Friday, May 4, 2007

DOM Injection Attacks

Besides the classic Cross-Site Scripting, where the payload moves to the server and back, there is another form of user agent injection attack, which does not depend on the payload being embedded in the response, but rather on the payload in the Document Object Model (DOM). The DOM is the standard object model in browsers to represent HTML documents and metadata in an object-oriented way, and it is provided to the JavaScript code. The most important object is the document object, which includes not only all elements of the HTML document, but also meta-objects such as URL, URLUnencoded, location (also in window.location) or referrer, which contain the complete URL of the current document or the referring one, respectively. There are many web applications that access the DOM, and a few parse the meta-objects mentioned above, which makes them vulnerable to DOM-based injection, as described in http://www.webappsec.org/projects/articles/071105.html. Here is an example of a vulnerable script, which is supposed to extract the user's name from the document's URL (by searching for "name=" and returning the string after it):
 
Hello <script>
var pos = document.URL.indexOf("name=") + 5;
document.write(document.URL.substring(pos, document.URL.length));
</script>

Do not assume that everyone enters a real name like Joe or Alice. Take a look at this user name:

http://www.domain.com/welcome?name=<script>alert(document.cookie)</script>

And if the server filters the parameter name, a parameter called xyzname will not be filtered, but the script in the document will use the first occurrence of "name=", which here is inside "xyzname=":
 
http://www.domain.com/welcome?xyzname=<script>alert(document.cookie)</script>&name=Alice
 
Notice the number sign (#) in the following URL. It is usually used to refer to a part of a document and is never sent to the server, so any server-side checks will have no effect, but the local script will use the malicious code nevertheless.
 
http://www.domain.com/welcome#name=<script>alert(document.cookie)</script>
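
As an added example (not code from the original post), the snippet below puts the article's substring logic next to a hardened variant that reads only the exact query parameter name, ignores the fragment, and checks the value against an allowlist. The function names and the allowlist pattern are assumptions; the sample URLs are the ones used above.

```javascript
// Added example: the article's substring logic beside a hardened parser.
// Function names and NAME_PATTERN are assumptions, not part of the post.

// Same logic as the vulnerable script, written as a pure function.
function extractNameVulnerable(url) {
  const pos = url.indexOf("name=") + 5;
  return url.substring(pos, url.length);
}

// Conservative allowlist: letters, digits, space, dot, apostrophe, hyphen.
const NAME_PATTERN = /^[\p{L}\p{N} .'-]{1,64}$/u;

// Hardened: only the exact query key "name" is read (so "xyzname" and the
// "#..." fragment are ignored), and the decoded value must match the allowlist.
function extractNameSafe(url) {
  const value = new URL(url).searchParams.get("name");
  if (value === null || !NAME_PATTERN.test(value)) return null;
  return value;
}

// In the browser, output the value as text instead of document.write(),
// so it is never parsed as markup.
function renderGreeting(element, url) {
  const name = extractNameSafe(url);
  element.textContent = "Hello " + (name ?? "guest");
}

// A benign URL plus the three URLs from the article.
const samples = [
  "http://www.domain.com/welcome?name=Alice",
  "http://www.domain.com/welcome?name=<script>alert(document.cookie)</script>",
  "http://www.domain.com/welcome?xyzname=<script>alert(document.cookie)</script>&name=Alice",
  "http://www.domain.com/welcome#name=<script>alert(document.cookie)</script>",
];

// Returns what each variant would hand to the page for every sample URL.
function compare() {
  return samples.map((url) => ({
    vulnerable: extractNameVulnerable(url),
    safe: extractNameSafe(url),
  }));
}

console.table(compare());
```

In a page, call renderGreeting(targetElement, document.URL) in place of the document.write() line.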
 
To be continued ... 


Reader Comments (349)

Thank you again. Frankly I had only heard of this type of attack recently and find it quite intriguing.

May 4, 2007 | Unregistered Commenter James H


Lovely. Made my day (which is saying something)

June 2, 2007 | Unregistered Commenter be debt free

What a nice site, been surfing on it for the whole night and day and I never got bored for a single minute. Keep up your good work and all of the best in everything you do! :-)

This is a great web site. I have some great web pages myself if you are interested to share. But I should not go on about my site too much, that is not fair, right?

Very exceptional pieces of information. Very nice webpage though. I applaud

June 3, 2007 | Unregistered Commenter construction loan

I just want you to know that I think you did a terrific job on this website.

Howdy! Great site. Great content. Great! I can recommend this site to others!

I find your homepage very good and well-founded. The information is helping me with a diploma thesis in the field of medical documentation. Many thanks, and keep it up.

perfect site !!!!!!!! Perfect piece of work fellows !!!!!!!

June 4, 2007 | Unregistered Commenter guide

This is such a wonderful and informative way to reach others. I will be more than glad to share this site.

I like your website. I will share this with friends.

Nice website. Great online affiliate program. Thank you.

June 5, 2007 | Unregistered Commenter tablet

I don't even remember how I reached your site but it doesn't matter, because I'm so happy I found it. It really made me think. Keep up the good work.

June 6, 2007 | Unregistered Commenter casino promotion

Thank you for opening a wonderfully new sight. I wish you the best of luck with your new venture.

June 7, 2007 | Unregistered Commenter zyrtec d

Thank you for the great web site - a true resource, and one many people clearly enjoy

Lovely to see such a wonderful site. Thank you

Just stopped by to visit and got the crunch on your stuff in here - bravo!

interesting site

June 9, 2007 | Unregistered Commenter insurance rates

Hi there, I must say that you have done a wonderful job on your site and I thoroughly enjoyed my stay here, I thank you for sharing it with me…

June 10, 2007 | Unregistered Commenter cash till payday
