Sunday, November 25, 2007

DOM Based Cross Site Scripting

We all know what Cross Site Scripting (XSS) is, right? It's that
vulnerability wherein one sends malicious data (typically HTML stuff
with Javascript code in it) that is echoed back later by the
application in an HTML context of some sort, and the Javascript code
gets executed. Well, wrong. There's a kind of XSS which does not
match this description, at least not in some fundamental properties.
The XSS attacks described above are either "non-persistent"/
"reflected" (i.e. the malicious data is embedded in the page that is
returned to the browser immediately following the request) or
"persistent"/"stored" (in which case the malicious data is returned
at some later time). But there's also a third kind of XSS attack -
the ones that do not rely on sending the malicious data to the
server in the first place! While this seems almost contradictory to
the definition or to common sense, there are, in fact, two well-
described examples of such attacks. This technical note discusses
the third kind of XSS, dubbed "DOM Based XSS". No claim is made of
novelty in the attacks themselves, of course; rather, the
innovation in this write-up is in noticing that these belong to a
different flavor, and that this flavor is interesting and important.

Application developers and owners need to understand DOM Based XSS,
as it represents a threat to the web application which has
different preconditions than standard XSS. As such, there are many
web applications on the Internet that are vulnerable to DOM Based
XSS, yet when tested for (standard) XSS, are demonstrated to be "not
vulnerable". Developers and site maintainers (and auditors) need to
familiarize themselves with techniques to detect DOM Based XSS
vulnerabilities, as well as with techniques to defend against them,
both of which differ from the ones applicable to standard XSS.
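An added example (not code from the original technical note or from this blog) that models the "third kind" in plain JavaScript so it runs under Node without a browser: a hypothetical welcome page reads a `name` value out of the full URL, and when that value rides in the fragment the server never receives it, which is why a server-side XSS test reports "not vulnerable" while the browser-side sink is still exploitable. `escapeHtml` stands in for the fix (encode before writing, or use `textContent` instead of `innerHTML`/`document.write`); the URL and payload are constructed sample input.

```javascript
// Models DOM-based XSS without a real DOM: the functions take the string a
// browser exposes as document.URL and return the HTML the page would write.

// What the server (and any server-side log, filter or scanner) sees:
// browsers strip everything from "#" onward before sending the request.
function serverVisibleUrl(url) {
  const hash = url.indexOf("#");
  return hash === -1 ? url : url.slice(0, hash);
}

// Naive client-side extraction of a "name" parameter from document.URL.
// It happily reads the value from the query string OR the fragment.
function extractName(url) {
  const m = /[?&#]name=([^&#]*)/.exec(url);
  return m ? decodeURIComponent(m[1]) : "";
}

// Minimal HTML entity encoding for text placed in an HTML element body.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable sink: untrusted URL data concatenated straight into markup
// (the document.write / innerHTML pattern).
function renderGreetingUnsafe(url) {
  return "<h1>Welcome, " + extractName(url) + "</h1>";
}

// Hardened sink: same page logic, but the value is encoded first.
function renderGreetingSafe(url) {
  return "<h1>Welcome, " + escapeHtml(extractName(url)) + "</h1>";
}

// Constructed sample: the injected markup lives only in the fragment.
const SAMPLE_URL = "https://example.test/welcome.html#name=<i>injected</i>";

console.log("server sees :", serverVisibleUrl(SAMPLE_URL));
console.log("unsafe sink :", renderGreetingUnsafe(SAMPLE_URL));
console.log("safe sink   :", renderGreetingSafe(SAMPLE_URL));
```

Because the request line reaching the server is just `/welcome.html`, detection of this class has to happen in the client-side code (reviewing reads of `document.URL`, `location.hash` and similar sources that flow into HTML sinks), not in server logs.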
