[Owasp-leaders] OWASP DOM based XSS definition, which looked a little off

johanna curiel curiel johanna.curiel at owasp.org
Wed Oct 23 00:38:22 UTC 2013

Hi Serg

I'm going to read your comments very carefully before I give my final humble
opinion, but I think for sure that we should take a look at this since
during the Mentor summit - Google Summer of Code, which I had the
opportunity to assist last weekend, a very respectful and blackhat speaker
this year mentioned to me that there is a lot of info in the OWASP wiki
that is not correct. You might have found this issue, however I would like
to back up my info with good references and resources (that does not take
away that what you have mentioned is correct).



On Tue, Oct 22, 2013 at 7:05 AM, Serg <serg at owasp.org> wrote:

> Hi All
> I've recently had a look at the OWASP DOM based XSS definition, which
> looked a little off.
> The TL;DR version: the DOM based XSS definition according to OWASP (
> https://www.owasp.org/index.php/DOM_Based_XSS) is only 50% correct (or
> the pessimistic view - 50% wrong) and misleading.
> I am basing this on the 'Definition' examples (
> https://www.owasp.org/index.php/DOM_Based_XSS), not the 'Advanced
> Techniques and Derivatives' section.
> The first part of this document is incorrect.
> In layman's terms, in Reflected XSS the request/JS is first sent to the
> server, and it is then reflected, as is, in the response, hence the name.
> Example:
> http://www.some.site/page.html?default=xss_attack_here
> Since the query string gets sent to the server and reflected back, this is
> a Reflected XSS, not DOM-based.
> The 'xss_attack_here' part is irrelevant here. As long as it is sent to
> the server and reflected back, it's a Reflected XSS vulnerability. Whether
> it runs in DOM or not is irrelevant, technically everything runs in DOM...
> My understanding of DOM based XSS is: it is processed entirely in the web
> browser, and the request with the XSS payload is not sent to the server.
> As far as I know, the only way to achieve that is to use fragment
> identifiers, the part of the URL after the '#' (including '#') is not sent
> to the server as part of the request.
> Based on that, I am fairly certain that the current OWASP definition (
> https://www.owasp.org/index.php/DOM_Based_XSS) is wrong and misleading.
> Thoughts?
> --
> Serg
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
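The distinction Serg draws above, as an added example that is not part of either message: a URL is split the way a browser splits it before sending the request (query on the wire, fragment kept client-side), and a `document.write`-style sink that builds an `<option>` from the `default` parameter is shown beside an escaped version. That the OWASP page's example builds an `<option>` is an assumption; the payload string is constructed for illustration.

```javascript
// Added example (not from the thread). Models what a browser sends versus
// what only client-side script can read, then a vulnerable and a hardened
// sink for the `default` parameter discussed above.

// Everything up to and including the query is transmitted to the server;
// the fragment ('#...') never leaves the browser, so a payload placed there
// cannot be reflected by the server and is only reachable by DOM sinks.
function splitRequestAndFragment(href) {
  const u = new URL(href);
  return {
    sentToServer: u.pathname + u.search, // visible to server-side logs/filters
    clientOnly: u.hash,                  // not part of the HTTP request
  };
}

// Reads `default` from the fragment only (e.g. page.html#default=French),
// the purely client-side channel Serg describes. Returns "" when absent.
function defaultFromFragment(href) {
  const hash = new URL(href).hash.replace(/^#/, "");
  const v = new URLSearchParams(hash).get("default");
  return v === null ? "" : v;
}

// Vulnerable sink (assumed shape of the OWASP example): concatenates the
// parameter straight into markup, so markup characters become live HTML.
function vulnerableWidget(paramValue) {
  return "<option value='" + paramValue + "'>" + paramValue + "</option>";
}

// Minimal HTML escaping covering text and quoted-attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened sink: the same widget, but the untrusted value is escaped before
// it is joined into markup, whichever source (query or fragment) it came from.
function hardenedWidget(paramValue) {
  const safe = escapeHtml(paramValue);
  return "<option value='" + safe + "'>" + safe + "</option>";
}
```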