Q: What does it mean?
A: First of all, I'd say, it actually means that there's another feature that makes DOMinatorPro a bleeding edge tool for finding DOM Based XSS :).
The Stored Strings tainting is a very interesting feature that DOMinatorPro implements for tracking stored DOM Based Cross Site Scripting issues.
Think about the following scenery.
Pseudo code:

setName.do

    String name = getFromParameter("name");
    saveOnDB(name);

getName.do

    String name = getNameFromDB();
    // escape the source (name) from DB so no stored XSS is there
    String jsEscape = encodeForJavaScript(name);
    print "<script>\n";
    // No problem here since it's escaped.
    print "var aname='({\"aName\":\""+jsEscape+"\"})';";
    print "eval(aname);\n";
    print "</script>";

So we'll get in the getName.do page:

    ..
    <script>
    var aname='({"aName":"PATTERN"})';
    eval(aname);
    </script>
    ..

At this point you surely understand the issue in the flow:

Step 1. Attacker sends name=PATTERN
Step 2. Victim visits a page with the flawed Js.

The attacker can't directly get out of the string, since it's supposed to be correctly escaped, so a payload like name=testPATTERN"'> will become:

    var aName="testPATTERN\x22\x27\x3c";

Which is not directly exploitable, but if that same variable is used as an argument for Function or eval, or innerHTML, or some of the other sinks described on the DOMXSS Wiki (contribute please), then it's an exploitable issue.
No existing tool but DOMinatorPro is able to trace patterns like that during JavaScript execution.
What the tester has to do is turn on tainting on Stored Strings and set the pattern to be traced, using the settings:
Finally, the user will just have to create the scenario by browsing the application with DOMinatorPro.
And she'll get output like the following:
Where StoredTainted is the constant string, transformed into a tainted one on the fly.
There are several interesting possibilities for tainted stored strings, like applying the same checks to responses from XMLHttpRequests.
But that's food for another blog post.
Feedback is, as usual, really welcome!
PS. If you're a licensed user, remember to update the DOMinatorPro Extension to the latest one from your DOMinator downloads page.