Professional Documents
Culture Documents
Trial Version
3 INTRODUCTION .......................................................................................... 6
3.1 What is a DOM based Cross Site Scripting ........................................................... 6
3.1.1 What are the security impacts for an application vulnerable to a DOMXSS? ....... 6
3.1.2 IDS, IPS, FW, Web App FW can identify a Dom XSS attack?............................. 6
3.1.3 IDS, IPS, FW, Web App FW can mitigate a Dom XSS vulnerability? ................. 7
3.1.4 Which is the best approach to identify a DOMXSS?............................................. 7
3.2 Introduction to DOMinator Pro Technology ........................................................ 9
3.2.1 Innovative Approach ............................................................................................ 10
3.2.2 Realtime Dynamic Data Tainting Technology .................................................... 10
3.2.3 Architecture .......................................................................................................... 11
1.3 Revision
Document version is 1.0 and was written in October 2012.
WEB BROWSER
DOMINATOR PRO
DOMinator Pro interface has 3 different parts, as it is possible to see in the following
image:
Main Panel (Blue Contour)
Vulnerability Deck (Red Contour)
Source Bar (Green Contour)
Vulnerability Deck
Source Bar
StackTrace Activator
Issue Tabs
Call Stack
Source history
Knowledge Base
Important Note: all the features presented are extensively described in the Use Cases
section with code examples.
1. Source Buttons. These buttons controls activation of the tainting analysis for
particular sets of inputs. By default all sources are controlled except the cookie
source, because this particular input is usually not directly controllable. The
interested reader is invited to read DOMinator Pro Use Cases for more
information and examples.
2. Power Button. This button disables or enables DOMinator Pro extension. This
feature is useful to temporarily disable the tool.
3. Code Beautifier. This feature, if enabled, parses Javascript code and transforms it
into a format which is more easily readable. This feature is very useful during
code analysis in the Call Stack.
Source buttons:
C = Cookies
N = Name
R = Referrer
E = Input Elements
P = PostMessage
S = StoredStrings
D = DOM Strings
3.1.2 IDS, IPS, FW, Web App FW can identify a Dom XSS attack?
The OWASP Testing Guide3 collects all the possible tests you have to perform to a
running web application to verity that all the security controls are adequate. Looking at
the list of the tests to perform it is possible to notice that DOM Based XSS is the only
vulnerability running on the client browser, all the other vulnerabilities resides on the
server side as shown by the following picture.
1
DOM Based Cross Site Scripting or XSS of the Third Kind [http://www.webappsec.org/projects/articles/071105.html]
2
OWASP Top Ten Project [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project]
3
OWASP Testing Project [https://www.owasp.org/index.php/OWASP_Testing_Project]
This means that anyone can perform this analysis "without interaction" with the server
that is running the application itself. Unlike all other web application vulnerabilities, a
Dom XSS occurs without the owner of the application being aware of a possible intrusion.
That actually means a loss of control of the detection of security incidents and that’s
why it is really important to prevent this kind of attack.
3.1.3 IDS, IPS, FW, Web App FW can mitigate a Dom XSS
vulnerability?
The DOM XSS vulnerability resides inside the client code running on the user browser,
a Web Application Firewall and all the perimeter defense tools could do nothing to
mitigate this problem: it is not a possible solution.
The fundamental difference between the DOM and other types of XSS vulnerabilities
in web applications is that to remedy this issue you must edit and fix the JavaScript
code provided by the application.
4
DomXSSWiki [http://code.google.com/p/domxsswiki]
5
DOMXss Identification and exploitation
[http://dominator.googlecode.com/files/DOMXss_Identification_and_exploitation.pdf]
So it is necessary to automate the process to find this kind of vulnerability. The possible
solutions to find DOM XSS using a tool are the following:
Static Analyser:
Pro: Very good at finding flows if well implemented. Very fast.
Contra: the problems of every Static Analyser KB, reflection, runtime evaluation, lot
of False Positives + False Negatives etc.
Script Injection to wrap sources and Sinks:
Pro: use native interpreter so no problem with obfuscation/compression
Contra: Cannot follow the flow.
Runtime Analysis with Dynamic Tainting:
Pro: Uses native interpreter so no problem with obfuscation/compression, can follow
the flow.
Contra: doesn’t look at alternative paths. Just propagates the taint flag. No tracking of
operations. (Mostly used for defense like on perl tainting or php)
Minded Security solution DOMinator Pro:
DOMinator Pro is a tool for analysing and identifying DOM XSS; it is a modified
version of SpiderMonkey (JS Engine) to add Dynamic Tainting and perform Taint
propagation Tracing. Also is a modified version of Firefox to add taint propagation to
DOM Attributes and chrome methods.
DOMinator Pro performs a Realtime Dynamic Data Tainting (Rea.Dy. Data
Technology) that represents a completely innovative approach.
In the following paragraph we describe the DOMinator Pro technology and we explain
why this represents nowadays the state of the art in finding DOM XSS vulnerabilities in
your site.
6
DOMinator [https://github.com/wisec/DOMinator]
3.2.3 Architecture
The tool is based on a modified version of the latest Firefox browser, for supporting Ajax
and HTML 5 specifications including ECMA scripting and several new standards.
