Ethical Hacking and Penetration Testing Guide
Blind XSS
Blind XSS is a form of stored XSS in which the attacker does not know where, or when, the payload will actually be executed. The attacker submits a series of JavaScript payloads and waits for the results. Log-in forms, log viewers, and similar back-end pages are the places where blind XSS is typically found. For example, an attacker might inject a payload into a field that is written to a log file; if the administrator's log viewer does not sanitize that input, the JavaScript executes as soon as the administrator views the log.
DOM-Based XSS
DOM-based XSS vulnerabilities are similar to traditional reflected/stored XSS vulnerabilities, the only difference being that they occur entirely on the client side. The lack of filtering in client-side scripts is the primary cause of DOM-based XSS vulnerabilities.
DOM XSS has been known for a long time; it was introduced by Amit Klein in 2005. However, since the advent of HTML5 we have seen a major increase in client-side, JavaScript-rich applications (AJAX and the like) built to provide more features.
The heavy use of JavaScript often introduces unsafe sinks (innerHTML, document.write, setTimeout, etc.). A sink is a JavaScript function or property that is used to create or modify HTML. When input taken from a JavaScript source reaches a vulnerable sink without filtering, the result is a DOM-based XSS vulnerability.
Detecting DOM-Based XSS
To detect a DOM XSS vulnerability, we need to manually inspect the JavaScript to identify all the sources and sinks. By JavaScript sources, I mean anything from which the script reads input, that is, wherever attacker-controllable data enters the script.
Some of the well-known sources you will encounter are document.location, document.referrer, document.cookie, window.name, and location.hash.
Once we have identified all the sources and sinks, we need to trace whether a source reaches a particular execution sink. Here is a list of some of the common sources/sinks that you will encounter most often.
Sources (Inputs)
document.URL
document.location.hash
document.location.href
document.location.pathname
document.referrer
window.name
Sinks (Creating/Modifying HTML Elements)
createElement
innerHTML
document.write
document.writeln
eval function
setTimeout function
To learn more about JavaScript sources and sinks, refer to the following link to the “DOM-based 
XSS” wiki, which contains the best possible list for all JavaScript sources/sinks and some valuable 
information about DOM-based XSS.

http://code.google.com/p/domxsswiki/
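The source-to-sink tracing described above, as an added example that is not part of the book: a crude static checker that marks any variable assigned from one of the listed sources as tainted and flags lines where a source or tainted variable reaches one of the listed sinks. The sample script is constructed, the checker assumes one statement per line and plain identifiers, and its regular expressions only cover the sources and sinks named on this page.

```javascript
// Added example, not from the book: a crude static source-to-sink checker for
// DOM XSS. Assumes one statement per line and plain identifiers (no destructuring).

// Sources and sinks restricted to the ones listed on this page.
const SOURCE_RE = /\b(?:document\.URL|(?:document\.)?location\.(?:hash|href|pathname)|document\.referrer|window\.name)\b/;
const SINK_RE = /(\.innerHTML\s*=(?!=)|document\.write(?:ln)?\s*\(|\beval\s*\(|\bsetTimeout\s*\()/;
// "var x = <expr>" or "x = <expr>": captures the variable and its right-hand side.
const ASSIGN_RE = /^\s*(?:var|let|const)?\s*([A-Za-z_]\w*)\s*=(?!=)\s*(.+)$/;

function mentionsAny(text, names) {
  return [...names].some((n) => new RegExp("\\b" + n + "\\b").test(text));
}

// Returns one finding per line where a source, or a variable assigned from a
// source, reaches a sink. Taint is propagated only through simple assignments,
// so real code still needs manual review (function calls, DOM reads, etc.).
function findSourceToSink(jsText) {
  const tainted = new Set();
  const findings = [];
  jsText.split("\n").forEach((raw, idx) => {
    const line = raw.trim();
    if (!line) return;
    const hasSource = SOURCE_RE.test(line);
    const sink = line.match(SINK_RE);
    if (sink && (hasSource || mentionsAny(line, tainted))) {
      findings.push({
        line: idx + 1,
        sink: sink[1].replace(/[\s=(]+$/, "").replace(/^\./, ""),
        text: line,
      });
    }
    const asg = line.match(ASSIGN_RE);
    if (asg && (SOURCE_RE.test(asg[2]) || mentionsAny(asg[2], tainted))) {
      tainted.add(asg[1]); // this variable now carries attacker-controlled data
    }
  });
  return findings;
}

// Constructed sample script (line 1 is the blank line after the backtick):
// lines 3 and 6 are DOM XSS; line 7 writes to textContent, which is not a sink.
const SAMPLE_JS = `
var name = decodeURIComponent(location.hash.slice(1));
document.getElementById("greet").innerHTML = "Hello " + name;
var ref = document.referrer;
console.log(ref);
eval("track('" + window.name + "')");
el.textContent = location.href;
`;

console.log(findSourceToSink(SAMPLE_JS));
```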
Let’s now take a look at some examples of DOM XSS vulnerabilities that will help you understand how the attack works.