[Owasp-leaders] OWASP DOM based XSS definition, which looked a little off

Sven Vetsch sven.vetsch at owasp.org
Tue Oct 22 13:15:51 UTC 2013


Hi Serg,
from my point of view, the http://www.some.site/page.html?default=xss_attack_here can be either a reflected or DOM based XSS just as Achim said. It mainly depends on when the parameter "default" is accessed and put into a context where it becomes executable.

Reflected XSS (server side code):
<?php
  // Untrusted query parameter written straight into the response body:
  // the server itself reflects it, so this is reflected XSS.
  echo $_GET['default'];
?>

DOM based XSS:
<html>
  <head>
    <!-- $.url().param() is a jQuery URL plugin; the server never reads "default",
         only this client-side script does, and it passes the value to eval(). -->
    <script>eval($.url().param('default'));</script>
  </head>
</html>

In the DOM based example it's sent to the server but the server doesn't do anything with the parameter "default" that would lead to an XSS; the problem is within the JavaScript.

Best regards,
Sven

--
Sven Vetsch
Leader OWASP Switzerland
http://www.owasp.ch
https://www.twitter.com/OWASP_ch

On Oct 22, 2013, at 2:40 PM, Serg wrote:

> Achim
> 
> Actually I believe you've just described Reflected XSS.
> 
> This is my take on it, I haven't seen any 'sane' explanation of this
> anywhere yet... Here goes.
> 
> Whether it's run inside the <script> tag or as an attribute/event handler
> or anywhere else is largely irrelevant I think. The attack is not sent in
> the request and it is not reflected in the response. This is the main
> point. Using the other description, all XSS attacks are both: DOM and
> Reflected. Which is fine, it's only names, but why do we have two
> definition then?
> 
> DOM based XSS, my understanding, is an attack that is *not* sent to the
> server. Hence the fragments... using '#js_here' string will send the first
> part of the request to the server, but not the fragment...
> 
> 
> my 2c
> 
> 
> On Tue, Oct 22, 2013 at 11:16 PM, Achim <achim at owasp.org> wrote:
> 
>> Hi Serg,
>> 
>> you're 50% correct ;-)
>> 
>> your example
>>    http://www.some.site/page.html?default=xss_attack_here
>> 
>> can serve for both, reflected XSS and/or DOM-based XSS.
>> It's reflected as you described if the server sends it back and then will be
>> rendered, but it can also be DOM-based if the sent-back page makes use of
>> 'xss_attack_here' in its scripts.
>> 
>> In both cases it's entirely processed in the browser.
>> 
>> Does this make sense?
>> Achim
>> 
>> 
>> 
>> Am 22.10.2013 13:05, schrieb Serg:
>>> Hi All
>>> 
>>> I've recently had a look at the OWASP DOM based XSS definition, which
>>> looked a little off.
>>> 
>>> The TL;DR version: the DOM based XSS definition according to OWASP (
>>> https://www.owasp.org/index.php/DOM_Based_XSS) is only 50% correct (or the
>>> pessimistic view - 50% wrong) and misleading.
>>> 
>>> I am basing this on the 'Definition' examples (
>>> https://www.owasp.org/index.php/DOM_Based_XSS), not the 'Advanced
>>> Techniques and Derivatives' section.
>>> 
>>> The first part of this document is incorrect.
>>> 
>>> In layman's terms, the Reflected XSS, request/JS is first sent to the
>>> server, it is then reflected, as is, in the response, hence the name.
>>> 
>>> Example:
>>> 
>>> http://www.some.site/page.html?default=xss_attack_here
>>> 
>>> Since the query string gets sent to the server and reflected back, this is
>>> a Reflected XSS, not DOM-based.
>>> 
>>> The 'xss_attack_here' part is irrelevant here. As long as it is sent to the
>>> server and reflected back, it's a Reflected XSS vulnerability. Whether it
>>> runs in DOM or not is irrelevant, technically everything runs in DOM...
>>> 
>>> My understanding of DOM based XSS is: it is processed entirely in the web
>>> browser, the request with XSS payload is not sent to the server.
>>> 
>>> As far as I know, the only way to achieve that is to use fragment
>>> identifiers, the part of the URL after the '#' (including '#') is not sent
>>> to the server as part of the request.
>>> 
>>> Based on that, I am fairly certain that the current OWASP definition (
>>> https://www.owasp.org/index.php/DOM_Based_XSS) is wrong and misleading.
>>> 
>>> 
>>> Thoughts?
>> 
>> 
> 
> 
> -- 
> Serg
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
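The distinction the thread circles around (what the server receives versus what only client-side script can read, and the eval() sink in Sven's DOM-based snippet), as an added Node.js example that is not code from any of the participants. It assumes, as a constructed policy, that "default" selects a display language and so can be checked against an allowlist; there is no real page, jQuery or $.url() plugin involved.

```javascript
// Added example, not from the thread. Models URL handling only; no browser DOM.
// Assumption (constructed): "default" picks a display language.

// What the browser puts in the request line: path and query. The fragment
// (everything from '#') stays in the browser, which is Serg's point.
function requestTarget(urlString) {
  const u = new URL(urlString);
  return u.pathname + u.search;
}

// Server-side logging, filtering or a WAF can only inspect what
// requestTarget() returns, so a fragment-borne value never shows up there.
function serverCanSee(urlString, name) {
  return new URL(requestTarget(urlString), 'http://placeholder.invalid')
    .searchParams.has(name);
}

// What client-side script can read: the query, or the fragment parsed with
// the same syntax. A DOM-based sink may be fed from either channel, which is
// why Sven's ?default= page is DOM-based even though "default" did reach the
// server: the server never acted on it, only the script did.
function clientCanRead(urlString, name) {
  const u = new URL(urlString);
  if (u.searchParams.has(name)) return u.searchParams.get(name);
  return new URLSearchParams(u.hash.slice(1)).get(name);
}

// Hardened replacement for eval($.url().param('default')): the untrusted
// value is only compared against an allowlist, never evaluated or rendered
// as markup. Unknown values fall back to the first entry.
const ALLOWED_DEFAULTS = ['English', 'French', 'German'];
function chooseDefault(urlString) {
  const wanted = clientCanRead(urlString, 'default');
  return ALLOWED_DEFAULTS.includes(wanted) ? wanted : ALLOWED_DEFAULTS[0];
}

// Same parameter, two delivery channels.
const viaQuery = 'http://www.some.site/page.html?default=French';
const viaFragment = 'http://www.some.site/page.html#default=French';
console.log(requestTarget(viaQuery), serverCanSee(viaQuery, 'default'));
console.log(requestTarget(viaFragment), serverCanSee(viaFragment, 'default'));
console.log(chooseDefault(viaFragment),
  chooseDefault('http://www.some.site/page.html#default=not-a-language'));
```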