1BO4r2U
1BO4r2U
1BO4r2U
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
187 188<br />
Web Application Penetration Testing<br />
Web Application Penetration Testing<br />
Automated testing has only very limited success at identifying and<br />
validating DOM-based XSS as it usually identifies XSS by sending a<br />
specific payload and attempts to observe it in the server response.<br />
This may work fine for the simple example provided below, where<br />
the message parameter is reflected back to the user:<br />
<br />
var pos=document.URL.indexOf(“message=”)+5;<br />
document.write(document.URL.substring(pos,document.URL.<br />
length));<br />
<br />
but may not be detected in the following contrived case:<br />
<br />
var navAgt = navigator.userAgent;<br />
if (navAgt.indexOf(“MSIE”)!=-1) {<br />
document.write(“You are using IE as a browser and visiting<br />
site: “ + document.location.href + “.”);<br />
}<br />
else<br />
{<br />
document.write(“You are using an unknown browser.”);<br />
}<br />
<br />
that is executed by the application inside the victim’s browser.<br />
This vulnerability can have many consequences, like disclosure of<br />
a user’s session cookies that could be used to impersonate the<br />
victim, or, more generally, it can allow the attacker to modify the<br />
page content seen by the victims or the application behavior.<br />
How to Test<br />
Such vulnerability occurs when the application lacks of a proper<br />
user supplied input and output validation.<br />
JavaScript is used to dynamically populate web pages, this injection<br />
occur during this content processing phase and consequently<br />
affect the victim.<br />
When trying to exploit this kind of issues, consider that some characters<br />
are treated differently by different browsers. For reference<br />
see the DOM XSS Wiki.<br />
The following script does not perform any validation of the variable<br />
rr that contains the user supplied input via the query string<br />
and additionally does not apply any form of encoding:<br />
var rr = location.search.substring(1);<br />
if(rr)<br />
window.location=decodeURIComponent(rr);<br />
This implies that an attacker could inject JavaScript code<br />
simply by submitting the following query string: www.victim.<br />
com/?javascript:alert(1)<br />
References<br />
OWASP Resources<br />
• DOM based XSS Prevention Cheat Sheet<br />
• DOMXSS.com - http://www.domxss.com<br />
Whitepapers<br />
• Browser location/document URI/URL Sources - https://code.<br />
google.com/p/domxsswiki/wiki/LocationSources<br />
• i.e., what is returned when the user asks the browser for things<br />
like document.URL, document.baseURI, location, location.href,<br />
etc.<br />
Testing for HTML Injection (OTG-CLIENT-003)<br />
Summary<br />
HTML injection is a type of injection issue that occurs when a<br />
user is able to control an input point and is able to inject arbitrary<br />
HTML code into a vulnerable web page.<br />
This vulnerability can have many consequences, like disclosure of<br />
a user’s session cookies that could be used to impersonate the<br />
victim, or, more generally, it can allow the attacker to modify the<br />
page content seen by the victims.<br />
How to Test<br />
This vulnerability occurs when the user input is not correctly sanitized<br />
and the output is not encoded. An injection allows the attacker<br />
to send a malicious HTML page to a victim. The targeted<br />
browser will not be able to distinguish (trust) the legit from the<br />
malicious parts and consequently will parse and execute all as legit<br />
in the victim context.<br />
var userposition=location.href.indexOf(“user=”);<br />
var user=location.href.substring(userposition+5);<br />
document.write(“Hello, “ + user +””);<br />
In both examples, an input like the following:<br />
http:/vulnerable.site/page.html?user=<br />
will add to the page the image tag that will execute an arbitrary<br />
JavaScript code inserted by the malicious user in the HTML context.<br />
Black Box testing<br />
Black box testing for HTML Injection is not usually performed<br />
since access to the source code is always available as it needs to<br />
be sent to the client to be executed.<br />
Gray Box testing<br />
Testing for HTML Injection vulnerabilities:<br />
For example, looking at the following URL:<br />
http:/www.domxss.com/domxss/01_Basics/06_jquery_old_html.html<br />
For this reason, automated testing will not detect areas that may be<br />