In addition to this part of the engine, called Tainting Engine, the tool uses a proprietary
Firefox extension that is capable of interfacing itself with Firebug (Javascript debugger).
This proprietary extension is DOMinator Pro.
In the following picture you can see a schema of the Architecture:
Suddenly looking at the main panel you see the following alerts:
From the previous screenshot the very interesting information is that you got an HTML
Injection (e.g. Cross Site Scripting) from the location.href (e.g. the URL).
Our job is done: HTML injection vulnerability that is coming from a user supplied input
location.href (URL).
Now it’s important to communicate to the Security testers:
the exact location of the issue:
http://www.vulnerablewebsite.com/webpage.aspx?menuid=3
The steps needed for reproducing the alert (e.g. Browsing to the main menu,
clicking About tab)
Hint: Selenium and iMacros tools can help to automate the steps, by recording the
sequence of the actions.
For more information:
https://addons.mozilla.org/en-US/firefox/addon/imacros-for-firefox/
http://seleniumhq.org/
Source history is a simplified call stack that shows the content of controllable strings.
Location.href can be controlled and the value is showed up in light green, after this string
is concatenated with another string by left and by right.
As it is possible to see from the above picture, it’s also possible to check if there are
validator functions in place by injecting HTML patterns after the # (hash); in this case I
Note: Url location is default urlencoded by firefox, and that’s why firefox is not affected
by this particular vulnerability. Chrome implements a DOMXSS filter that blocks this basic
attack.
The full exploit takes into consideration also that the original pattern was inside an
<iframe> tag attribute.
Now developers should activate the Stacktrace box and the Javascript Pretty Printer Icon
( ) as shown in the pictures below:
Important Note: Thanks to DOMinator Pro Browser emulation feature we can mimic
different browser insecure behaviors. This permits to show developers the vulnerability
inside DOMinator Pro/Firefox, even if the previous exploit works only under Internet
Explorer.
The Call Stack interactively shows where the vulnerability is with the correct line. It is
possible to see “document.location.href” is not escaped properly.
It’s very important to output encode the value before it is displayed.
Correct fixing at line 116:
Use the “encodeURIComponent()” function.
encodeURIComponent(document.location.href) If browser is Internet Explorer,
Chrome or Safari.
Since Tooltip Suggestions are very often based on a remote web service (i.e. a cloud
dictionary service) DOMinator Pro takes a couple of seconds to analyse the page
behavior.
By this reason the user needs to inject some patterns inside it, wait a bit longer while
looking at the vulnerability tab if any alert appear.
As shown in the previous picture we suddenly found a couple of very interesting Alerts.
The “innerHTML” method is in fact very similar to the previous “Document.write”
method and leads to a HTML Injection vulnerability. In this case the source is a
“INPUTElement.value” that represent the TextBox control (where we inserted the
“question”).
Lesson learned
Do not interact with elements too fast. A bunch of seconds are needed for a
complete javascript analysis.
Describe correctly the passages needed to reproduce the Alert. E.g. Open
DOMinator, go to main page, Insert some text… Wait 2 seconds
The information comes from the “INPUTElement.value” (Textbox) and flows into an
HTML String assigned to the “UL.innerHTML” property
As you can see from the figure, there are several REPLACE operations that represent a
sequence of validation steps. However these are quite ineffective since our special chars
<>’” remain in the final string and are not stripped away.
By supplying now the correct exploit it is possible to turn the vulnerability into a reflected
DOM cross site scripting attack:
Standard HTML Injection Payload: <img/src=”x”/onerror=”alert(1)”/>
As mentioned, because of the bad usage of input filters, our standard HTML injection
payload for DOMXss worked nicely.
Lesson Learned:
DOMinator “Source History” displays REPLACE and ENCODING operations and
therefore it permits to check if they are good enough for defending the code from
attacks.
Steps to reproduce the exploit issue may not be trivial; these steps and the
considerations attached should be properly explained to the developers for a
correct fix.
Example of report to the developers:
o Browse to the main site, click in the search textbox,
o start writing the following payload: <img/src=”x”/onerror=”alert(1)” until
the popup appears.
o The problem is due to a bad usage of filters since dangerous characters are
not filtered.
By browsing a website and/or by using also the fuzzer you may step into DOMinator
interface showing the following alerts:
Lesson learned:
DOMXss can be triggered without injecting HTML into the browser DOM.
Location.search
Location
As stated above anything that come after ? (Question Mark) is sent to the browser
location.
By supplying now the correct exploit it is possible to turn the vulnerability into a reflected
DOM cross site scripting attack:
Standard URl Redirection Payload: javascript:alert(1)
Full Exploit: http://www.vulnerablewebsite.com/webpage.aspx?
javascript:alert(1)
The interested reader may find useful the following real case example:
http://blog.mindedsecurity.com/2010/09/twitter-domxss-wrong-fix-and-
something.html
Why this construct is vulnerable? Because the window.location assignment will overwrite
the full URL including the protocol used. An attacker by manipulating the URL parameters
in this case can set a different and dangerous protocol such as javascript: for the current
location.