A Step Further — Demystifying XSS

October 17, 2017 | Adeline Zhang

This is a comprehensive tutorial on cross-site scripting (XSS) attacks, from the basics through to practical cases.

Overview

Note that the preceding figure classifies XSS attacks from several different angles rather than simply as reflected XSS, stored XSS, and DOM-based XSS.

In essence, XSS is the injection of HTML and JavaScript code. Developers often do not take this kind of attack seriously because it targets the browser, that is, the client side.

Regular XSS can be detected with a simple method: if a user-supplied parameter, in whole or in part, is reflected in the page source, an XSS vulnerability is presumed to exist.

A scanner can find most regular XSS, because scanners are good at pattern matching and can easily locate the characters we just submitted within the returned HTML.
Then a type of XSS emerged that leaves no trace in the page source. It turned out that XSS may not be as simple as we thought.

About Document Object Model

Document Object Model

The Document Object Model (DOM) is a well-known programming API.

The DOM represents page elements as objects in a tree-like hierarchy so that JavaScript can work with them easily.

Common DOM Methods

The HTML DOM can be accessed through JavaScript (and other programming languages). Every HTML element is defined as an object, and the HTML DOM API defines the methods and properties of those objects.

Four Important DOM Properties

nodeName: specifies the name of a node.

  • This property is read-only.
  • For an element node, the value of this property is the same as the tag name of the node.
  • For an attribute node, the value of nodeName is the name of the node.
  • For a text node, the value of this property is always #text.
  • For a document node, the value of this property is always #document.

nodeValue: specifies the value of a node.

  • For an element node, the value of this property is undefined or null.
  • For a text node, the value of this property is the text content.
  • For an attribute node, the value of nodeValue is the same as the value of the attribute node.

nodeType: specifies the node type.

  • This property is read-only.

innerHTML: gets or sets the content of an element. The following figure shows an example of this property, in which the element content is Hello World!.

This property can be both read and assigned, which makes it the most frequently used object property and also the one most prone to security issues.

Where Is the Input?

Properties of the location object

JavaScript usually obtains user-supplied input from the DOM's built-in location object, for example the query string via location.search or the complete URL via location.href.

DOM-based XSS

Two Typical DOM Procedures

(1) Reflected DOM-based XSS

(2) Stored DOM-based XSS

Required Knowledge

Compared with common XSS, DOM-based XSS is discovered in a way that resembles a code audit.

Typical DOM-based XSS Examples

mXSS

If user input goes into and out of the DOM more than twice, a more advanced type of DOM-based XSS may be triggered: mutation XSS (mXSS).

Scenarios Prone to mXSS

Because innerHTML can unescape HTML entities, CSS escape sequences, and ANSI escape codes, user-supplied input that has been escaped, and is therefore deemed safe, may be unescaped again on its way back through the DOM, bypassing the filter.

Filter Bypassing

Examples

The following are two examples of filter bypassing in common XSS.

Filter Bypassing Method

Generally, a DOM-based XSS payload must first survive the server-side filter and then the JavaScript loaded on the page. Bypassing the filter is therefore no easy job.

Code bypassing:

Code to be inserted: <img src="" onerror=alert(123)>

  • Replace double quotation marks with HTML entities: <img src=&quot;&quot; onerror=alert(123)>
  • Replace angle brackets with CSS/JS codes (Unicode): \u003cimg src="" onerror=alert(123)\u003e
  • Replace parentheses with CSS/JS codes (Base16): \x28\x29<img src="" onerror=alert\x28123\x29>
  • Replace all characters with the String.fromCharCode method: String.fromCharCode(60,105,109,103,32,115,114,99,61,34,34,32,111,110,101,114,114,111,114,61,97,108,101,114,116,40,49,50,51,41,62)
  • Replace "er" at a certain place with ANSI code: <img src="" onerror=al%65%72t(123)>
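
All of the variants listed above collapse to the same markup once each encoding layer is decoded, which is why a filter that matches a literal signature against the raw string misses most of them. The following is an added example, not code from the original post, of the canonicalise-then-inspect step a server-side filter or log analyser should perform before matching: it decodes the JavaScript string escapes, the percent-encoding and the String.fromCharCode form from the list (HTML-entity decoding is left out here), repeats until the string stops changing, and then applies the same signature to the raw and to the canonicalised input. The signature regular expression and the decoders are assumptions for this example; the test inputs are the variants quoted above.

```javascript
// Added example, not from the original post: decode the encoding layers the
// post lists before running a detection signature, and compare the result
// with running the same signature on the raw string.

// \uXXXX and \xXX escapes as they appear inside a JavaScript string literal.
function decodeJsEscapes(s) {
  return s.replace(/\\u([0-9a-f]{4})|\\x([0-9a-f]{2})/gi, (m, u, x) =>
    String.fromCharCode(parseInt(u ?? x, 16)));
}

// Percent-encoding; an invalid sequence is left as-is instead of throwing.
function decodePercent(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// String.fromCharCode(60,105,...) with numeric arguments only.
function decodeFromCharCode(s) {
  return s.replace(/(?:String\.)?fromCharCode\(\s*([\d\s,]+)\)/g, (m, list) =>
    String.fromCharCode(...list.split(',').map((n) => parseInt(n, 10))));
}

// Apply the decoders until the string stops changing, so nested encodings
// (e.g. a percent-encoded \u escape) are unwrapped too; bounded so a
// pathological input cannot loop forever.
function canonicalise(s, maxRounds = 5) {
  let current = s;
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeFromCharCode(decodeJsEscapes(decodePercent(current)));
    if (next === current) break;
    current = next;
  }
  return current;
}

// The kind of literal signature a simple filter uses (assumed for this example).
const SIGNATURE = /<img[^>]*\bonerror\s*=\s*alert\s*\(/i;

function naiveCheck(s) { return SIGNATURE.test(s); }
function canonicalCheck(s) { return SIGNATURE.test(canonicalise(s)); }

// The variants quoted in the post, as constructed test inputs (the backslashes
// are doubled so the JavaScript source contains a literal "\u003c" etc.).
const VARIANTS = {
  plain: '<img src="" onerror=alert(123)>',
  unicode: '\\u003cimg src="" onerror=alert(123)\\u003e',
  hex: '\\x28\\x29<img src="" onerror=alert\\x28123\\x29>',
  charCode: 'String.fromCharCode(60,105,109,103,32,115,114,99,61,34,34,32,111,110,101,114,114,111,114,61,97,108,101,114,116,40,49,50,51,41,62)',
  percent: '<img src="" onerror=al%65%72t(123)>',
};

// For each variant, report whether the raw and the canonicalised check fire.
function compareChecks() {
  const result = {};
  for (const [name, value] of Object.entries(VARIANTS)) {
    result[name] = { naive: naiveCheck(value), canonical: canonicalCheck(value) };
  }
  return result;
}

console.log(compareChecks());
```

Only the plain variant triggers the raw check; after canonicalisation all five do. The decoders are deliberately narrow (the percent decoder, for instance, refuses to guess at a malformed sequence), because a canonicaliser that is more permissive than the browser's own parsing produces false positives, while one that is less permissive produces exactly the bypasses the list shows.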

HTML5 features:

Recommendations for DOM-based XSS Prevention

Sites that do not have a rich text editor (custom style) and do not use DOM:

  • Input: Filter double quotation marks, single quotation marks, left and right angle brackets, and semicolons out of the input.
  • Output: Convert characters to HTML entities.

Sites that do not have a rich text editor (custom style) but use DOM:

  • Input: Escape double quotation marks, single quotation marks, left and right angle brackets, and semicolons in DOM.
  • Output: Encode characters before they are written to the page, for example innerHTML = encodeHTML(output).

Sites that have a rich text editor (custom style) but do not use DOM:

  • Input: Filter double quotation marks, single quotation marks, and semicolons out of the input.
  • Output: Convert characters to HTML entities.

Sites that have a rich text editor (custom style) and use DOM:

In this scenario no preventive measure is available; what remains is post-incident remediation.
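
The "encode before output" recommendation above, applied to the source-to-sink flow described in the section on where the input comes from (a parameter read from location.search and written into the page with innerHTML), as an added example that is not code from the original post. The `encodeHTML` function stands in for the encodeHTML() the post names; its implementation here is an assumption. The element arguments are plain objects standing in for DOM elements so that the functions can be exercised outside a browser; in a real page they would come from document.getElementById(). The sample query string is constructed from the payload quoted earlier in the post.

```javascript
// Added example, not from the original post: the vulnerable innerHTML pattern
// beside two hardened forms (encode on output, or use a text-only sink).

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Entity-encode the five characters that can break out of a text or
// attribute context (assumed implementation of the post's encodeHTML()).
function encodeHTML(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Source: a query string in the shape of location.search -> one parameter.
function getParam(search, name) {
  return new URLSearchParams(search).get(name) ?? '';
}

// Vulnerable pattern: the raw parameter is concatenated into innerHTML, so any
// markup in it is parsed as HTML by the browser.
function greetUnsafe(el, search) {
  el.innerHTML = '<b>Hello ' + getParam(search, 'name') + '</b>';
  return el.innerHTML;
}

// Hardened pattern 1: encode at the sink, as the last step before innerHTML.
function greetEncoded(el, search) {
  el.innerHTML = '<b>Hello ' + encodeHTML(getParam(search, 'name')) + '</b>';
  return el.innerHTML;
}

// Hardened pattern 2: use a non-HTML sink; textContent is never parsed as markup.
function greetText(el, search) {
  el.textContent = 'Hello ' + getParam(search, 'name');
  return el.textContent;
}

// Sink check for a review or a unit test: if the parameter contained '<' and
// the string handed to innerHTML still contains the parameter verbatim, the
// encoding step was skipped.
function inputReachesMarkup(html, param) {
  return param.includes('<') && html.includes(param);
}

// Constructed sample: the payload quoted in the post, URL-encoded as it would
// appear in location.search.
const SAMPLE_SEARCH = '?name=' + encodeURIComponent('<img src="" onerror=alert(123)>');

// Run all three renderers over the sample and report what reached each sink.
function demo() {
  const param = getParam(SAMPLE_SEARCH, 'name');
  const unsafe = greetUnsafe({}, SAMPLE_SEARCH);
  const encoded = greetEncoded({}, SAMPLE_SEARCH);
  const text = greetText({}, SAMPLE_SEARCH);
  return {
    unsafe,
    encoded,
    text,
    unsafeLeaksMarkup: inputReachesMarkup(unsafe, param),   // true
    encodedLeaksMarkup: inputReachesMarkup(encoded, param), // false
  };
}

console.log(demo());
```

The encoding belongs immediately before the sink, not at input time: the mXSS scenario above is exactly the case where a value encoded early is decoded again on a later trip through the DOM, so a value that was safe when stored is live markup by the time it reaches innerHTML. Where the page does not need to render HTML at all, textContent removes the problem rather than encoding around it.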