susceptible to DOM-based XSS unless the testing tool can perform<br />
addition analysis of the client side code.<br />
Manual testing should therefore be undertaken and can be done by<br />
examining areas in the code where parameters are referred to that<br />
may be useful to an attacker. Examples of such areas include places<br />
where code is dynamically written to the page and elsewhere where<br />
the DOM is modified or even where scripts are directly executed.<br />
Further examples are described in the excellent DOM XSS article by<br />
Amit Klein, referenced at the end of this section.<br />
References<br />
OWASP Resources<br />
• DOM based XSS Prevention Cheat Sheet<br />
Whitepapers<br />
• Document Object Model (DOM) - http://en.wikipedia.org/wiki/<br />
Document_Object_Model<br />
• DOM Based Cross Site Scripting or XSS of the Third Kind - Amit<br />
Klein http://www.webappsec.org/projects/articles/071105.shtml<br />
• Browser location/document URI/URL Sources - https://code.google.com/p/domxsswiki/wiki/LocationSources<br />
• i.e., what is returned when the user asks the browser for things<br />
like document.URL, document.baseURI, location, location.href, etc.<br />
Testing for JavaScript Execution<br />
(OTG-CLIENT-002)<br />
Summary<br />
A JavaScript Injection vulnerability is a subtype of Cross Site Scripting<br />
(XSS) that involves the ability to inject arbitrary JavaScript code<br />
Black Box testing<br />
Black box testing for JavaScript Execution is not usually performed<br />
since access to the source code is always available as it needs to<br />
be sent to the client to be executed.<br />
Gray Box testing<br />
Testing for JavaScript Execution vulnerabilities:<br />
For example, looking at the following URL: http://www.domxss.<br />
com/domxss/01_Basics/04_eval.html<br />
<br />
function loadObj(){<br />
var cc=eval(‘(‘+aMess+’)’);<br />
document.getElementById(‘mess’).textContent=cc.message;<br />
}<br />
if(window.location.hash.indexOf(‘message’)==-1)<br />
var aMess=”({\”message\”:\”Hello User!\”})”;<br />
else<br />
var aMess=location.hash.substr(window.location.hash.index-<br />
Of(‘message=’)+8);<br />
<br />
The page contains the following scripts:<br />
The above code contains a source ‘location.hash’ that is controlled<br />
by the attacker that can inject directly in the ‘message’ value a JavaScript<br />
Code to take the control of the user browser.<br />
There is a wide range of methods and attributes that could be<br />
used to render HTML content. If these methods are provided with<br />
an untrusted input, then there is an high risk of XSS, specifically<br />
an HTML injection one. Malicious HTML code could be injected<br />
for example via innerHTML, that is used to render user inserted<br />
HTML code. If strings are not correctly sanitized the problem<br />
could lead to XSS based HTML injection. Another method could<br />
be document.write()<br />
When trying to exploit this kind of issues, consider that some<br />
characters are treated differently by different browsers. For reference<br />
see the DOM XSS Wiki.<br />
The innerHTML property sets or returns the inner HTML of an element.<br />
An improper usage of this property, that means lack of<br />
sanitization from untrusted input and missing output encoding,<br />
could allow an attacker to inject malicious HTML code.<br />
Example of Vulnerable Code: The following example shows a<br />
snippet of vulnerable code that allows an unvalidated input to be<br />
used to create dynamic html in the page context:<br />
var userposition=location.href.indexOf(“user=”);<br />
var user=location.href.substring(userposition+5);<br />
document.getElementById(“Welcome”).innerHTML=” Hello,<br />
“+user;<br />
In the same way, the following example shows a vulnerable code<br />
using the document.write() function:<br />
The HTML code will contains the following script:<br />
<br />
<br />
function setMessage(){<br />
var t=location.hash.slice(1);<br />
$(“div[id=”+t+”]”).text(“The DOM is now loaded and can be<br />
manipulated.”);<br />
}<br />
$(document).ready(setMessage );<br />
$(window).bind(“hashchange”,setMessage)<br />
<br />
<br />
Show HereShowing<br />
Message1<br />
Show HereShowing<br />
Message2<br />
Show HereShowing<br />
Message3<br />
<br />
It is possible to inject HTML code.<br />
References<br />
OWASP Resources<br />
• DOM based XSS Prevention Cheat Sheet<br />
• DOMXSS.com - http://www.domxss.com