[Owasp-leaders] OWASP DOM based XSS definition, which looked a little off

Eoin Keary eoin.keary at owasp.org
Wed Oct 23 18:13:50 UTC 2013


My view on this is like chocolate.
80% cocoa, 70%? 40% but it's all chocolate.

DOM XSS is rendered via JavaScript (sink); Reflected is not, but rather simple reflection.

DOM may or may not go to the server but is rendered in JavaScript.
Anchors (#) are a good example of not going to the server, but not the only examples of DOM.


Eoin Keary
Owasp Global Board
+353 87 977 2988


On 23 Oct 2013, at 03:56, Neil Smithline <neil.smithline at owasp.org> wrote:

> For kicks I googled DOM XSS. The first three links were to OWASP (go OWASP!). I ignored those as I consider them tainted references. The next four links were:
> http://j.mp/1626ZMW
> http://j.mp/16ry5iN
> http://j.mp/1ccJUMp
> http://j.mp/He1yS8
> At least to me, all of the references seem to say that DOM XSS is based on where in the browser the unsanitized data is used in a risky manner and not how the data got there. The last reference above is from the MediaWiki's development guide. It succinctly states:
> This class of XSS is distinct from Reflective XSS (type-1 XSS) and Stored XSS (type-2 XSS), since the server is not returning executable JavaScript to the browser. Instead, data that has been sanitized by the server, or possibly never sent to the server, is converted to executable JavaScript by the existing code running on the page.
> Neil
> 
> 
> On Tue, Oct 22, 2013 at 8:38 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>> Hi Serg
>> 
>> I'm going to read your comments very carefully before I give my final humble opinion, but I think for sure that we should take a look at this, since during the Mentor Summit - Google Summer of Code, which I had the opportunity to attend last weekend, a very respectful and blackhat speaker this year mentioned to me that there is a lot of info in the OWASP wiki that is not correct. You might have found this issue; however, I would like to back up my info with good references and resources (that does not take away that what you have mentioned is correct)
>> 
>> regards
>> 
>> Johanna
>> 
>> 
>> 
>> On Tue, Oct 22, 2013 at 7:05 AM, Serg <serg at owasp.org> wrote:
>>> Hi All
>>> 
>>> I've recently had a look at the OWASP DOM based XSS definition, which looked a little off.
>>> 
>>> The TL;DR version: the DOM based XSS definition according to OWASP (https://www.owasp.org/index.php/DOM_Based_XSS) is only 50% correct (or the pessimistic view - 50% wrong) and misleading.
>>> 
>>> I am basing this on the 'Definition' examples (https://www.owasp.org/index.php/DOM_Based_XSS), not the 'Advanced Techniques and Derivatives' section.
>>> The first part of this document is incorrect. 
>>> 
>>> In layman's terms, with Reflected XSS the request/JS is first sent to the server; it is then reflected, as is, in the response, hence the name.
>>> 
>>> Example:
>>> 
>>> http://www.some.site/page.html?default=xss_attack_here
>>> 
>>> Since the query string gets sent to the server and reflected back, this is a Reflected XSS, not DOM-based.
>>> 
>>> The 'xss_attack_here' part is irrelevant here. As long as it is sent to the server and reflected back, it's a Reflected XSS vulnerability. Whether it runs in DOM or not is irrelevant, technically everything runs in DOM... 
>>> My understanding of DOM based XSS is: it is processed entirely in the web browser; the request with the XSS payload is not sent to the server.
>>> 
>>> As far as I know, the only way to achieve that is to use fragment identifiers: the part of the URL after the '#' (including '#') is not sent to the server as part of the request.
>>> 
>>> Based on that, I am fairly certain that the current OWASP definition (https://www.owasp.org/index.php/DOM_Based_XSS) is wrong and misleading.
>>> 
>>> 
>>> Thoughts?
>>> 
>>> 
>>> 
>>> -- 
>>> Serg
>>> 
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> 
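The distinction the thread turns on, as an added example that is not from any message in it or from the OWASP wiki page: which part of the URL the server actually receives, and an HTML-interpreting sink beside an escaping one. It runs under Node with no browser, the sink is modelled as the HTML string that would be handed to innerHTML or document.write, and the hostname, the parameter name `default` and the sample fragments are assumptions.

```javascript
// Added example, not from the thread or the OWASP wiki page. The sample URL
// reuses the thread's hostname and the parameter name "default" (assumed).

// What the browser puts on the HTTP request line: path and query only.
// Everything from '#' onward stays in the browser, so server-side
// validation, output encoding and request logging never see it.
function requestTarget(urlString) {
  const u = new URL(urlString);
  return u.pathname + u.search;
}

// The two URL-derived sources a page script can read. location.hash is
// percent-encoded, so typical page code decodes it first.
function clientSources(urlString) {
  const u = new URL(urlString);
  return {
    query: u.searchParams.get('default') || '',     // from location.search
    fragment: decodeURIComponent(u.hash.slice(1)),  // from location.hash
  };
}

function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable shape: the fragment is concatenated straight into markup that
// an HTML-interpreting sink (innerHTML, document.write) would parse. This is
// the DOM-based case: the data never reached the server, so only the
// client-side code can stop it.
function renderUnsafe(urlString) {
  const { fragment } = clientSources(urlString);
  return '<option selected>' + fragment + '</option>';
}

// Hardened shape: same source, same sink, but the value is escaped first
// (in a real page, assigning textContent to an element does the same job).
function renderSafe(urlString) {
  const { fragment } = clientSources(urlString);
  return '<option selected>' + htmlEscape(fragment) + '</option>';
}

// Reviewer self-check: does markup carried in the fragment survive into the
// HTML the browser will parse? true for renderUnsafe, false for renderSafe.
function markupSurvives(renderer, urlString) {
  const { fragment } = clientSources(urlString);
  return /[<>]/.test(fragment) && renderer(urlString).includes(fragment);
}
```

Because requestTarget drops the fragment, a server-side filter or log review cannot catch what renderUnsafe does with it; the fix has to live in the page script.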