Tuesday, October 9, 2012

Stored DOM Based Cross Site Scripting

Since the very first release of DOMinatorPro, there is an 'S' little button in the right down corner:

Q: What does it mean?
A: First of all, I'd say, it actually means that there's another feature that makes DOMinatorPro a bleeding edge tool for finding DOM Based XSS :).

The Stored Strings tainting is a very interesting feature that DOMinatorPro implements for tracking stored DOM Based Cross Site Scripting issues.

Think about the following scenery.

Pseudo code:
String name=getFromParameter("name"); saveOnDB(name);
String name = getNameFromDB(); // escape the source (name) from DB so no stored XSS is there String jsEscape=encodeForJavaScript(name); print "<script>\n"; // No problem here since it's escaped. print "var aname='({\"aName\":\""+jsEscape+"\"})';"; print "eval(aname);\n"; print "</script>";
So we'll get in the getName.do page :
.. <script> var aname='({"aName":"PATTERN"})'; eval(aname); </script> ..
At this point you surely understand the issue in the flow:

Step 1. Attacker sends name=PATTERN


Step 2. Victim visits a page with the flawed Js.

The attacker can't directly get out from the string since it's supposed to be correctly escaped, so that a payload like name=testPATTERN"'> will become:

var aName="testPATTERN\x22\x27\x3c"; ..
Which is not directly exploitable, but if that same variable is used as argument for a Function or eval, or innerHTML or some of the sinks described on DOMXSS Wiki (contribute please), then it's an exploitable issue.

No existing tool is able to trace patterns like that during JavaScript execution but DOMinatorPro.
What the tester has to do is to turn on tainting on Stored Strings and set the pattern which has to be traced using the settings:

Finally, the user will just have to create the scenario by browsing the application with DOMinatorPro.
And she'll get some output like the following:

Where StoredTainted is the constant string transformed as tainted on the fly.

There are several interesting possibilities by using the tainted stored strings, like applying the same checks on responses from XMLHttpRequests.
But that's food for another blog post.

Feedbacks  are, as usual really welcome!

Ps. If you're a licensed user remember to update the DOMinatorPro Extension to the latest one from your dominator downloads page.

No comments:

Post a Comment