DOM-Based XSS

The Document Object Model (DOM) presents an interesting problem from a security standpoint.

It allows the content of a web page to be dynamically modified, but that can abused by attackers during a malicious code injection.

XSS is a type of malicious code injection that can occur when unvalidated user input is used directly to modify the content of a page on the client side

Solution:

Inspect element of the text field input

We can see that input field is using a JavaScript function named displayGreeting, which is listed in the script tag above.

Navigate to that link to see the JS source code.

Here we see…

function displayGreeting(name) {

if (name != ''){

document.getElementById("greeting").innerHTML="Hello, " + name+ "!";

}

The user is inputing directly into the JS code.

Because of this, the user can simply type " in the input field to close the string and then insert malicious JavaScript code directly onto the server.

In this case, we are inserting a .jpg file onto the webpage.

e.g. we will enter..

"<IMG src=images/logos/owasp.jpg>

Into the form field

PreviousPhishing with XSS NextStored XSS Attacks

Last updated 1 year ago