DOM XSS
DOM vulnerabilities occur when data from attacker-controlled sources (such as location.search, document.referrer, or document.cookie) is passed unsafely to sinks. Sinks are functions or objects (for example, eval() or document.body.innerHTML) that can execute or render harmful content if they are given malicious data.
Sources are inputs that can be manipulated by attackers, including URLs, cookies, and web messages.
Sinks are dangerous places where malicious data can cause harm, such as script execution.
The danger arises when data flows from a source to a sink without proper validation or sanitization, enabling attacks such as XSS.
You can find a more up-to-date list of sources and sinks at https://github.com/wisec/domxsswiki/wiki
| Common sources: | Common sinks: | | |
| --- | --- | --- | --- |
| location | eval() | scriptElement.src | add() |
| location.host | Function() constructor | scriptElement.text | after() |
| location.hostname | setTimeout() | scriptElement.textContent | append() |
| location.href | setInterval() | scriptElement.innerText | animate() |
| location.pathname | setImmediate() | someDOMElement.setAttribute() | insertAfter() |
| location.search | execCommand() | someDOMElement.search | insertBefore() |
| location.protocol | execScript() | someDOMElement.text | before() |
| location.assign() | msSetImmediate() | someDOMElement.textContent | html() |
| location.replace() | range.createContextualFragment() | someDOMElement.innerText | prepend() |
| open() | crypto.generateCRMFRequest() | someDOMElement.outerText | replaceAll() |
| XMLHttpRequest.open() | FileReader.readAsArrayBuffer() | someDOMElement.name | wrap() |
| XMLHttpRequest.send() | FileReader.readAsBinaryString() | someDOMElement.target | wrapInner() |
| jQuery.ajax() | FileReader.readAsDataURL() | someDOMElement.method | wrapAll() |
| $.ajax() | FileReader.readAsText() | someDOMElement.type | has() |
| XMLHttpRequest.setRequestHeader() | FileReader.root.getFile() | someDOMElement.cssText | init() |
| XMLHttpRequest.open() | FileReader.root.getFile() | someDOMElement.codebase | index() |
| jQuery.globalEval() | someDOMElement.href | someDOMElement.outerHTML | $.parseHTML() |
| localStorage.setItem() | document.evaluate() | document.writeln() | $.parseJSON() |
| Denial of Service | someDOMElement.evaluate() | document.title | requestFileSystem() |
| document.implementation.createHTMLDocument() | document.cookie | executeSql() | postMessage() |
The innerHTML sink doesn't accept script elements on any modern browser, nor will svg onload events fire. This means you will need to use alternative elements like img or iframe.
This kind of XSS is probably the hardest to find, as you need to look inside the JS code, see if it's using any object whose value you control, and in that case, see if there is any way to abuse it to execute arbitrary JS.
Browser extension to check every piece of data that reaches a potential sink: https://github.com/kevin-mizu/domloggerpp
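As an added example (not code from the original page or from domloggerpp), here is a minimal sink monitor in the same spirit as the extension: it hooks one property sink and one function sink and records every write that carries a value taken from a source, which is the source-to-sink flow described at the top of the page. The `win` object is a constructed stand-in for window/document so the demo runs in Node, and the probe value in its query string is made up.

```javascript
// Added example (not from the original page): a minimal sink monitor in the spirit of
// domloggerpp; `win` is a constructed stand-in for window/document so it runs in Node.
const findings = [];
// Current attacker-influenced values, re-read on every sink call because they can change.
function sourceValues(win) {
  const fromQuery = [...new URLSearchParams(win.location.search).values()];
  const fromHash = decodeURIComponent(win.location.hash.slice(1));
  return [...fromQuery, fromHash, win.document.referrer].filter((v) => v && v.length > 3);
}
// Record a finding when a source value appears verbatim in what reaches the sink.
function record(sink, value, win) {
  const text = String(value);
  const from = sourceValues(win).filter((src) => text.includes(src));
  if (from.length) findings.push({ sink, value: text, from });
}
// Hook a property sink such as innerHTML: inspect each assignment, then store it.
function hookSetter(obj, prop, sink, win) {
  let stored = obj[prop];
  Object.defineProperty(obj, prop, {
    configurable: true,
    get: () => stored,
    set(value) { record(sink, value, win); stored = value; },
  });
}
// Hook a function sink such as eval() or setTimeout(): inspect the first argument.
function hookFunction(obj, name, sink, win) {
  const original = obj[name];
  obj[name] = function (...args) { record(sink, args[0], win); return original.apply(this, args); };
}
// Constructed browser stand-in; the query string carries a harmless probe value.
const win = {
  location: { search: '?name=%3Cb%3Eprobe%3C%2Fb%3E', hash: '' },
  document: { referrer: '', body: { innerHTML: '', textContent: '' } },
  eval: (code) => code,
};
hookSetter(win.document.body, 'innerHTML', 'document.body.innerHTML', win);
hookFunction(win, 'eval', 'eval()', win);
// Vulnerable page logic: the query parameter flows straight into an HTML sink.
function greetUnsafely(w) {
  const name = new URLSearchParams(w.location.search).get('name');
  w.document.body.innerHTML = 'Hello ' + name;
}
// Hardened version: the same data is written as text, so markup in it stays inert.
function greetSafely(w) {
  const name = new URLSearchParams(w.location.search).get('name');
  w.document.body.textContent = 'Hello ' + name;
}
greetUnsafely(win); // one finding: the source value reached document.body.innerHTML
greetSafely(win);   // textContent is not a hooked sink: nothing recorded
```

In a real page the same hooks go on Element.prototype.innerHTML, window.eval and the other sinks from the table, and the findings array is what you read in the console.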
From: https://portswigger.net/web-security/dom-based/open-redirection
Open redirect vulnerabilities in the DOM occur when a script writes data, which an attacker can control, into a sink capable of initiating navigation across domains.
It's crucial to understand that executing arbitrary code, such as javascript:alert(1), is possible if you have control over the start of the URL where the redirection occurs.
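As an added example (not part of the original page or PortSwigger's material), this is the check a page should apply to a redirect target read from a source before handing it to location.assign() or location.href: parse it, refuse non-http(s) schemes, and refuse any origin other than the page's own. ALLOWED_ORIGIN and the `nav` object are assumptions for the demo; URL is the WHATWG parser that browsers and Node share.

```javascript
// Added example (not from PortSwigger or the original page): validating a redirect target
// taken from a source before it reaches location.assign()/location.href.
// ALLOWED_ORIGIN is an assumed value; URL is the WHATWG parser browsers and Node share.
const ALLOWED_ORIGIN = 'https://example.com';

// Returns the absolute URL to navigate to, or null when the target must be refused.
function safeRedirectTarget(rawTarget, currentOrigin = ALLOWED_ORIGIN) {
  if (typeof rawTarget !== 'string' || rawTarget.trim() === '') return null;
  let url;
  try {
    // Resolving against the current origin turns "/account" into a same-origin URL, but it
    // also turns "//evil.example" into https://evil.example/, hence the origin check below.
    url = new URL(rawTarget.trim(), currentOrigin);
  } catch (e) {
    return null; // not parseable as a URL
  }
  // Scheme check: javascript:, data:, vbscript: and friends never pass (URL lowercases the
  // scheme, so "JavaScript:" is caught too).
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  // Destination must be same-origin; "https://example.com@evil.example/" fails here because
  // the parser treats "example.com" as userinfo and "evil.example" as the host.
  if (url.origin !== currentOrigin) return null;
  return url.href;
}

// The vulnerable pattern the text describes, for contrast: whatever the source holds is
// handed to the navigation sink unchanged. `nav` is a constructed stand-in for location.
function redirectUnsafely(nav, rawTarget) {
  nav.href = rawTarget;
}
// Hardened: validate first, fall back to the site root, report whether the target was accepted.
function redirectSafely(nav, rawTarget) {
  const target = safeRedirectTarget(rawTarget);
  nav.href = target === null ? ALLOWED_ORIGIN + '/' : target;
  return target !== null;
}
```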
Sinks:
From: https://portswigger.net/web-security/dom-based/cookie-manipulation
DOM-based cookie-manipulation vulnerabilities arise when a script incorporates data that can be controlled by an attacker into the value of a cookie. This vulnerability can lead to unexpected behaviour of the web page if the cookie is used within the site. Moreover, it can be used to carry out a session-fixation attack if the cookie is involved in tracking user sessions. The main sink associated with this vulnerability is:
Sinks:
From: https://portswigger.net/web-security/dom-based/javascript-injection
DOM-based JavaScript-injection vulnerabilities arise when a script runs data that can be controlled by an attacker as JavaScript code.
Sinks:
From: https://portswigger.net/web-security/dom-based/document-domain-manipulation
Document-domain manipulation vulnerabilities occur when a script sets the document.domain property using data that an attacker can control.
The document.domain property plays a key role in the browser's enforcement of the same-origin policy. When two pages from different origins set their document.domain to the same value, they can interact without restrictions. Although browsers impose certain limits on the values that can be assigned to document.domain, preventing the assignment of values completely unrelated to the page's actual origin, there are exceptions. Typically, browsers allow the use of child or parent domains.
Sinks:
From: https://portswigger.net/web-security/dom-based/websocket-url-poisoning
WebSocket-URL poisoning occurs when a script uses controllable data as the target URL for a WebSocket connection.
Sinks:
The WebSocket constructor can lead to WebSocket-URL poisoning vulnerabilities.
From: https://portswigger.net/web-security/dom-based/link-manipulation
DOM-based link-manipulation vulnerabilities arise when a script writes attacker-controllable data to a navigation target within the current page, such as a clickable link or the submission URL of a form.
Sinks:
From: https://portswigger.net/web-security/dom-based/ajax-request-header-manipulation
Ajax request-header manipulation vulnerabilities arise when a script writes attacker-controllable data into an Ajax request that is issued using an XmlHttpRequest object.
Sinks:
From: https://portswigger.net/web-security/dom-based/local-file-path-manipulation
Local file-path manipulation vulnerabilities arise when a script passes attacker-controllable data to a file-handling API as the filename parameter. This vulnerability can be used by an attacker to construct a URL that, if visited by another user, could cause the user's browser to open or write an arbitrary local file.
Sinks:
From: https://portswigger.net/web-security/dom-based/client-side-sql-injection
Client-side SQL-injection vulnerabilities occur when a script incorporates attacker-controllable data into a client-side SQL query in an unsafe way.
Sinks:
From: https://portswigger.net/web-security/dom-based/html5-storage-manipulation
HTML5-storage manipulation vulnerabilities arise when a script stores attacker-controllable data in the web browser's HTML5 storage (localStorage or sessionStorage). Although this action is not inherently a security risk, it becomes a problem if the application later reads the stored data and processes it in an unsafe way. This can allow an attacker to use the storage mechanism to deliver other DOM-based attacks, such as cross-site scripting and JavaScript injection.
Sinks:
From: https://portswigger.net/web-security/dom-based/client-side-xpath-injection
DOM-based XPath-injection vulnerabilities occur when a script incorporates attacker-controllable data into an XPath query.
Sinks:
From: https://portswigger.net/web-security/dom-based/client-side-json-injection
DOM-based JSON-injection vulnerabilities occur when a script incorporates attacker-controllable data into a string that is parsed as a JSON data structure and then processed by the application.
Sinks:
From: https://portswigger.net/web-security/dom-based/web-message-manipulation
Web-message vulnerabilities arise when a script sends attacker-controllable data as a web message to another document within the browser. An example of web-message manipulation can be found in PortSwigger's Web Security Academy.
Sinks:
The postMessage() method for sending web messages can lead to vulnerabilities if the event listener that receives the message handles the incoming data in an unsafe way.
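As an added example (not code from the original page or from PortSwigger), here are both ends of a web-message exchange written defensively: the sender names its destination origin instead of '*', and the receiving listener checks event.origin and the message shape and writes the payload as text. TRUSTED_ORIGIN and the {type, text} message format are assumptions for the demo; the window and element objects are constructed stand-ins so it runs in Node.

```javascript
// Added example (not from PortSwigger or the original page): both ends of a web-message
// exchange. TRUSTED_ORIGIN and the {type, text} message shape are assumptions for the demo.
const TRUSTED_ORIGIN = 'https://app.example.com';

// Sending side: name the destination origin instead of '*', so the browser only delivers
// the message if the target window currently holds a document from that origin.
function sendStatus(targetWindow, text) {
  targetWindow.postMessage(JSON.stringify({ type: 'status', text }), TRUSTED_ORIGIN);
}

// Receiving side: the listener the text warns about, written so incoming data is checked
// before use and never interpreted as HTML or code. In a page it is registered with
// window.addEventListener('message', (e) => handleWebMessage(e, outputEl)).
// Returns an outcome object so the behaviour can be asserted without a browser.
function handleWebMessage(event, outputEl) {
  // 1. Only accept messages from the origin we expect; event.origin is set by the browser
  //    and cannot be forged by the sending document.
  if (event.origin !== TRUSTED_ORIGIN) return { accepted: false, reason: 'origin' };
  // 2. Parse as data. JSON.parse never executes anything, unlike eval(event.data).
  let msg;
  try {
    msg = typeof event.data === 'string' ? JSON.parse(event.data) : event.data;
  } catch (e) {
    return { accepted: false, reason: 'not JSON' };
  }
  // 3. Enforce the expected shape so an unexpected field cannot steer the page logic.
  if (!msg || typeof msg !== 'object' || msg.type !== 'status' || typeof msg.text !== 'string') {
    return { accepted: false, reason: 'shape' };
  }
  // 4. Write as text. The vulnerable variant is outputEl.innerHTML = msg.text.
  outputEl.textContent = msg.text;
  return { accepted: true, reason: null };
}
```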
From: https://portswigger.net/web-security/dom-based/dom-data-manipulation
DOM-data manipulation vulnerabilities arise when a script writes attacker-controllable data to a field within the DOM that is used within the visible UI or the client-side logic. This vulnerability can be used by an attacker to construct a URL that, if visited by another user, could alter the appearance or behaviour of the client-side UI.
Sinks:
From: https://portswigger.net/web-security/dom-based/denial-of-service
DOM-based denial-of-service vulnerabilities arise when a script passes attacker-controllable data in an unsafe way to a problematic platform API. This includes APIs that, when invoked, can cause the user's computer to consume excessive amounts of CPU or disk space. Such vulnerabilities can have significant side effects, such as the browser restricting the website's functionality by rejecting attempts to store data in localStorage or by terminating running scripts.
Sinks: