OWASP ModSecurity Securing WebGoat Section4 Sublesson 03.1

3.1 LAB: DOM-Based cross-site scripting

Lesson overview
Refer to the zip file with the WebGoat lesson overviews. See Appendix A for more information.

Lesson solution
Refer to the zip file with the WebGoat lesson solutions. See Appendix A for more information.

Strategy
This WebGoat lesson demonstrates DOM-Based cross-site scripting. The vulnerability in this WebGoat lesson is to enter malicious code in the "Enter your name" text box like: 

The source code snippet containing the vulnerability is:    Enter your name:  

The 'displayGreeting' function is in the file 'DOMXSS.js'.

The solution for the lesson is to modify WebGoat's source code and HTML-escape 'person.value' with a function 'escapeHTML' function which is in the file 'escape.js'.

Implementation
A ModSecurity solution could be to use the blacklist rules for XSS provided by the core ruleset but this has previously been done in other lessons in Section 8: Cross-Site Scripting (XSS).

Instead, our solution will be to replace the 'displayGreeting' function with our own by appending it to the end of the HTML page and calling the 'escapeHTML' function in 'escape.js'. While not practical (an attacker could bypass the new function), replacing an existing Javascript function with a new one will be demonstrated.

The Javascript function:  function displayGreeting(name) { if (name != ''){ document.getElementById("greeting").innerHTML="Hello, " + escapeHTML(name) + "!"; } }

Before placing the function into a ModSecurity rule, test it by intercepting the HTTP response in a web proxy, copy and paste the code after the, then forward the response to the browser.

A phase 2 rule is not necessary; the function can be placed in every HTML page for this lesson.

The phase 4 rule in 'rulefile_03-1_DOM-based-XSS.conf' is: SecRule RESPONSE_CONTENT_TYPE "!^text/html" "phase:4,t:none,allow,nolog"

# Here check if session variable set; if so, then substitute the 'displayGreeting' function SecRule SESSION:LESSON031 "@eq 1" "phase:4,t:none,log,auditlog,pass,msg:'appending javascript in rulefile_03-1_DOM-based-XSS.conf', append:'function displayGreeting(name) {if (name != \"\"){document.getElementById(\"greeting\").innerHTML=\"Hello, \" + escapeHTML(name) + \"!\";}} '"

When malicious input is entered, it is properly escaped and displayed on the HTML page: (screenshot lesson03.1_DOM-based-XSS_solved.jpg)

Comment

 * This lesson demonstrates replacing an existing Javascript function with a new one.