[Owasp-leaders] OWASP DOM based XSS definition, which looked a little off

Seba seba at owasp.org
Wed Oct 23 19:56:03 UTC 2013


hm, in Belgium we take percentage of cacao very seriously :-)
Seba


On Wed, Oct 23, 2013 at 8:13 PM, Eoin Keary <eoin.keary at owasp.org> wrote:

> My view on this is like chocolate.
> 80% cocoa, 70%? 40% but it's all chocolate.
>
> DOM XSS is rendered via JavaScript (sink); Reflected is not, but is rather
> simple reflection.
>
> DOM may or may not go to the server but is rendered in JavaScript.
> Anchors (#) are a good example of not going to the server but not the only
> examples of DOM.
>
>
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>
>
> On 23 Oct 2013, at 03:56, Neil Smithline <neil.smithline at owasp.org> wrote:
>
> For kicks I googled DOM XSS. The first three links were to OWASP (go
> OWASP!). I ignored those as I consider them tainted references. The next
> four links were:
>
>    - http://j.mp/1626ZMW
>    - http://j.mp/16ry5iN
>    - http://j.mp/1ccJUMp
>    - http://j.mp/He1yS8
>
> At least to me, all of the references seem to say that DOM XSS is based on
> where in the browser the unsanitized data is used in a risky manner and not
> how the data got there. The last reference above is from MediaWiki's
> development guide. It succinctly states:
>
> This class of XSS is distinct from Reflective XSS (type-1 XSS) and Stored
> XSS (type-2 XSS), since the server is not returning executable JavaScript
> to the browser. Instead, data that has been sanitized by the server, or
> possibly never sent to the server, is converted to executable JavaScript by
> the existing code running on the page.
>
> Neil
>
>
> On Tue, Oct 22, 2013 at 8:38 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> Hi Serg
>>
>> I'm going to read your comments very carefully before I give my final
>> humble opinion, but I think for sure that we should take a look at this,
>> since during the Mentor Summit - Google Summer of Code, which I had the
>> opportunity to attend last weekend, a very respectful and blackhat speaker
>> this year mentioned to me that there is a lot of info in the OWASP wiki
>> that is not correct. You might have found this issue; however, I would like
>> to back up my info with good references and resources (that does not take
>> away that what you have mentioned is correct).
>>
>> regards
>>
>> Johanna
>>
>>
>>
>> On Tue, Oct 22, 2013 at 7:05 AM, Serg <serg at owasp.org> wrote:
>>
>>> Hi All
>>>
>>> I've recently had a look at the OWASP DOM based XSS definition, which
>>> looked a little off.
>>>
>>> The TL;DR version: the DOM based XSS definition according to OWASP (
>>> https://www.owasp.org/index.php/DOM_Based_XSS) is only 50% correct (or
>>> the pessimistic view - 50% wrong) and misleading.
>>>
>>> I am basing this on the 'Definition' examples (
>>> https://www.owasp.org/index.php/DOM_Based_XSS), not the 'Advanced
>>> Techniques and Derivatives' section.
>>>
>>> The first part of this document is incorrect.
>>>
>>> In layman's terms, in Reflected XSS the request/JS is first sent to the
>>> server; it is then reflected, as is, in the response, hence the name.
>>>
>>> Example:
>>>
>>> http://www.some.site/page.html?default=xss_attack_here
>>>
>>> Since the query string gets sent to the server and reflected back, this
>>> is a Reflected XSS, not DOM-based.
>>>
>>> The 'xss_attack_here' part is irrelevant here. As long as it is sent to
>>> the server and reflected back, it's a Reflected XSS vulnerability. Whether
>>> it runs in DOM or not is irrelevant, technically everything runs in DOM...
>>>
>>> My understanding of DOM based XSS is: it is processed entirely in the
>>> web browser; the request with the XSS payload is not sent to the server.
>>>
>>> As far as I know, the only way to achieve that is to use fragment
>>> identifiers: the part of the URL after the '#' (including '#') is not sent
>>> to the server as part of the request.
>>>
>>> Based on that, I am fairly certain that the current OWASP definition (
>>> https://www.owasp.org/index.php/DOM_Based_XSS) is wrong and misleading.
>>>
>>>
>>> Thoughts?
>>>
>>>
>>> --
>>> Serg
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>
>>
>>
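Added example, written for this page and not code from any participant in the thread or from OWASP: a small Node script (WHATWG URL class) that makes the two points above concrete. First, the request target a browser sends contains the path and query but never the fragment, so a value supplied after '#' is invisible to the server and to any server-side filter, which is Serg's fragment case; a value in the query string does reach the server, which is Eoin's "may or may not go to the server" case. Second, what makes the client-side case DOM XSS is the sink: page script concatenating fragment-derived data into markup for an HTML sink, and the fix is contextual encoding (or a text sink) before the value gets there. The `page.html` URL and the `default` parameter come from Serg's example; the values `French` and `<i>French</i>`, the `<option>` markup and all function names are constructed for this example.

```javascript
// Added example, not code from the OWASP-Leaders thread. Runs under Node (WHATWG URL class).
// Models Serg's URL http://www.some.site/page.html?default=... with the constructed values
// "French" and "<i>French</i>"; every function name here is hypothetical.

// What a browser puts in the request line: path and query only. The fragment (u.hash) is
// deliberately not included, which is why fragment-borne data never reaches the server.
function requestTarget(urlString) {
  const u = new URL(urlString);
  return u.pathname + u.search;
}

// Where the named parameter was supplied. "reaches-server" means a server-side filter or
// log can see it (reflected XSS territory); "client-only" means only page script can see
// it (the fragment case Serg describes).
function classifySource(urlString, paramName) {
  const u = new URL(urlString);
  if (u.searchParams.has(paramName)) return 'reaches-server';
  const fragmentParams = new URLSearchParams(u.hash.slice(1));
  if (fragmentParams.has(paramName)) return 'client-only';
  return 'absent';
}

// Reads the value the way client-side code in the DOM XSS case would: from the fragment,
// with no server round trip. The URL parser percent-encodes '<' and '>' in the fragment;
// URLSearchParams decodes them again, so the original text comes back.
function defaultFromFragment(urlString) {
  const u = new URL(urlString);
  return new URLSearchParams(u.hash.slice(1)).get('default') ?? '';
}

// Contextual output encoding for an HTML text or attribute context.
function encodeForHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// DOM XSS pattern: untrusted fragment data concatenated straight into markup destined for
// an HTML sink (innerHTML, document.write). Nothing here touched the server, so no
// server-side control could have seen the value.
function renderDefaultVulnerable(urlString) {
  return '<option selected>' + defaultFromFragment(urlString) + '</option>';
}

// Mitigation: encode for the HTML context before the value reaches the sink (or use a text
// sink such as textContent and skip building markup from the value altogether).
function renderDefaultSafe(urlString) {
  return '<option selected>' + encodeForHtml(defaultFromFragment(urlString)) + '</option>';
}

// Stand-alone demo with the constructed URLs.
const reflectedStyle = 'http://www.some.site/page.html?default=French';
const domStyle = 'http://www.some.site/page.html#default=<i>French</i>';
console.log(requestTarget(reflectedStyle), classifySource(reflectedStyle, 'default'));
console.log(requestTarget(domStyle), classifySource(domStyle, 'default'));
console.log('vulnerable sink input:', renderDefaultVulnerable(domStyle));
console.log('encoded sink input:   ', renderDefaultSafe(domStyle));
```

Running it prints `/page.html?default=French reaches-server` for the query form and `/page.html client-only` for the fragment form; the vulnerable render passes `<i>French</i>` through as markup while the safe render passes it through as text. A URL carrying the parameter in both places classifies as "reaches-server", which is the case Eoin describes: the data does go to the server, but whether the bug is DOM-based still depends on the client-side sink that renders it.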