Rapid7 Vulnerability & Exploit Database

DOM-based Cross Site Scripting Vulnerability

Back to Search

DOM-based Cross Site Scripting Vulnerability

Severity
6
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:N)
Published
10/31/2006
Created
07/25/2018
Added
10/31/2006
Modified
06/20/2013

Description

The website or application is vulnerable to DOM-based cross-site-scripting (XSS). Cross-site scripting allows a malicious attacker to trick your web application into emitting the JavaScript or HTML code of his choice. This malicious code will appear to come from your web application when it runs in the browser of an unsuspecting user.

Whereas traditional XSS takes advantage of vulnerable back-end CGI scripts to directly emit the code into served pages, DOM-based XSS takes advantage of vulnerable JavaScript scripts which execute directly in the user's browser. For example, a the following vulnerable script can be used to launch an XSS attack:

var loc = document.location + '?gotoHomepage=1'; document.write('<a href="' + loc + '">Home</a>');

In this case, the JavaScript variable "document.location" is under the direct control of an attacker, but it is being written directly into the document content without escaping. An attacker could construct a URL containing <script> tags in it and trick an unsuspecting user into visiting the vulnerable website. A URL such as http://your_application/index.html?"><script>alert(document.cookie)</script> can be constructed that would cause the script above to write the attacker's malicious script tags directly into the user's document, where they will be executed.

An exploit script can be made to:

  • access other sites inside another client's private intranet.
  • steal another client's cookie(s).
  • modify another client's cookie(s).
  • steal another client's submitted form data.
  • modify another client's submitted form data (before it reaches the server).
  • submit a form to your application on the user's behalf which modifies passwords or other application data

The two most common methods of attack are:

  • Clicking on a URL link sent in an e-mail
  • Clicking on a URL link while visiting a website

In both scenarios, the URL will generally link to the trusted site, but will contain additional data that is used to trigger the XSS attack.

Note that SSL connectivity does not protect against this issue.

Solution(s)

  • http-client-side-xss

References

  • http-client-side-xss

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;