Detecting DOM-based XSS is harder than detecting reflected or stored XSS, for the following reasons.
Traditional black-box detection of reflected or stored XSS works by sending payloads to the server and looking for them in the response. This approach does not work for DOM-based XSS: the vulnerable code runs in the client, and the payload (a URL fragment, for example) may never be sent to the server at all, so nothing shows up in the response.
Taint analysis needs to be incorporated into the static analysis engine. Taint analysis identifies variables that have been 'tainted' with user-controllable input (read from a 'source' such as document.location) and traces them to potentially dangerous functions, known as 'sinks'. If a tainted variable reaches a sink without first being sanitized, it is flagged as a vulnerability.
Explanation: An attacker can send the victim a link such as http://hostname/welcome.html#name=<script>alert(1)</script>. If the page's script reads the fragment and writes it into the document unsanitized, the victim's browser executes the injected client-side code. Because the fragment is never sent to the server, a scanner that only inspects server responses sees nothing.
    // source: the current URL is attacker-influenced
    var url = document.location.href;
    var loginIdx = url.indexOf('login');          // -1 if 'login' is absent
    var loginSuffix = url.substring(loginIdx);    // substring(-1) returns the whole URL
    url = 'http://mySite/html/sso/' + loginSuffix;
    // sink: assigning to location triggers a redirect
    document.location.href = url;
The final assignment to document.location may be a false positive (safe code) or a genuine open redirect. With taint analysis, the static analysis engine follows the tainted value from document.location through indexOf, substring and the string concatenation to the sink, and can determine which parts of the final URL the attacker actually controls. A tool that merely pattern-matches sources and sinks without tracing the data flow will flag this code regardless, leaving the code reviewer to perform a complete source-to-sink review by hand.
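To make the source-to-sink reasoning above concrete, here is an added example in JavaScript (not code from the original page or from any scanner): a toy character-level taint tracker run over both snippets, the welcome.html#name= fragment and the SSO redirect. The class and function names, the <h1> greeting markup, and the sample URLs are assumptions made for illustration. It shows the two outcomes taint analysis is meant to distinguish: the fragment reaching an HTML sink unescaped is flagged, the escaped version is not, and in the redirect snippet the attacker-controlled characters all land in the path after a constant scheme and host, which is the information a reviewer needs to decide whether the redirect is really open.

```javascript
// Toy character-level taint tracker (added example; not code from the
// original page). A TaintedString carries, for every character, whether it
// derives from an attacker-controlled source such as document.location.
class TaintedString {
  constructor(value, taint) {
    this.value = value;
    this.taint = taint || new Array(value.length).fill(false);
  }
  static source(value) {            // data read from a DOM source
    return new TaintedString(value, new Array(value.length).fill(true));
  }
  static literal(value) {           // a string constant in the script
    return new TaintedString(value);
  }
  indexOf(needle) { return this.value.indexOf(needle); }
  // Same clamping rules as String.prototype.substring, so substring(-1)
  // returns the whole string exactly as in the real snippet.
  substring(start, end = this.value.length) {
    const len = this.value.length;
    const clamp = (n) => Math.min(Math.max(Number.isNaN(n) ? 0 : n, 0), len);
    let a = clamp(start), b = clamp(end);
    if (a > b) [a, b] = [b, a];
    return new TaintedString(this.value.slice(a, b), this.taint.slice(a, b));
  }
  concat(other) {                    // taint propagates through '+'
    return new TaintedString(this.value + other.value, this.taint.concat(other.taint));
  }
}

// Sanitizer for an HTML sink: escaping makes the value safe to write into
// the document, so the result is treated as untainted.
function htmlEscape(ts) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return TaintedString.literal(ts.value.replace(/[&<>"']/g, (c) => map[c]));
}

// Sink 1: document.write / innerHTML. Any tainted character is a finding.
function checkHtmlSink(ts) {
  return { flagged: ts.taint.some(Boolean), html: ts.value };
}

// Sink 2: assignment to document.location. What matters for an open
// redirect is whether the attacker controls the scheme or host. Anything
// that is not an absolute URL is conservatively treated as all origin.
function checkRedirectSink(ts) {
  const v = ts.value;
  const schemeEnd = v.indexOf('//');
  const pathStart = schemeEnd === -1 ? -1 : v.indexOf('/', schemeEnd + 2);
  const originLen = pathStart === -1 ? v.length : pathStart;
  const originTainted = ts.taint.slice(0, originLen).some(Boolean);
  const pathTainted = ts.taint.slice(originLen).some(Boolean);
  return { flagged: originTainted, originTainted, pathTainted, url: v };
}

// The welcome.html#name=... case. 'hash' models the (decoded) fragment;
// the <h1> markup is an assumption, the page only says the value is
// written into the document.
function renderGreeting(hash, sanitize) {
  const name = hash.substring(hash.indexOf('=') + 1);
  const body = sanitize ? htmlEscape(name) : name;
  return TaintedString.literal('<h1>Welcome ').concat(body).concat(TaintedString.literal('</h1>'));
}

// The SSO redirect snippet from the page, run on a tainted href.
function buildSsoRedirect(href) {
  const loginIdx = href.indexOf('login');
  const loginSuffix = href.substring(loginIdx);
  return TaintedString.literal('http://mySite/html/sso/').concat(loginSuffix);
}

// Constructed sample inputs (not captured from any real site).
const fragment = TaintedString.source('#name=<script>alert(1)</script>');
const href = TaintedString.source('http://mySite/app/login?next=x');

console.log(checkHtmlSink(renderGreeting(fragment, false)));  // flagged: true
console.log(checkHtmlSink(renderGreeting(fragment, true)));   // flagged: false
console.log(checkRedirectSink(buildSsoRedirect(href)));       // originTainted: false, pathTainted: true
```

Run it with node; the three console.log lines print the sink reports. A real engine does this statically over an abstract representation of the program rather than by executing it, and uses richer taint labels than one bit per character, but the propagation through indexOf, substring and concatenation and the check at each sink are the same idea.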
- Check for all kinds of DOM-based XSS attacks