<option value='" + lang + "'>" + decodeURI(lang) + "</option>");
    document.write("<option value='' disabled='disabled'>----</option>");
}

document.write("<option value='English'>English</option>");
document.write("<option value='French'>French</option>");
document.write("<option value='Spanish'>Spanish</option>");
document.write("<option value='German'>German</option>");
The language selection form in this feature is generated by the JavaScript above.
The first line checks whether the URL contains default= (indexOf returns 0 or more). If so, it creates a variable named lang whose value is everything after default= in the URL,
then writes it into the HTML document inside an option tag, followed by another option tag with an empty value that is disabled.
From line 7 onward it writes several more option tags with the values English, French, Spanish, and German.
When we select a language, the URL looks like this:
/dvwa/vulnerabilities/xss_d/?default=English
We can see the default value is English, and this value is written into the displayed document: the text English appears in the language switch feature.
Let’s try changing the value to Indonesia:
/dvwa/vulnerabilities/xss_d/?default=Indonesia
The text English changes to Indonesia. Since this value is written into the displayed HTML document, we can use the <script> tag to test whether XSS is possible:
/dvwa/vulnerabilities/xss_d/?default=<script>alert('XSS')</script>
A pop-up with the text XSS appears.
This happens because the value of the default parameter is written directly into the displayed HTML document with document.write(). For this case, prevention can be done by changing decodeURI(lang) to encodeURI(lang), which URL-encodes the variable lang whose value comes from the default parameter.
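As an added example (not DVWA's code or the post's), here is the selector logic rebuilt as plain functions: the post's document.write() string pattern beside a version that escapes the value in both the attribute and the text, plus a populateSelect() that builds the options with DOM APIs so the parameter is never parsed as HTML. The dvwa.local URL is constructed for the demo.

```javascript
// Added example (not DVWA's code). Only populateSelect() needs a browser; the rest runs in Node.

// Same parsing as the original script: everything after "default=" is taken verbatim.
function getDefaultLang(href) {
  const i = href.indexOf("default=");
  return i >= 0 ? href.substring(i + 8) : null;
}

// decodeURI() throws URIError on malformed sequences such as "%E0%A4%A";
// fall back to the raw value instead of breaking the page.
function safeDecode(s) {
  try { return decodeURI(s); } catch (e) { return s; }
}

// The post's pattern: the decoded parameter is concatenated straight into markup,
// so "<script>" in the URL becomes a real element once document.write() parses it.
function renderOptionVulnerable(lang) {
  return "<option value='" + lang + "'>" + decodeURI(lang) + "</option>";
}

// Escape the characters that are significant in HTML text and attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened string version: the decoded value is escaped in both places it lands.
function renderOptionSafe(lang) {
  const text = escapeHtml(safeDecode(lang));
  return "<option value='" + text + "'>" + text + "</option>";
}

// Preferred browser fix: build the <option> elements with DOM APIs instead of
// document.write(), so the parameter is only ever treated as data, never as HTML.
function populateSelect(selectEl, href) {
  const lang = getDefaultLang(href);
  for (const value of [lang, "English", "French", "Spanish", "German"]) {
    if (value === null) continue;
    const opt = document.createElement("option");
    opt.value = safeDecode(value);
    opt.textContent = safeDecode(value);
    selectEl.appendChild(opt);
  }
}

// Constructed sample URL: a browser percent-encodes "<" and ">" in location.href.
const SAMPLE_HREF = "http://dvwa.local/vulnerabilities/xss_d/?default=%3Cscript%3Ealert(1)%3C/script%3E";
```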
For more complete prevention of DOM Based XSS you can check here.