Is the payload for DOM based XSS defined to originate from only inside the browser or even outside of it

I have read in multiple places contradictory views on what might be considered a DOM based XSS. It seems that the original definition says that it is a form of XSS where the payload originates exclusively from inside the browser, but some people also view it as a form of XSS where the payload may not necessarily originate from inside the browser, but is used to modify the DOM.

The second view is what confuses me. What exactly does it mean that the payload is used to modify the DOM? The OWASP page describing DOM XSS gives an example which, to me, seems to be the same as reflected XSS.

It says:

A DOM Based XSS attack against this page can be accomplished by sending the following URL to a victim: http://www.some.site/page.html?default=<script>alert(document.cookie)</script>. When the victim clicks on this link, the browser sends a request for: /page.html?default=<script>alert(document.cookie)</script>. The server responds with the page containing the above Javascript code.

The original Javascript code simply echoes it into the page (DOM) at runtime. The browser then renders the resulting page and executes the attacker’s script: alert(document.cookie)

Since the payload is going from the victim's browser to the server and coming back to the browser, how is this not reflected XSS instead?

Should I interpret this as Reflected XSS means being able to inject <script> tags in an HTML context, and DOM based XSS means being able to inject a payload inside an already existing <script>?

Reply

DOM based XSS vs Reflected XSS

Should I interpret this as Reflected XSS means being able to inject <script> tags in an HTML context, and DOM based XSS means being able to inject a payload inside an already existing <script>?

No.

Reflected XSS means that your injected payload is reflected into the answer delivered by the server and executed by the browser (it doesn't matter where the payload is inserted, as long as it is interpreted by the browser).

With DOM based XSS, the payload may or may not be delivered in the reply of the server, but it will not be executed by the browser as-is. Instead, the JavaScript code delivered by the server will take it, and insert it into the DOM, thus leading to its execution.

DOM based XSS and Server Interaction

Since the payload is going from the victim's browser to the server and coming back to the browser, how is this not reflected XSS instead?

Because the fact that it goes to the server and back is not relevant for the attack.

What is relevant for the attack is that the JavaScript delivered by the server reads out the URL and inserts it into the DOM, thus executing the injected code.

If you keep reading, OWASP also describes this:

The server responds with the page containing the above Javascript code. The browser creates a DOM object for the page, in which the document.location object contains the string:

http://www.some.site/page.html?default=<script>alert(document.cookie)</script>

The original Javascript code in the page does not expect the default parameter to contain HTML markup, and as such it simply echoes it into the page (DOM) at runtime.
[...]
In the example above, while the payload was not embedded by the server in the HTTP response, it still arrived at the server as part of an HTTP request, and thus the attack could be detected at the server side.

So OWASP also specifically states that a DOM based attack can go to the server and back.

Category: xss Time: 2016-07-31 Views: 0
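To make the distinction in the reply concrete, here is an added example that is not part of the original post and not OWASP's code. It simulates, under Node.js, a page whose own JavaScript reads the `default` parameter out of the URL and splices it into markup (modelled on the OWASP snippet the question quotes), and it uses the WHATWG URL class to mimic what a browser does with a link. The allow-list of languages and the `hardenedRender` function are constructed for the example. The point it shows is the one the reply makes: the same page is exploitable whether the payload rides in the query string (and therefore reaches the server) or in the fragment (and never leaves the browser), because the sink is the page's own script, not the server's response.

```javascript
// Added example: simulates the DOM XSS pattern from the OWASP page discussed above.
// Runs under Node.js; no browser DOM is needed because the point is the data flow:
// URL -> the page's own JavaScript -> markup, with or without a round trip to the server.
// Assumption (not from the page): the vulnerable script reads `default` from the URL and
// concatenates it into HTML, modelled on OWASP's document.write(...) snippet.

const ALLOWED_LANGS = ["English", "French", "German"]; // constructed allow-list for the example

// The request target a browser derives from a link: path + query only.
// The fragment (#...) is never sent, so a payload placed there is invisible server-side.
function requestTarget(urlString) {
  const u = new URL(urlString);
  return u.pathname + u.search;
}

// Source: read `default` from location.href, whether it sits in the query or the fragment.
// URLSearchParams percent-decodes, as a page calling decodeURIComponent would.
function readDefaultParam(urlString) {
  const u = new URL(urlString);
  const fromQuery = u.searchParams.get("default");
  if (fromQuery !== null) return fromQuery;
  const fromHash = new URLSearchParams(u.hash.replace(/^#/, "")).get("default");
  return fromHash === null ? "" : fromHash;
}

// Sink, vulnerable form: attacker-controlled text spliced into markup without encoding.
// In the real page this string is handed to document.write / innerHTML and parsed as HTML.
function vulnerableRender(urlString) {
  const value = readDefaultParam(urlString);
  return "<select><option value='" + value + "'>" + value + "</option></select>";
}

// HTML-encode the characters that matter in text and attribute contexts.
function encodeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened form: validate against an allow-list, then encode on output anyway.
function hardenedRender(urlString) {
  const value = readDefaultParam(urlString);
  const chosen = ALLOWED_LANGS.includes(value) ? value : ALLOWED_LANGS[0];
  const safe = encodeHtml(chosen);
  return "<select><option value='" + safe + "'>" + safe + "</option></select>";
}

// Demonstration with OWASP's payload, delivered two ways.
const PAYLOAD = "<script>alert(document.cookie)</script>";
const VIA_QUERY = "http://www.some.site/page.html?default=" + PAYLOAD;    // reaches the server
const VIA_FRAGMENT = "http://www.some.site/page.html#default=" + PAYLOAD; // never leaves the browser

for (const link of [VIA_QUERY, VIA_FRAGMENT]) {
  console.log("link:              " + link);
  console.log("server sees:       " + requestTarget(link));
  console.log("vulnerable output: " + vulnerableRender(link));
  console.log("hardened output:   " + hardenedRender(link));
  console.log();
}
```

Running it prints `/page.html?default=%3Cscript%3E...` as what the server sees for the query variant and bare `/page.html` for the fragment variant, while `vulnerableRender` emits the script tag in both cases. That is why a server-side filter or WAF can at best catch the first variant, and why the fix belongs in the client-side code that owns the sink.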
