Detection of DOM-based XSS can be challenging. This is cause by the following reasons.
Black-box traditional methods detection of reflected or stored XSS needs to be preformed. However this approach will not work for DOM-based XSS vulnerabilities.
Taint analysis needs to be incorporated into static analysis engine. Taint Analysis attempts to identify variables that have been 'tainted' with user controllable input and traces them to possible vulnerable functions also known as a 'sink'. If the tainted variable gets passed to a sink without first being sanitized it is flagged as vulnerability.
Explanation: An attacker can send a link such as “http://hostname/welcome.html#name=<script>alert(1)</script> to the victim resulting in the victim’s browser executing the injected client-side code.
# var url = document.location.url; # var loginIdx = url.indexOf(‘login’); # var loginSuffix = url.substring(loginIdx); # url = ‘http://mySite/html/sso/’ + loginSuffix; # document.location.url = url;
Line 5 may be a false-positive and prove to be safe code or it may be open to “Open redirect attack” with taint analysis the static analysis should be able to correctly identified if this vulnerability exists. If static analysis relies only on black-box component this code will have flagged as vulnerable requiring the code reviewer to do a complete source to sink review.
Additional examples and potential security risks
Source: document.url Sink: document.write() Results: document.write(“<script>malicious code</script>
Cybercriminal may controlled the following DOM elements including…document.url,document.location,document.referrer,window.location
Source: document.location Sink: windon.location.href Results: windon.location.href = http://www.BadGuysSite; - Client sode open redirect.
Source: document.url Storage: windows.localstorage.name Sink: elem.innerHTML Results: elem.innerHTML = <value> =Stored DOM-based Cross-site Scripting
eval() is prone to security threats, and thus not recommended to be used.
Consider these points:
- Code passed to the eval is executed with the privileges of the executer. So, if the code passed can be affected by some malicious intentions, it leads to running malicious code in a user's machine with your website's privileges.
- A malicious code can understand the scope with which the code passed to the eval was called.
- You also shouldn’t use eval() or new Function() to parse JSON data.
eval('alert("Query String ' + unescape(document.location.search) + '");'); eval(untrusted string); Can lead to code injection or client-side open redirect.
- Check for all sorts of XSS DOM Attacks, never trust user data, know your source and sinks