DOM based XSS


Prashanth Sivarajan

Sep 11, 2011, 6:31:42 AM
to null-...@googlegroups.com
Hi All,
Here is a scenario.

I have a javascript that throws a login screen after, say, every 5 minutes of idle time. The javascript also auto-fills the username box by reading a cookie "username" without doing any escaping/filtering/encoding of the value stored in the cookie.
Well, theoretically this is a good candidate for DOM based XSS. But I am not able to create a practical working setup.

I have attached the HTML page as a txt file. Host it on a server, open it, set the cookie manually [by typing javascript:alert(document.cookie="username=john") in the URL bar] and refresh the page.

Any help will be greatly appreciated.

regards,
Prashanth
   CISSP
dom.txt

Aditya Lad

Sep 11, 2011, 6:58:21 AM
to null-...@googlegroups.com
[If] the cookie is httponly, javascript won't be able to access cookies using document.cookie.

--
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/

Prashanth Sivarajan

Sep 11, 2011, 7:10:22 AM
to null-...@googlegroups.com
You got the question wrong. It is not about being able to read the cookie. I said I am setting the cookie manually from the URL bar. So obviously it is not HTTPONLY.
Here is the question again: theoretically, when echoing cookie data on the webpage without filtering/encoding it, it is vulnerable to DOM based XSS. I am unable to observe it. Have the browsers become smarter?
 
regards,
Prashanth

Aditya Lad

Sep 11, 2011, 7:26:28 AM
to null-...@googlegroups.com
That's what I am saying: browsers became smart way back in 2003 when IE first introduced it. That was to stop the cookie stealing that was rampant with the advent of XSS and social media.
Later it became the norm and other browsers followed.
If a cookie is set with the httponly attribute appended, the browser does not allow javascript to access {read, write} the cookie.

Instead of trying to modify the cookie directly (if httponly is indeed enabled), you can try modifying the field to which the cookie info is assigned. Of course javascript is tricky, and you may use Firebug, Web Developer etc. add-ons.

Nafeez Ahmed

Sep 11, 2011, 7:32:10 AM
to null-...@googlegroups.com
Well, I guess Aditya got the question wrong. Also @aditya, httponly is not used by most people now. So it's not a big problem. And moreover, httponly can still be overcome using a TRACE request.

@Prashant I really don't get your question here.
Cheers,
Nafeez


Aditya Lad

Sep 11, 2011, 8:02:52 AM
to null-...@googlegroups.com
You can check the HTTP header exchanges and look for set-cookie attributes for Facebook or Google login.
You will see whether httponly is in use or not. I won't say much about TRACE.

Here are some of my 2007 writings on httponly and cookie stealing on Orkut:
http://rhosted.blogspot.com/2008/01/yet-another-xss-yet-another-w0rm.html
http://rhosted.blogspot.com/2007/11/technical-explanation-for-failure-of.html

Prashant, here is a quick tip for the debugging:
1. In my opinion, if httponly is enabled on the web server you are testing, then it *must* be the cause of your problem.
To verify, run javascript:alert(document.cookie) and compare with the stored cookies in Firefox; the httponly ones won't show up in the alert box.

2. If httponly is not there, then most probably it is a javascript error, which you can debug.

Nafeez Ahmed

Sep 11, 2011, 8:23:19 AM
to null-...@googlegroups.com
@aditya: of course people who know about security set httpOnly. And yeah, you were right not to talk much about TRACE methods, because we are living with smart browsers and they are almost not feasible on modern-day browsers. Btw, those were two good articles on cookies. Respect.

People who would do some client-side cookie manipulation won't set httpOnly. It's a paradox. I am talking about the question. Hope I am not wrong.

Prashanth Sivarajan

Sep 11, 2011, 8:26:42 AM
to null-...@googlegroups.com
@aditya: Dude, you totally got the question wrong. The question is totally not related to HTTPONLY. I am able to read the cookie.
 
@Nafeez:
1. A cookie called "username" is set on our site. Say it has the value "john".
2. When the page (attached in my first mail) loads, the javascript reads the cookie and puts the value into the username box.
3. Now say you replace the cookie value with [john\"><script>alert(\'xssd\')</script>]. This theoretically should insert a script tag (by definition this is cross-site scripting).
 
i.e. the HTML will change to
 
<input type="text" id="txtName" value="John"><script>alert('xssd')</script>
 
If it is still not clear, attend my session at the null meet next week ;) I'll tell you about the basics of XSS.
 
Prashanth

Raxit Sheth

Sep 11, 2011, 9:15:37 AM
to null-...@googlegroups.com
Prashanth

Your question is confusing; it would be great if you could jot down the
steps you are trying to do, what result you are expecting at each step
and the actual result.

Are you facing a problem in setting the cookie? Or facing a problem in
retrieving the cookie <and after that exploiting dom based css?>

Raxit


Raxit Sheth

Sep 11, 2011, 9:15:46 AM
to null-...@googlegroups.com
Sorry, XSS.

webDEViL

Sep 11, 2011, 10:28:43 AM
to null-...@googlegroups.com
Looking at your page, I see you set the form's value only.
No document.write etc.

So, I don't see how this will cause an XSS.






--
Regards,
webDEViL


cons0ul

Sep 11, 2011, 10:38:57 AM
to null-...@googlegroups.com, pras...@gmail.com
Hi,

XSS is possible in

>>>> <input type="text" id="txtName" value="" size="30" title="User Name" name="txtUserName" />

>>>> document.getElementById ('txtName').value= readUserName() ;

Try to set the username so that you are able to inject HTML markup tags.

Not checked, though.


cheers,
cons0ul


Dhanesh k

Sep 11, 2011, 10:54:46 AM
to null-...@googlegroups.com, pras...@gmail.com
AFAIK, this won't cause XSS.

As Webdevil said, it is just populating the value.
And there is no document.write or document.getElementById ('txtName').innerHTML= readUserName() ; (sic, it's not even correct :P)

If setting value caused XSS, every textbox on the web would be susceptible to XSS.. lol

My $0.02.

Regards,
Dan

Prashanth Sivarajan

Sep 11, 2011, 9:42:24 AM
to null-...@googlegroups.com
I've already given the step-by-step. I don't know how better to explain. My ID is pras...@gmail.com. Probably I'll be able to explain better over IM.

Prashanth Sivarajan

Sep 11, 2011, 10:45:29 AM
to null-...@googlegroups.com
So only document.write will cause XSS? Setting values on other components won't cause XSS?


Nafeez Ahmed

Sep 11, 2011, 9:56:22 AM
to null-...@googlegroups.com
@prashanth: Well, I understood your question. Basically you're trying to exploit a DOM based XSS from a cookie value, and you're puzzled on how to escape out of the input field, which is an easy peasy lemon squeezy thingy. See you in the next meet,
--
Cheers,
Nafeez


Aditya Lad

Sep 11, 2011, 10:17:56 AM
to null-...@googlegroups.com
Oh, I am sure I got it wrong in the beginning and I totally wasted 2 mails on that httponly thing.. I tried running your page. Let's hope I am right this time.

1. Your page application reads a field from the cookie.
2. You modify the cookie to contain a script tag.
3. You reload the page, and the script tag becomes a part of the text field instead of being interpreted as code.

It looks more like javascript behavior to me; leave the cookie aside:
if I create a regular string var containing script tags, it still gets represented as a string only, not as injected code.
I guess that must be something built into the javascript interpretation engine itself. It has nothing to do with the cookie.

But also, I am not very sure of the use case here. Generally in XSS we talk about data getting reflected from the server, and so it comes from the server as a part of the response itself. From the XSS perspective, technically a cookie is at the client side; as long as the cookie data isn't part of a GET or POST request, how do you modify it? Maybe someone can add here..

Nafeez Ahmed

Sep 11, 2011, 10:58:58 AM
to null-...@googlegroups.com
@Aditya Lad, talk about Self-XSS.
Cheers,
Nafeez


cons0ul

Sep 11, 2011, 11:05:23 AM
to null-...@googlegroups.com
XSS is not possible unless there is innerHTML or write().

Check this out:
http://weblogs.java.net/blog/gmurray71/archive/2006/09/preventing_cros.html

cheers,
cons0ul

Dhanesh k

Sep 11, 2011, 11:09:33 AM
to null-...@googlegroups.com
What I said is about this code:

document.getElementById ('txtName').innerHTML= readUserName()

In this snippet, instead of value, innerHTML is used, which is wrong. Your supplied code is correct; I was just pointing out a possible XSS in wrong code.

You can get a little bit of more info on DOM based XSS here: http://www.webappsec.org/projects/articles/071105.shtml


Regards,
Dan
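
An added illustration of the point webDEViL and Dhanesh make, not code from the thread or from the attached page: the same cookie value is fed to a DOM-property sink (`.value`, which the page uses) and to a string-built markup sink of the kind `innerHTML`/`document.write()` would parse, with escaping as the fix for the latter. `readCookie` is an assumed stand-in for Prashanth's `readUserName()`, whose source is not on the page, and the cookie text is constructed.

```javascript
// Added example (not code from the thread): why filling an <input> through .value is
// not a DOM XSS sink, while concatenating the same string into markup would be.

// Constructed cookie header text carrying the test value quoted in the thread.
const SAMPLE_COOKIE = 'session=abc123; username=john"><script>alert(\'xssd\')</script>';

// Parses document.cookie-style text ("k=v; k2=v2") and returns one value, or null.
// Assumed stand-in for the thread's readUserName(), whose source is not on the page.
function readCookie(cookieText, name) {
  for (const part of cookieText.split(';')) {
    const idx = part.indexOf('=');
    if (idx !== -1 && part.slice(0, idx).trim() === name) return part.slice(idx + 1).trim();
  }
  return null;
}

// Escapes the five characters that can break out of an attribute or text context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Markup sink, unsafe: the quote in the value closes the attribute, and the <script>
// tag would go live if this string reached innerHTML or document.write().
function inputMarkupUnsafe(username) {
  return '<input type="text" id="txtName" value="' + username + '">';
}

// Markup sink, hardened: escaping keeps the entire value inside the attribute.
function inputMarkupSafe(username) {
  return '<input type="text" id="txtName" value="' + escapeHtml(username) + '">';
}

// DOM-property sink: the string is stored as the field's data and never parsed as
// HTML, which is why the page shows the payload as text instead of running it.
function fillUserNameField(inputEl, username) {
  inputEl.value = username;
  return inputEl.value;
}

// Counts <script tags in a markup string: a cheap check that a value escaped its context.
function countScriptTags(markup) {
  return (markup.match(/<script\b/gi) || []).length;
}

const username = readCookie(SAMPLE_COOKIE, 'username');
// In a browser use document.getElementById('txtName'); the plain object stands in for it elsewhere.
const field = (typeof document !== 'undefined' && document.getElementById('txtName')) || { value: '' };
fillUserNameField(field, username);
```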

Prashanth Sivarajan

Sep 11, 2011, 11:23:25 AM
to null-...@googlegroups.com
Oh, got that part wrong. I thought the snippet was from my code.... Now the air is cleared.... Thanks a lot, people.


Sanjeev Sharma

Sep 16, 2011, 2:58:37 PM
to null-...@googlegroups.com

@aditya
XSS is executed on the client side only, so it can read cookies in client-side code. But this script can be persisted into a DB and executed client side on user action..

Sanjeev Sharma
