Testing for DOM-Based XSS....input requested

by Joseph McCray

I got into this discussion yesterday with someone about DOM-Based
XSS. It got me thinking about how you could programmatically test for
it.

I'm really having a tough time with it. I'm hoping someone can shed some
light on it, and hopefully if I can understand it better I can write
some sort of check to actually test for it.

According to Wikipedia:
=======================================================================
With DOM-based cross-site scripting vulnerabilities, the problem exists
within a page's client-side script itself. For instance, if a piece of
JavaScript accesses a URL request parameter and uses this information to
write some HTML to its own page, and this information is not encoded
using HTML entities, an XSS hole will likely be present, since this
written data will be re-interpreted by browsers as HTML which could
include additional client-side script.
=======================================================================

So does that mean I'd have to monitor all GET/POST requests made to the
server, and their related responses to see if a string from the REQUEST
could be found in the response?

Does anyone have any code snippets I could look at, or at least some
conceptual guidance they can give me?

Thanks in advance,

--
Joe McCray
Toll Free:  1-866-892-2132
Email:      joe@...
Web:        https://www.learnsecurityonline.com


Learn Security Online, Inc.

* Security Games        * Simulators
* Challenge Servers     * Courses
* Hacking Competitions  * Hacklab Access

"The only thing worse than training good employees and losing them
is NOT training your employees and keeping them."

        - Zig Ziglar


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------


Re: Testing for DOM-Based XSS....input requested

by edjenguele christian eric

Hi,
check this http://www.securiteam.com/securityreviews/5MP080KGKW.html

 ===
Christian Eric Edjenguele
IT Security Software Developer & Researcher
tel. +39 3408580513
View my linkedin profile: http://www.linkedin.com/in/edjenguele
My blog: http://www.edjenguele.blogspot.com
--
Management, Developers, Security Professionals – can only result in one thing…… better security.
http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference Sept 22nd-25th 2008



----- Original message -----
From: Joseph McCray <joe@...>
To: pen-test <pen-test@...>
Sent: Saturday 23 August 2008, 23:32:36
Subject: Testing for DOM-Based XSS....input requested


Re: Testing for DOM-Based XSS....input requested

by edjenguele christian eric

this is the original article: http://www.webappsec.org/projects/articles/071105.shtml

 ===
Christian Eric Edjenguele
IT Security Software Developer & Researcher
tel. +39 3408580513
View my linkedin profile: http://www.linkedin.com/in/edjenguele
My blog: http://www.edjenguele.blogspot.com
--
Management, Developers, Security Professionals – can only result in one thing…… better security.
http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference Sept 22nd-25th 2008





Re: Testing for DOM-Based XSS....input requested

by Tim-6

> According to Wikipedia:
> =======================================================================
> With DOM-based cross-site scripting vulnerabilities, the problem exists
> within a page's client-side script itself. For instance, if a piece of
> JavaScript accesses a URL request parameter and uses this information to
> write some HTML to its own page, and this information is not encoded
> using HTML entities, an XSS hole will likely be present, since this
> written data will be re-interpreted by browsers as HTML which could
> include additional client-side script.
> =======================================================================
>
> So does that mean I'd have to monitor all GET/POST requests made to the
> server, and their related responses to see if a string from the REQUEST
> could be found in the response?

No.  The whole point of DOM-based XSS issues is that the problem exists
in client-side code.  The server isn't vulnerable in the sense that it
isn't executing code that injects user-supplied content.  Instead, code
provided by the website to the user is executing in the user's browser
and is injecting into the page, which may be completely undetectable on
the server side.

In order to test if an input string is written to a page unencoded,
you'd need a full JavaScript (at least) interpreter which provided you
with an interpreted version of a resulting page after document.write()s,
eval()s, and similar injection points had finished executing.

> Does anyone have any code snippets I could look at, or at least some
> conceptual guidance they can give me?

Off the top of my head (totally untested), here's a vulnerable page
which won't send the injection string to the server:

<script>
 // the URL fragment (everything after '#') is never sent to the server,
 // yet document.write() inserts it into the page as raw, unencoded HTML
 document.write(document.location.hash);
</script>


HTH,
tim
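Tim's point that a check needs a script interpreter and a view of the page after document.write() has run, as an added example that is not part of Tim's post or of any tool the thread mentions: a small Node.js harness with a stub document whose write() sink is recorded, the vulnerable handler from his snippet beside an HTML-encoding one, and a check that plants a harmless canary marker in the fragment and reports whether it reached the sink unencoded. FakeDocument, runCheck, htmlEncode and CANARY are this example's own names; a real check would drive a browser or a headless DOM instead of the stub.

```javascript
// Added example, not code from the thread. A minimal offline stand-in for
// what a DOM-XSS check needs: stub `location` and `document.write`, run the
// page's client-side handler, then inspect the HTML the handler produced.
// FakeDocument, runCheck, htmlEncode and CANARY are this example's own names.
const CANARY = '<dxss-canary>';   // harmless marker; only its escaping is checked

function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// Stand-in for the browser document: records everything passed to the
// document.write() sink so it can be inspected after the script has run.
class FakeDocument {
  constructor(hash) {
    this.location = { hash };   // mimics document.location.hash, '#' included
    this.written = [];
  }
  write(html) { this.written.push(String(html)); }
  rendered() { return this.written.join(''); }
}

// The pattern from Tim's snippet: the fragment goes straight into the page.
function vulnerableHandler(doc) {
  doc.write(doc.location.hash);
}

// Same feature with the fragment HTML-encoded before it reaches the sink.
function hardenedHandler(doc) {
  doc.write(htmlEncode(doc.location.hash));
}

// Run a handler with the canary in the fragment and report whether the canary
// reached the sink unencoded (unencoded === true means a DOM XSS candidate).
// The fragment never appears in the HTTP request, so a server-side proxy
// watching requests and responses would see nothing.
function runCheck(handler) {
  const doc = new FakeDocument('#' + CANARY);
  handler(doc);
  const out = doc.rendered();
  return {
    unencoded: out.includes(CANARY),
    encoded: out.includes(htmlEncode(CANARY)),
    output: out,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', runCheck(vulnerableHandler));
  console.log('hardened:  ', runCheck(hardenedHandler));
}
```

The canary is deliberately inert: the check only asks whether the marker's angle brackets survive to the sink, which is the property that matters, and the same verdict logic carries over unchanged when the stub is swapped for a headless browser that exposes the post-script DOM.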



Re: Testing for DOM-Based XSS....input requested

by bugtraq-2

Amit Klein wrote the 1st paper on this XSS type
located on The Web Application Security Consortium website.

DOM Based Cross Site Scripting or XSS of the Third Kind
http://www.webappsec.org/projects/articles/071105.shtml

He discusses common implementation mistakes/things to look for.

Regards,
- Robert


