[Owasp-leaders] OWASP DOM based XSS definition, which looked a little off

Achim achim at owasp.org
Wed Oct 23 20:17:43 UTC 2013


Hi all,

let's look at the outcome of the last OWASP summit: 
	https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet

(some of the posters in this thread are authors there too, do you remember;-)

It contains a well-defined statement how DOM-based distinguishes from reflected
and stored/persistent XSS.
And I don't see a reason why to add a new XSS buzzword just 'cause
	http://vuln.tld/bad?par=xss-attack
looks different to 
	http://vuln.tld/bad#par=xss-attack

I guess we agree that DOM-based does not depend on where the payload is
located in the URL. Just to increase the attack scope: think about DWR, GWT
or JSON in general, other syntax, same problem.

'cause they may have different issues, does not make a difference in the
attack or exploit.
However, it makes a difference in the mitigation possibilities and techniques.

So I'd suggest that we talk about mitigations, which is mainly secure coding
practice here, instead of academically defining new vulnerabilities.
Does that sound reasonable?

Just a side note: when we defined WASC-TC years back, we also discussed the
use of XSS vs. content spoofing vs. content injection vs. script injection
vs. ... vs. vs. ...
The decision was XSS as it was in common use, but academically better
are all others.

my 2 pence
Achim



On 23.10.2013 12:07, Erlend Oftedal wrote:
> We had a small discussion on twitter yesterday with amongst others
> @wisecwisec (the author of the domxsswiki and Dominator Pro).
> I tried to summarize the discussion in this small table:
> http://erlend.oftedal.no/blog/research/xss/index.html
> 
> The gist of it is, that reflected/persisted is about source, and DOM-based
> is more about sink. So you can combine them and end up with things like
> reflected DOM-based XSS or persistent server-generated XSS.
> 
> Erlend
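The point made above, that the source location in the URL (`?par=` vs `#par=`) changes nothing about a DOM-based sink and that the mitigation is secure coding at the sink, as an added example (not code from the thread, the cheat sheet or any of the posters). The helper names `getParam`, `encodeForHtml`, `renderUnsafe`, `renderSafe` and the payload value are constructed for this illustration.

```javascript
// Added example: one client-side sink fed from the query string and from the
// fragment. Whichever part of the URL the value comes from, the outcome at an
// HTML sink is the same, and so is the fix (encode for the HTML context, or in
// a real page assign element.textContent instead of innerHTML).

// Read the named parameter from either "?par=..." or "#par=..." (constructed helper).
function getParam(url, name) {
  const u = new URL(url);
  const fromQuery = u.searchParams.get(name);
  if (fromQuery !== null) return fromQuery;
  // The fragment never reaches the server, but it is just as untrusted.
  return new URLSearchParams(u.hash.replace(/^#/, '')).get(name);
}

// HTML-entity encode for the HTML element content subcontext before the value
// is concatenated into markup (the cheat sheet's rule for that subcontext).
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, ch => map[ch]);
}

// Vulnerable sink: untrusted URL data concatenated straight into markup
// (what element.innerHTML = '...' + value + '...' does in the browser).
function renderUnsafe(value) {
  return '<div id="out">' + value + '</div>';
}

// Hardened sink: the same markup, but the value is encoded first so the
// browser renders it as text rather than parsing it as HTML.
function renderSafe(value) {
  return '<div id="out">' + encodeForHtml(value) + '</div>';
}

// Constructed payload: harmless markup, enough to show whether it is interpreted.
const PAYLOAD = '<b>injected</b>';
const QUERY_URL = 'http://vuln.tld/bad?par=' + encodeURIComponent(PAYLOAD);
const FRAG_URL  = 'http://vuln.tld/bad#par=' + encodeURIComponent(PAYLOAD);

// Same sink output for both source locations; only the sink decides the outcome.
function sameResultFromBothSources(render) {
  return render(getParam(QUERY_URL, 'par')) === render(getParam(FRAG_URL, 'par'));
}
```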


