Tuesday, August 2, 2011

WebGoat - DOM Based XSS

Three types of Cross Site Scripting (XSS) Attack:


Stage one solution:
1, Check the page source to find the JavaScript, or use Firebug, open the “Script” tab and choose “DOMXSS.js”. We find the following JavaScript code:

2, As we can see, there is no validation of the user’s input, so anything can be passed as the “name” parameter. In this case, we insert:

"<img src="" />"

3, Then we get the following result (the page is defaced with the picture):

Stage two solution:
1, We use the image “onerror” event attribute to trigger an alert that shows the cookie. In this case, we insert:
"<img src="xxx.gif" onerror="alert(document.cookie)" />"
Here “xxx.gif” is any non-existent image file; the failed load is what fires the error event.

3, Then we get the following result (the alert pops up):


Stage five (Remedy):

1, Use the escapeHTML function defined in “escape.js” to remedy this vulnerability. The escapeHTML function’s content is:
function escapeHTML(str) {
    var div = document.createElement('div');   // create a new div element
    var text = document.createTextNode(str);   // create a new text node holding “str” as plain text
    div.appendChild(text);                     // attach it, so the div's content is the text, not markup
    return div.innerHTML;                      // serialise it: &, < and > come back as entities
}

2, Modify the DOMXSS.js file to use the escapeHTML function.
function displayGreeting(name) {
    if (name != '') {
        document.getElementById("greeting").innerHTML = "Hello, " + escapeHTML(name) + "!";
    }
}
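The stage one and stage two payloads, the unescaped concatenation from DOMXSS.js and the stage five remedy, side by side in an added example (my code, not WebGoat's escape.js or DOMXSS.js). It runs under Node without a DOM, so escapeHTMLTextNode is a pure-string stand-in for what the text-node trick in escape.js yields: &, < and > become entities, quotes are left alone. That is enough when the result lands in element content, as displayGreeting does, but not inside an attribute value, so escapeHTMLAttr (a stricter variant I assume here, not from the lesson) also encodes quotes. containsRawTag is a helper of mine, not from the page.

```javascript
// Added example: string-only models of the WebGoat DOM XSS lesson, no DOM needed.

// Payloads taken from the stage one and stage two solutions above.
const STAGE_ONE_PAYLOAD = '<img src="" />';
const STAGE_TWO_PAYLOAD = '<img src="xxx.gif" onerror="alert(document.cookie)" />';

// Equivalent of escape.js: a text node serialised through innerHTML escapes
// only '&', '<' and '>' (browsers leave quotes untouched). Safe for element
// content, as used in displayGreeting; NOT safe inside an attribute value.
function escapeHTMLTextNode(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Assumed stricter variant (hand-written, not escape.js): also neutralises
// both quote characters, so it can be used in double- or single-quoted attributes.
function escapeHTMLAttr(str) {
  return escapeHTMLTextNode(str)
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable form: the original DOMXSS.js concatenates the untrusted name
// straight into innerHTML, so any tags in it are parsed as markup.
function greetingUnsafe(name) {
  return name !== '' ? 'Hello, ' + name + '!' : '';
}

// Remedied form, matching the stage five fix.
function greetingSafe(name) {
  return name !== '' ? 'Hello, ' + escapeHTMLTextNode(name) + '!' : '';
}

// Detection helper (mine): does the string still contain a raw tag opener?
// Handy as an assertion in unit tests of rendering code.
function containsRawTag(html) {
  return /<[a-zA-Z!\/]/.test(html);
}

// Run both payloads through the vulnerable and remedied paths.
function demo() {
  return [STAGE_ONE_PAYLOAD, STAGE_TWO_PAYLOAD].map((p) => ({
    payload: p,
    unsafe: greetingUnsafe(p),
    unsafeHasTag: containsRawTag(greetingUnsafe(p)),
    safe: greetingSafe(p),
    safeHasTag: containsRawTag(greetingSafe(p)),
  }));
}

console.log(demo());
```

Note that escapeHTMLTextNode leaves `"` intact in the stage two payload; that is harmless only because the greeting is assigned as element content. If the name were ever written into an attribute, use the quote-encoding variant or, better still, assign via textContent and avoid innerHTML for untrusted data altogether.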
