[Owasp-leaders] OWASP DOM based XSS definition, which looked a little off

Giorgio Fedon giorgio.fedon at owasp.org
Wed Oct 23 20:34:23 UTC 2013


Hi Achim,

I think that keeping just a single definition of XSS is too generic.

Like in memory corruption there is buffer overflow, but stack overflow
is significantly different from heap overflow, and they differ from an
exploitation point of view and in the risk associated with the
probability of a successful exploitation.

DOM XSS from my point of view is more critical than XSS because:
- Infrastructural remediations such as a WAF may not be functional (hash
# case)
- The attack could be stealthier
- Browser plugins and built-in XSS filters are (at the moment) less
effective against this issue

On the other hand, browser support may be limited to specific browsers,
but nowadays this also happens for standard XSS due to built-in XSS
protections.


On 10/23/2013 10:17 PM, Achim wrote:
> Hi all,
>
> let's look at the outcome of the last OWASP summit: 
> 	https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
>
> (some of the posters in this thread are authors there too, do you remember? ;-)
>
> It contains a well-defined statement on how DOM-based XSS is distinguished from
> reflected and stored/persistent XSS.
> And I don't see a reason why to add a new XSS buzzword just 'cause
> 	http://vuln.tld/bad?par=xss-attack
> looks different to 
> 	http://vuln.tld/bad#par=xss-attack
>
> I guess we agree that DOM-based does not depend on where the payload is
> located in the URL. Just to increase the attack scope: think about DWR, GWT
> or JSON in general, other syntax, same problem.
>
> Just 'cause they may have different issues does not make a difference in the
> attack or exploit.
> However, it makes a difference in the mitigation possibilities and techniques.
>
> So I'd suggest that we talk about mitigations, which is mainly secure coding
> practice here, instead of academically defining new vulnerabilities.
> Does that sound reasonable?
>
> Just a side note: when we defined WASC-TC years back, we also discussed the
> use of XSS vs. content spoofing vs. content injection vs. script injection
> vs. ... vs. vs. ...
> The decision was XSS as it was in common use, but academically all the
> others are better.
>
> my 2 pence
> Achim
>
>
>
> Am 23.10.2013 12:07, schrieb Erlend Oftedal:
>> We had a small discussion on twitter yesterday with amongst others
>> @wisecwisec (the author of the domxsswiki and Dominator Pro).
>> I tried to summarize the discussion in this small table:
>> http://erlend.oftedal.no/blog/research/xss/index.html
>>
>> The gist of it is, that reflected/persisted is about source, and DOM-based
>> is more about sink. So you can combine them and end up with things like
>> reflected DOM-based XSS or persistent server-generated XSS.
>>
>> Erlend
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders


-- 
| Giorgio Fedon, Owasp Italy
|
| In Input Validation 
|            and Output Sanitization, 
|                                   We Trust
--
| Web: https://www.owasp.org/index.php/Italy
|_____________________________________________.
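An added example, not code from anyone in this thread, illustrating two points made above in running JavaScript: Giorgio's "hash # case" (a payload in the URL fragment never reaches the server, so a WAF cannot inspect it, while the same payload in the query string does) and Erlend's source/sink split (the same value is dangerous in an HTML sink and harmless in a text sink, whatever part of the URL it came from). The host vuln.tld and the parameter name "par" are taken from Achim's URLs; the element object used for the text sink is a constructed stand-in for a DOM element so the code runs under Node without a browser, and the escaping helper is a generic one written for this example.

```javascript
"use strict";

// What an HTTP request line (and therefore a server-side WAF) actually sees.
// The fragment is client-side only and is never sent to the server.
function serverVisibleRequestTarget(href) {
  const u = new URL(href);
  return u.pathname + u.search;
}

// A client-side "source": read a parameter from the query string, or from the
// fragment parsed as if it were a query string (a common single-page-app pattern).
function readParam(href, name, where) {
  const u = new URL(href);
  const raw = where === "hash" ? u.hash.replace(/^#/, "") : u.search.replace(/^\?/, "");
  return new URLSearchParams(raw).get(name);
}

// Minimal escaper for an HTML body context (generic helper written for this example).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable sink: untrusted data concatenated into markup, as it would be
// just before an innerHTML / document.write assignment.
function renderUnsafe(value) {
  return '<div id="out">' + value + "</div>";
}

// Hardened sink: same layout, data escaped for the HTML context first.
function renderSafe(value) {
  return '<div id="out">' + escapeHtml(value) + "</div>";
}

// Alternative hardening when a real DOM is available: write text, not markup.
// `el` is any object with innerHTML/textContent properties (a DOM element in a
// browser; a constructed stand-in object in the demo below).
function writeTextSink(el, value) {
  el.textContent = String(value);
  return el;
}

// Crude visibility check only: does the rendered body still contain a tag start?
function containsMarkup(html) {
  return /<[a-z]/i.test(html.replace(/^<div id="out">|<\/div>$/g, ""));
}

// Constructed scenario: the same payload delivered via query string and via fragment.
function demo() {
  const payload = "<img src=x onerror=alert(1)>";
  const viaQuery = "http://vuln.tld/bad?par=" + encodeURIComponent(payload);
  const viaHash = "http://vuln.tld/bad#par=" + encodeURIComponent(payload);
  const fromHash = readParam(viaHash, "par", "hash");
  return {
    // the query-string payload is part of the request target the WAF sees
    queryRequestTarget: serverVisibleRequestTarget(viaQuery),
    // the fragment payload is not: the server/WAF only sees "/bad"
    hashRequestTarget: serverVisibleRequestTarget(viaHash),
    // both sources hand the client-side code the identical string
    sameSourceValue: readParam(viaQuery, "par", "query") === fromHash,
    // the sink decides whether that string executes
    unsafeHasMarkup: containsMarkup(renderUnsafe(fromHash)),
    safeHasMarkup: containsMarkup(renderSafe(fromHash)),
    textSink: writeTextSink({ innerHTML: "", textContent: "" }, fromHash),
  };
}

console.log(demo());
```

Run with `node` to print the comparison; in a browser the same `readParam` on `location.href` feeding `el.innerHTML` is the vulnerable pattern, and `writeTextSink` (or `renderSafe` when markup really must be built) is the fix at the sink.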


