[Owasp-leaders] OWASP DOM based XSS definition, which looked a little off

Serg serg at owasp.org
Tue Oct 22 11:05:18 UTC 2013


Hi All

I've recently had a look at the OWASP DOM based XSS definition, which
looked a little off.

The TL;DR version: the DOM based XSS definition according to OWASP (
https://www.owasp.org/index.php/DOM_Based_XSS) is only 50% correct (or the
pessimistic view - 50% wrong) and misleading.

I am basing this on the 'Definition' examples (
https://www.owasp.org/index.php/DOM_Based_XSS), not the 'Advanced
Techniques and Derivatives' section.

The first part of this document is incorrect.

In layman's terms, with Reflected XSS the request/JS is first sent to the
server; it is then reflected, as is, in the response, hence the name.

Example:

http://www.some.site/page.html?default=xss_attack_here

Since the query string gets sent to the server and reflected back, this is
a Reflected XSS, not DOM-based.

The 'xss_attack_here' part is irrelevant here. As long as it is sent to the
server and reflected back, it's a Reflected XSS vulnerability. Whether it
runs in DOM or not is irrelevant, technically everything runs in DOM...

My understanding of DOM based XSS is: it is processed entirely in the web
browser; the request with the XSS payload is not sent to the server.

As far as I know, the only way to achieve that is to use fragment
identifiers: the part of the URL after the '#' (including '#') is not sent
to the server as part of the request.

Based on that, I am fairly certain that the current OWASP definition (
https://www.owasp.org/index.php/DOM_Based_XSS) is wrong and misleading.


Thoughts?


-- 
Serg
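An added example, not part of Serg's post or of the OWASP page, that shows the distinction drawn above in Node-runnable JavaScript: which part of a URL the browser places in the HTTP request and which part stays client-side, plus a constructed client-side "default" renderer in its vulnerable string-concatenation form beside an escaping form. The function names and sample URLs are constructed for illustration.

```javascript
// Added example (not from the original post). Uses only the WHATWG URL API
// available in Node.js and browsers; the renderer is a constructed stand-in
// for client-side code that writes a URL parameter into the page.

// The request-target the browser sends to the server: path plus query string.
// The fragment ("#...") is never part of the HTTP request.
function serverVisiblePart(urlString) {
  const u = new URL(urlString);
  return u.pathname + u.search;
}

// The part of the URL that stays entirely in the browser.
function clientOnlyPart(urlString) {
  return new URL(urlString).hash;
}

// Client-side code may read "default" from the query string (server sees it:
// reflected) or from the fragment (server never sees it: DOM-based).
function readDefault(urlString) {
  const u = new URL(urlString);
  const fromQuery = u.searchParams.get('default');
  if (fromQuery !== null) return { source: 'query', value: fromQuery };
  const fragParams = new URLSearchParams(u.hash.replace(/^#/, ''));
  const fromFrag = fragParams.get('default');
  if (fromFrag !== null) return { source: 'fragment', value: fromFrag };
  return { source: 'none', value: '' };
}

// Vulnerable sink: the untrusted value is concatenated straight into markup.
function buildOptionUnsafe(value) {
  return '<OPTION value=1>' + value + '</OPTION>';
}

// Hardened sink: HTML-escape the value before it reaches markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function buildOptionSafe(value) {
  return '<OPTION value=1>' + escapeHtml(value) + '</OPTION>';
}

// Constructed sample URLs mirroring the post's example.
const queryUrl = 'http://www.some.site/page.html?default=xss_attack_here';
const fragUrl = 'http://www.some.site/page.html#default=xss_attack_here';
console.log(serverVisiblePart(queryUrl)); // "/page.html?default=xss_attack_here"
console.log(serverVisiblePart(fragUrl));  // "/page.html" (server never sees the payload)
console.log(buildOptionSafe('<b>x</b>')); // "<OPTION value=1>&lt;b&gt;x&lt;/b&gt;</OPTION>"
```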