[Owasp-leaders] OWASP DOM based XSS definition, which looked a little off

Tobias Glemser tobias.glemser at owasp.org
Wed Oct 23 18:00:36 UTC 2013


Hi,

> If you take a look at my link, we actually identified five :) And then there is
> universal XSS (in browser plugins/extensions). So maybe six.
I did. But I did not point out why "Source/Sink: Browser" is not necessary
IMHO in my last mail, sorry about that. For me it's just getting to
"complex" without having a clear benefit to me.

For me "Stored" or persistent means the Payload is stored somewhere and is
loaded each time the user hits the application. This could be 
 - the application database
 - Browser DB 
 - Cookie
 - ...

Of course it's important to know where it is stored. But the developer advice
would be "sanitise your data each time you store it, client- or server-side"
and "if you load stored data you want to sanitise again".

So if you would change the definition for Stored from "Untrusted data is
stored server side" to "Untrusted data is stored" it would be just four :)

> I would call that "remote code execution".
Obviously we all agree, it's not XSS :) If we take the Top10 wording as a
reference I would call it "code injection". 

Best 

Tobias

> -----Original Message-----
> From: Erlend Oftedal [mailto:erlend.oftedal at owasp.org]
> Sent: Wednesday, 23 October 2013 19:43
> To: Tobias Glemser
> Cc: owasp-leaders at lists.owasp.org
> Subject: SV: [Owasp-leaders] OWASP DOM based XSS definition, which
> looked a little off [ Z1 UNGESICHERT ]
> 
> If you take a look at my link, we actually identified five :) And then there is
> universal XSS (in browser plugins/extensions). So maybe six.
> 
> Erlend
> From: Tobias Glemser
> Sent: 23.10.2013 17:38
> To: Erlend Oftedal
> Cc: owasp-leaders at lists.owasp.org
> Subject: AW: [Owasp-leaders] OWASP DOM based XSS definition, which
> looked a little off
> 
> Erlend,
> 
> > The gist of it is, that reflected/persisted is about source, and
> > DOM-based is more about sink.
> +1
> 
> I've been saying for years that we've got:
>  - reflected XSS server side
>  - reflected XSS client side ("DOM-based")
>  - persistent XSS server side
>  - persistent XSS client side ("DOM-based")
> 
> So it's four and not three types (like claimed over the years, even by me ;)
> 
> Best
> 
> Tobias
> 
> 
> > -----Original Message-----
> > From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-
> > bounces at lists.owasp.org] On Behalf Of Erlend Oftedal
> > Sent: Wednesday, 23 October 2013 12:08
> > To: Neil Smithline
> > Cc: owasp-leaders at lists.owasp.org
> > Subject: Re: [Owasp-leaders] OWASP DOM based XSS definition, which
> > looked a little off [ Z1 UNGESICHERT ]
> >
> > We had a small discussion on twitter yesterday with amongst others
> > @wisecwisec (the author of the domxsswiki and Dominator Pro).
> > I tried to summarize the discussion in this small table:
> > http://erlend.oftedal.no/blog/research/xss/index.html
> >
> >
> > The gist of it is, that reflected/persisted is about source, and
> > DOM-based is more about sink. So you can combine them and end up with
> > things like reflected DOM-based XSS or persistent server-generated XSS.
> >
> > Erlend
> >
> >
> > On Wed, Oct 23, 2013 at 4:56 AM, Neil Smithline
> > <neil.smithline at owasp.org> wrote:
> >
> >
> > For kicks I googled DOM XSS. The first three links were to OWASP (go
> > OWASP!). I ignored those as I consider them tainted references. The
> > next four links were:
> >
> > * http://j.mp/1626ZMW
> > * http://j.mp/16ry5iN
> > * http://j.mp/1ccJUMp
> > * http://j.mp/He1yS8
> >
> >
> > At least to me, all of the references seem to say that DOM XSS is
> > based on where in the browser the unsanitized data is used in a risky
> > manner and not how the data got there. The last reference above is from
> > MediaWiki's development guide. It succinctly states:
> >
> >     This class of XSS is distinct from Reflective XSS (type-1 XSS)
> >     and Stored XSS (type-2 XSS), since the server is not returning
> >     executable JavaScript to the browser. Instead, data that has been
> >     sanitized by the server, or possibly never sent to the server, is
> >     converted to executable JavaScript by the existing code running on
> >     the page.
> >
> >
> >
> >
> > Neil
> >
> > On Tue, Oct 22, 2013 at 8:38 PM, johanna curiel curiel
> > <johanna.curiel at owasp.org> wrote:
> >
> > Hi Serg
> >
> > I'm going to read your comments very carefully before I give my final
> > humble opinion, but I think for sure that we should take a look at
> > this since during the Mentor summit - Google Summer of Code, which I
> > had the opportunity to assist last weekend, a very respectful and
> > blackhat speaker this year mentioned to me that there is a lot of info
> > in the OWASP wiki that is not correct. You might have found this
> > issue, however I would like to back up my info with good references
> > and resources (that does not take away that what you have mentioned
> > is correct)
> >
> > regards
> >
> > Johanna
> >
> >
> >
> >
> > On Tue, Oct 22, 2013 at 7:05 AM, Serg <serg at owasp.org> wrote:
> >
> > Hi All
> >
> > I've recently had a look at the OWASP DOM based XSS definition,
> > which looked a little off.
> >
> > The TL;DR version: the DOM based XSS definition according to OWASP
> > (https://www.owasp.org/index.php/DOM_Based_XSS) is only 50% correct
> > (or the pessimistic view - 50% wrong) and misleading.
> >
> > I am basing this on the 'Definition' examples
> > (https://www.owasp.org/index.php/DOM_Based_XSS), not the 'Advanced
> > Techniques and Derivatives' section.
> >
> > The first part of this document is incorrect.
> >
> > In layman's terms, in Reflected XSS the request/JS is first sent to
> > the server, it is then reflected, as is, in the response, hence the
> > name.
> >
> > Example:
> >
> > http://www.some.site/page.html?default=xss_attack_here
> >
> > Since the query string gets sent to the server and reflected back,
> > this is a Reflected XSS, not DOM-based.
> >
> > The 'xss_attack_here' part is irrelevant here. As long as it is sent
> > to the server and reflected back, it's a Reflected XSS vulnerability.
> > Whether it runs in DOM or not is irrelevant, technically everything
> > runs in DOM...
> >
> > My understanding of DOM based XSS is: it is processed entirely in
> > the web browser, the request with XSS payload is not sent to the
> > server.
> >
> > As far as I know, the only way to achieve that is to use fragment
> > identifiers, the part of the URL after the '#' (including '#') is
> > not sent to the server as part of the request.
> >
> > Based on that, I am fairly certain that the current OWASP definition
> > (https://www.owasp.org/index.php/DOM_Based_XSS) is wrong and
> > misleading.
> >
> > Thoughts?
> >
> > --
> > Serg
> >
> >
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
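An added example in JavaScript, not code from the thread or from OWASP, for the source-versus-sink point argued above: it assumes a hypothetical page script that reads a `default` parameter, shows what the server actually receives for the `page.html?default=` URL Serg cites versus a fragment-carried value, and encodes the value before it reaches an HTML sink, because the sink, not the source, decides whether the data executes.

```javascript
// Added example (not from the thread): why a fragment-carried value never
// reaches the server, and why the sink still has to encode whatever it gets.

// Bytes that go on the wire: path + query. The fragment (from '#' on) stays
// in the browser, so no server-side filter, WAF or access log ever sees it.
function requestTarget(rawUrl) {
  const u = new URL(rawUrl);
  return u.pathname + u.search;
}

// Read "default" the way a client-side script might: from the query string
// (a source reflected through the server) or from the fragment (client-only).
function extractDefault(rawUrl) {
  const u = new URL(rawUrl);
  const fromQuery = u.searchParams.get("default");
  if (fromQuery !== null) return { source: "query", value: fromQuery };
  const fromFragment = new URLSearchParams(u.hash.slice(1)).get("default");
  if (fromFragment !== null) return { source: "fragment", value: fromFragment };
  return null;
}

// HTML-context encoder for a markup sink (innerHTML); a text sink such as
// textContent would need no encoding at all.
function htmlEscape(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// The markup a client-side renderer would hand to innerHTML: encoded whatever
// the source was, which is what makes both DOM-based variants safe here.
function renderDefaultMarkup(rawUrl) {
  const found = extractDefault(rawUrl);
  if (found === null) return "<span>Default: (none)</span>";
  return `<span data-source="${found.source}">Default: ${htmlEscape(found.value)}</span>`;
}

// Constructed sample URLs: a query value (seen by the server) and a fragment
// value carrying harmless markup (never sent to the server).
console.log(requestTarget("http://www.some.site/page.html?default=xss_attack_here"));
console.log(requestTarget("http://www.some.site/page.html#default=%3Cb%3Ehello%3C%2Fb%3E"));
console.log(renderDefaultMarkup("http://www.some.site/page.html#default=%3Cb%3Ehello%3C%2Fb%3E"));
```

A server-side classification by request path alone would label the second URL as harmless, which is exactly the gap the client-side encoding closes.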


