[Owasp-leaders] OWASP DOM based XSS definition, which looked a little off
eoin.keary at owasp.org
Wed Oct 23 18:13:50 UTC 2013
My view on this is like chocolate.
80% cocoa, 70%? 40% but it's all chocolate.
Anchors (#) are a good example of not going to the server, but not the only examples of DOM.
Owasp Global Board
+353 87 977 2988
On 23 Oct 2013, at 03:56, Neil Smithline <neil.smithline at owasp.org> wrote:
> For kicks I googled DOM XSS. The first three links were to OWASP (go OWASP!). I ignored those as I consider them tainted references. The next four links were:
> At least to me, all of the references seem to say that DOM XSS is based on where in the browser the unsanitized data is used in a risky manner and not how the data got there. The last reference above is from MediaWiki's development guide. It succinctly states:
> On Tue, Oct 22, 2013 at 8:38 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>> Hi Serg
>> I'm going to read your comments very carefully before I give my final humble opinion, but I think for sure that we should take a look at this since during the Mentor Summit - Google Summer of Code, which I had the opportunity to assist last weekend, a very respectful and blackhat speaker this year mentioned to me that there is a lot of info in the OWASP wiki that is not correct. You might have found this issue, however I would like to back up my info with good references and resources (that does not take away that what you have mentioned is correct).
>> On Tue, Oct 22, 2013 at 7:05 AM, Serg <serg at owasp.org> wrote:
>>> Hi All
>>> I've recently had a look at the OWASP DOM based XSS definition, which looked a little off.
>>> The TL;DR version: the DOM based XSS definition according to OWASP (https://www.owasp.org/index.php/DOM_Based_XSS) is only 50% correct (or the pessimistic view - 50% wrong) and misleading.
>>> I am basing this on the 'Definition' examples (https://www.owasp.org/index.php/DOM_Based_XSS), not the 'Advanced Techniques and Derivatives' section.
>>> The first part of this document is incorrect.
>>> In layman's terms, with Reflected XSS the request/JS is first sent to the server; it is then reflected, as is, in the response, hence the name.
>>> Since the query string gets sent to the server and reflected back, this is a Reflected XSS, not DOM-based.
>>> The 'xss_attack_here' part is irrelevant here. As long as it is sent to the server and reflected back, it's a Reflected XSS vulnerability. Whether it runs in DOM or not is irrelevant, technically everything runs in DOM...
>>> My understanding of DOM based XSS is that it is processed entirely in the web browser; the request with the XSS payload is not sent to the server.
>>> As far as I know, the only way to achieve that is to use fragment identifiers: the part of the URL after the '#' (including '#') is not sent to the server as part of the request.
>>> Based on that, I am fairly certain that the current OWASP definition (https://www.owasp.org/index.php/DOM_Based_XSS) is wrong and misleading.
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org