[Owasp-leaders] OWASP DOM based XSS definition, which looked a little off

Neil Smithline neil.smithline at owasp.org
Wed Oct 23 02:56:34 UTC 2013


For kicks I googled DOM XSS. The first three links were to OWASP (go
OWASP!). I ignored those as I consider them tainted references. The next
four links were:

   - http://j.mp/1626ZMW
   - http://j.mp/16ry5iN
   - http://j.mp/1ccJUMp
   - http://j.mp/He1yS8

At least to me, all of the references seem to say that DOM XSS is based on
where in the browser the unsanitized data is used in a risky manner and not
how the data got there. The last reference above is from the MediaWiki's
development guide. It succinctly states:

This class of XSS is distinct from Reflective XSS (type-1 XSS) and Stored
XSS (type-2 XSS), since the server is not returning executable JavaScript
to the browser. Instead, data that has been sanitized by the server, or
possibly never sent to the server, is converted to executable JavaScript by
the existing code running on the page.

Neil


On Tue, Oct 22, 2013 at 8:38 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Hi Serg
>
> I'm going to read your comments very carefully before I give my final
> humble opinion, but I think for sure that we should take a look at this,
> since during the Mentor Summit - Google Summer of Code, which I had the
> opportunity to attend last weekend, a very respected Black Hat speaker
> this year mentioned to me that there is a lot of info in the OWASP wiki
> that is not correct. You might have found this issue; however, I would like
> to back up my info with good references and resources (that does not take
> away from the fact that what you have mentioned is correct).
>
> regards
>
> Johanna
>
>
>
> On Tue, Oct 22, 2013 at 7:05 AM, Serg <serg at owasp.org> wrote:
>
>> Hi All
>>
>> I've recently had a look at the OWASP DOM based XSS definition, which
>> looked a little off.
>>
>> The TL;DR version: the DOM based XSS definition according to OWASP (
>> https://www.owasp.org/index.php/DOM_Based_XSS) is only 50% correct (or
>> the pessimistic view - 50% wrong) and misleading.
>>
>> I am basing this on the 'Definition' examples (
>> https://www.owasp.org/index.php/DOM_Based_XSS), not the 'Advanced
>> Techniques and Derivatives' section.
>>
>> The first part of this document is incorrect.
>>
>> In layman's terms, with Reflected XSS the request/JS is first sent to the
>> server; it is then reflected, as is, in the response, hence the name.
>>
>> Example:
>>
>> http://www.some.site/page.html?default=xss_attack_here
>>
>> Since the query string gets sent to the server and reflected back, this
>> is a Reflected XSS, not DOM-based.
>>
>> The 'xss_attack_here' part is irrelevant here. As long as it is sent to
>> the server and reflected back, it's a Reflected XSS vulnerability. Whether
>> it runs in DOM or not is irrelevant, technically everything runs in DOM...
>>
>> My understanding of DOM based XSS is: it is processed entirely in the
>> web browser; the request with the XSS payload is not sent to the server.
>>
>> As far as I know, the only way to achieve that is to use fragment
>> identifiers: the part of the URL after the '#' (including '#') is not sent
>> to the server as part of the request.
>>
>> Based on that, I am fairly certain that the current OWASP definition (
>> https://www.owasp.org/index.php/DOM_Based_XSS) is wrong and misleading.
>>
>>
>> Thoughts?
>>
>>
>> --
>> Serg
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
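The two URL shapes Serg contrasts (a `default` parameter in the query string versus in the fragment) and the client-side source-to-sink flow the MediaWiki quote describes, as an added example that is not part of any message in this thread and not taken from the OWASP wiki page under discussion. The page under test, the `default` parameter, the language allowlist and the `<img onerror>` payload are constructed for illustration; the function names are assumptions of this example.

```javascript
// Added example (not from the thread or the OWASP wiki page). Runs under Node.
// It shows (1) which part of a URL the browser actually sends to the server,
// (2) a client-side "source" that reads data the server never saw, and
// (3) a vulnerable "sink" beside a hardened one.

// Constructed sample payload; it is never executed here, only rendered as text.
const PAYLOAD = '<img src=x onerror=alert(1)>';

// Constructed URLs: same page, same parameter, carried in the query vs. the fragment.
const QUERY_URL = 'http://www.some.site/page.html?default=' + encodeURIComponent(PAYLOAD);
const FRAGMENT_URL = 'http://www.some.site/page.html#default=' + encodeURIComponent(PAYLOAD);

// What ends up in the HTTP request line: path and query only. Everything from
// '#' onwards is never transmitted, so the server can neither reflect nor
// sanitize it (Serg's point about fragment identifiers).
function requestTarget(urlString) {
  const u = new URL(urlString);
  return u.pathname + u.search;
}

// Source: page script reading "default" out of location.hash (simulated via URL).
// For a URL that carries the data in the query instead, this returns null.
function readDefaultFromFragment(urlString) {
  const u = new URL(urlString);
  const params = new URLSearchParams(u.hash.replace(/^#/, ''));
  return params.get('default');
}

// Vulnerable sink: fragment data concatenated straight into markup that the
// page would hand to document.write or innerHTML. The payload reaches the
// DOM unchanged even though the server sanitized nothing and saw nothing.
function buildOptionVulnerable(value) {
  return '<OPTION value="' + value + '">' + value + '</OPTION>';
}

// Hardened sink, two layers: (a) only accept values from a known allowlist
// (assumed set of language names for this example), falling back to the
// first entry; (b) HTML-escape whatever is written anyway.
const ALLOWED_DEFAULTS = ['English', 'French', 'German'];

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

function buildOptionSafe(value) {
  const chosen = ALLOWED_DEFAULTS.includes(value) ? value : ALLOWED_DEFAULTS[0];
  return '<OPTION value="' + escapeHtml(chosen) + '">' + escapeHtml(chosen) + '</OPTION>';
}

// Walk both URLs through the same client-side code path and collect results.
function demo() {
  return {
    serverSeesForQueryUrl: requestTarget(QUERY_URL),
    serverSeesForFragmentUrl: requestTarget(FRAGMENT_URL),
    clientReadsFromQueryUrl: readDefaultFromFragment(QUERY_URL),
    clientReadsFromFragmentUrl: readDefaultFromFragment(FRAGMENT_URL),
    vulnerableMarkup: buildOptionVulnerable(readDefaultFromFragment(FRAGMENT_URL)),
    hardenedMarkup: buildOptionSafe(readDefaultFromFragment(FRAGMENT_URL)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The fragment variant yields a request line of `/page.html` with no trace of the payload, while the page script still recovers the full `<img ...>` string and, through the vulnerable sink, writes it into the document; the hardened sink rejects it and emits the escaped allowlisted value. The allowlist is the real control here; the escaping is defence in depth for the case where the sink is later reused with values that are not enumerable.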