logo
  • Home
    • Categories
    • About
      • en-languageEnglish
        • Home
        • Categories
        • About
      • en-languageEnglish
      SecurityBy Pierre Colart

      DOM-based vulnerabilities

      Context

      The Document Object Model (DOM) is the hierarchical structure of web page elements as perceived by the browser. Developers often use JavaScript to access and manipulate the objects and nodes of the DOM as well as their properties. However, if the manipulated data is not secure, this can lead to vulnerabilities based on the DOM.

      DOM-based vulnerabilities occur when websites contain JavaScript code that takes potentially attacker-controllable data, called "sources," and passes it to potentially dangerous functions or objects, called "receivers." For example, a common source is the URL, which can be accessed with the JavaScript location property. Attackers can construct links to bring users to vulnerable web pages, with a payload in the URL query string.

      Sources can include the query string, cookies, Web messages, etc. Receivers include functions such as eval(), which treats arguments as JavaScript code, and DOM objects such as document.body.innerHTML, which can potentially allow attackers to inject malicious HTML code and execute arbitrary JavaScript code.

      To exploit or mitigate DOM-based vulnerabilities, it is important to understand the flow of data contamination from sources to receivers. Developers need to be aware of data that may be potentially attacker-controllable and functions or objects that may be potentially dangerous. By adopting secure development practices, developers can avoid or reduce the risks of DOM-based vulnerabilities.

      Fundamentally, DOM-based vulnerabilities occur when a website transmits data from a source to a receiver, which then processes the data in an insecure manner in the context of the client's session.

      The most common source is the URL, which is typically accessed with the location object. An attacker can construct a link to send a victim to a vulnerable page with a payload in the query string and fragment portions of the URL. Consider the following code :

       goto = location.hash.slice(1)
if (goto.startsWith('https:')) {
  location = goto;
}

      Open redirection based on DOM is a security vulnerability that can be exploited by attackers to redirect users to malicious sites. This vulnerability occurs when a website manipulates the location.hash property in an insecure manner.

      The location.hash property contains a string of characters that follow the "#" symbol in the URL. If the URL contains a hash fragment starting with "https:", this code extracts the value of the location.hash property and sets it as the location property of the window. Attackers can exploit this vulnerability by constructing a malicious URL containing a hash fragment with instructions to redirect users to malicious websites.

       https://www.website.com/example#https://www.attacker-user.net

      This vulnerability is called "open redirection" because it allows an attacker to redirect users to malicious websites by exploiting security vulnerabilities of the targeted website. Attackers can use this vulnerability to steal sensitive information such as usernames, passwords, credit card information, etc.

      Common sources

       document.URL
document.documentURI
document.URLUnencoded
document.baseURI
location
document.cookie
document.referrer
window.name
history.pushState
history.replaceState
localStorage
sessionStorage
IndexedDB (mozIndexedDB, webkitIndexedDB, msIndexedDB)
Database

      Common Sinks

      Here is a list that provides a quick overview of common vulnerabilities based on the Document Object Model (DOM), as well as an example of a "sink" that can lead to each vulnerability. For a more comprehensive list of relevant "sinks", please refer to specific vulnerability pages by clicking on the links below.

      DOM-based vulnerabilities Example
      DOM XSS document.write()
      Open redirection window.location
      Cookie manipulation document.cookie
      JavaScript injection eval()
      Document-domain manipulation document.domain
      WebSocket-URL poisoning WebSocket()
      Link manipulation element.src
      Web message manipulation element.src
      Link manipulation postMessage()
      Ajax request-header manipulation setRequestHeader()
      Local file-path manipulation FileReader.readAsText()
      Client-side SQL injection ExecuteSql()
      HTML5-storage manipulation sessionStorage.setItem()
      Client-side XPath injection document.evaluate()
      DOM-data manipulation element.setAttribute(
      Denial of service RegExp()

      How to prevent vulnerabilities

      In computer security, there is no one-size-fits-all solution to completely eliminate the threat of DOM (Document Object Model) based attacks. However, the best way to avoid these vulnerabilities is generally to not allow data from untrusted sources to dynamically modify the values passed to receivers.

      If the application functionality nevertheless requires this behavior, it is necessary to implement client-side defenses. In many cases, relevant data can be validated by only allowing known safe content (whitelist). In other cases, data will need to be cleaned or encoded. This task can be complex and, depending on the context of the data insertion, may involve JavaScript escaping, HTML encoding, and URL encoding in a specific order.

      To learn about the measures to take to prevent specific vulnerabilities, it is recommended to refer to the corresponding vulnerability pages linked in the table above

      Pierre Colart

      Passionate developer and architect who wants to share their world and discoveries in order to make things simpler for everyone.

      See profil

      Latest posts

      Sequences, Time Series and Prediction
      Natural Language Processing
      Make your convolutional Neural Networks better
      Tensorflow - bases
      Android : clean architecture

      © 2023 Switch case. Made with by Pierre Colart