Due to the lack of literature about DOM Based XSS identification tools awareness, we decided to write a paper that took the actual tools that are stated to be able to identify DOM Based XSS and test their capabilities when dealing with a real world DOM XSS issue.
"..
Minded Security has been the first company to launch a commercial tool aimed to identify DOM Based XSS with a runtime approach: DOMinatorPro.
In 2012, as a result of our research on DOM XSS, we released the tainting engine on github.com as an open source project and created a commercial version that let users easily identify several kind of JavaScript vulnerabilities with a pretty high rate of accuracy .
Since then, some tools, open source and commercial, have been developed and awareness on this very topic grew among application security experts.
The following paper will try to give an unbiased study supported by objective
facts about precision and accuracy of existing tools that are stated to
identify DOM Based XSS vulnerabilities.
..."
Showing posts with label JavaScript Security. Show all posts
Showing posts with label JavaScript Security. Show all posts
Wednesday, February 4, 2015
Thursday, November 8, 2012
DOMinatorPro Fuzzer finds a DOM XSS on Google.com
Introduction a.k.a. tl;dr
A quite simple DOM Based XSS was found on https://www.google.com/ context using DOMinatorPro.
What I think it's interesting here, is to show how DOMinatorPro works in this real world case.
In order to give a more detailed description, i recorded a video (HD) to show how DOMinatorPro can help in finding those particular kind of issues.
Some Details
DOMinatorPro is a runtime JavaScript DOM XSS analyzer, which means it can check for complex filters and help in finding debug and/or unreferenced parameters during JavaScript execution.In order to do that, DOMinatorPro exposes a fuzzer button which fuzzes the URL query string and html input elements that have keyboard events attached to them as shown in the youtube video.
By using that feature I found that the code in
http://www.googleadservices.com/pagead/landing.jsuses unvalidated input to build the argument for two document.write call.
This javascript is used, among others, by:
http://www.google.com/toolbar/ie/index.htmland
https://www.google.com/toolbar/ie/index.htmlwhich means that one more time a (almost) 3rd party script introduces a flaw in the context of an unaware domain.
Source Analysis
From http://www.googleadservices.com/pagead/landing.js (which has now been removed) the following lines do not escape user input:Line 53:
if (w.google_conversion_ad) {
url = url + "&gad=" + w.google_conversion_ad;
}
if (w.google_conversion_key) {
url = url + "&gkw=" + w.google_conversion_key;
}
if (w.google_conversion_mtc) {
url = url + "&gmtc=" + w.google_conversion_mtc;
}
if (w.google_conversion_raw) {
url = url + "&graw=" + w.google_conversion_raw;
}
if (w.google_conversion_domain) {
url = url + "&dom=" + w.google_conversion_domain;
}
And those values are taken by using :
function google_get_param(url, param) {...
var i;
var val;
if ((i = url.indexOf("?" + param + "=")) > -1 ||
(i = url.indexOf("?" + param.toUpperCase() + "=")) > -1 ||
(i = url.indexOf("&" + param + "=")) > -1 ||
(i = url.indexOf("&" + param.toUpperCase() + "=")) > -1) {
val = url.substring(i + param.length + 2, url.length);
if ((i = val.indexOf("&")) > -1) {
val = val.substring(0, i);
}
}
return val;
}
google_conversion_ad = google_get_param(url, "gad");
if (window.google_conversion_ad) {
(google_conversion_key = google_get_param(url, "gkw")) ||
(google_conversion_key = google_get_param(url, "ovkey"));
google_conversion_mtc = google_get_param(url, "ovmtc");
google_conversion_raw = google_get_param(url, "ovraw");
}
}
After the previous code, the url variable is used on line 91:
document.write('' name="google_conversion_frame"' +
' width="' + width + '"' +
' height="' + height + '"' +
' src="' + url + '"' +
' frameborder="0"' +
' marginwidth="0"' +
' marginheight="0"' +
' vspace="0"' +
' hspace="0"' +
' allowtransparency="true"' +
' scrolling="no">');
and line 103:
document.write(''src="' + url + '&ifr' + 'ame=0"' +so the offending url (which can be found with DOMinatorPro fuzzer), is:
' />');
http://www.google.com/toolbar/ie/index.html?&gad=bbbb&gkw=yyyy&ovkey=10101010&ovmtc=14141414&ovraw=18181818&
and on any of those parameters can be added an attack payload like:
AAAA"onload="alert(document.domain)"
Remediation
I suggested that the use of encodeURIComponent on user dataif (w.google_conversion_ad) {
url = url + "&gad=" + encodeURIComponent(w.google_conversion_ad);
}
if (w.google_conversion_key) {
url = url + "&gkw=" +
encodeURIComponent(w.google_conversion_key);
}
if (w.google_conversion_mtc) {
url = url + "&gmtc=" +
encodeURIComponent(w.google_conversion_mtc);
}
if (w.google_conversion_raw) {
url = url + "&graw=" +
encodeURIComponent(w.google_conversion_raw);
}
if (w.google_conversion_domain) {
url = url + "&dom=" +
encodeURIComponent(w.google_conversion_domain);
}
would have solved the problem.
Anyway, Google fixed that by removing that script for good, which is a solution as well! :)
Conclusions
As already said in my previous post, I still see DOM based XSS all around with little awareness and difficulties by all actors in SDLC in identifying them.DOMinatorPro can really help in finding DOM based XSS and it does that by helping testers, developers or QA users by trying to give the information they need by adapting to the knowledge they have.
Give DOMinatorPro a Try
Do you still trust all those 3rd party JavaScripts embedded in your pages ?
Just browse your site with DOMinatorPro or fuzz your pages and see what happens. :)
In case you need help, check out our professional services or just ask for a contact.
Subscribe to:
Posts
(
Atom
)