Sabtu, 17 November 2007

DOM Based XSS

I was reading Amit Klein's 2005 article on DOM Based XSS and he actually mentioned a few things to look out for in DOM XSS. In that article, he gave us an insight look of how to look for potential XSS in the DOM and why sanitizing is important on the client side.

The full article is here: http://www.webappsec.org/projects/articles/071105.html

Below is a snippet:

2. Analyzing and hardening the client side (Javascript) code. Reference to DOM objects that may be influenced by the user (attacker) should be inspected, including (but not limited to):

document.URL
document.URLUnencoded
document.location (and many of its properties)
document.referrer
window.location (and many of its properties)
Note that a document object property or a window object property may be referenced syntactically in many ways - explicitly (e.g. window.location), implicitly (e.g. location), or via obtaining a handle to a window and using it (e.g. handle_to_some_window.location).

Special attention should be given to scenarios wherein the DOM is modified, either explicitly or potentially, either via raw access to the HTML or via access to the DOM itself, e.g. (by no means an exhaustive list, there are probably various browser extensions):

Write raw HTML, e.g.:
document.write(…)
document.writeln(…)
document.body.innerHtml=…
Directly modifying the DOM (including DHTML events), e.g.:
document.forms[0].action=… (and various other collections)
document.attachEvent(…)
document.create…(…)
document.execCommand(…)
document.body. … (accessing the DOM through the body object)
window.attachEvent(…)
Replacing the document URL, e.g.:
document.location=… (and assigning to location’s href, host and hostname)
document.location.hostname=…
document.location.replace(…)
document.location.assign(…)
document.URL=…
window.navigate(…)
Opening/modifying a window, e.g.:
document.open(…)
window.open(…)
window.location.href=… (and assigning to location’s href, host and hostname)
Directly executing script, e.g.:
eval(…)
window.execScript(…)
window.setInterval(…)
window.setTimeout(…)

The Hacka Man

0 komentar:

Posting Komentar