
Third type of XSS: cross-site scripting through the DOM

We all know what cross-site scripting is, right? It is a vulnerability in which the attacker sends malicious data (usually HTML containing JavaScript code) that the application later returns, causing the JavaScript code to execute. Wrong! There is a type of XSS attack that does not fit this definition, at least not in its fundamental principles. The XSS attacks covered by the definition above are divided into reflected (the malicious data is embedded in the page that is returned to the browser immediately after the request) and stored (the malicious data is returned some time later). But there is also a third type of XSS attack, which is not based on sending the malicious data to the server at all. Although this seems to contradict common sense, there are two well-documented examples of such an attack. This article describes the third type of XSS attack: XSS through the DOM (DOM Based XSS). Nothing essentially new will be said here about the attack itself; the novelty of this material lies rather in pointing out the distinctive features of the attack, which are very important and interesting.


Developers and users of web applications should understand the principles of DOM-based XSS, because it poses a threat to web applications and differs from ordinary XSS. There are many web applications on the Internet that are vulnerable to DOM-based XSS even though they have been tested for XSS and declared "immune" to this type of attack. Developers and site administrators should familiarise themselves with the methods of detecting and protecting against DOM-based XSS, because these techniques differ from those used for standard XSS vulnerabilities.



Introduction


The reader is expected to be familiar with the basic principles of XSS attacks ([1], [2], [3], [4], [8]). XSS usually means reflected ([3]) or stored ([4]) cross-site scripting. In reflected XSS the malicious code (JavaScript) is returned by the attacked server immediately, in the response to the HTTP request. Stored XSS means that the malicious code is saved on the attacked system and can later be embedded in an HTML page of the vulnerable system. As mentioned above, this classification assumes that a fundamental property of XSS is that the malicious code is sent from a browser to the server and comes back to the same browser (reflected XSS) or to some other browser (stored XSS). This article raises the question of why this classification is incorrect. The possibility of an XSS attack that does not rely on embedding code in a page returned by the server has serious consequences for methods of protection and detection. The principles of such attacks are discussed in this article.

Example and comments


Before describing the simplest attack scenario it is important to stress that the methods described here have already been demonstrated publicly several times (for example, [5], [6] and [7]). I do not claim that the techniques given below are described here for the first time (although some of them differ from earlier published material).

A sign that a site may be vulnerable is an HTML page that uses data from document.location, document.URL or document.referrer (or any other object the attacker can influence) in an unsafe way.


A note for readers unfamiliar with these JavaScript objects: when JavaScript code runs in a browser, it has access to several objects provided by the DOM (Document Object Model). The document object is the main one and gives access to most properties of the page. It contains many nested objects, such as location, URL and referrer. These are populated by the browser according to the browser's point of view (as will be seen below, this is quite essential). So document.URL and document.location contain the URL of the page, or more precisely what the browser considers the URL to be. Note that these objects are not taken from the HTML body of the page. The document object also contains the body object, which holds the parsed HTML code of the page.


It is not hard to find an HTML page containing JavaScript code that parses the URL string (accessed through document.URL or document.location) and performs some client-side action depending on its value. An example of such code is given below.


By analogy with the example in [2], consider the following HTML page (assume it is the content of http://www.vulnerable.site/welcome.html):



<HTML>
<TITLE>Welcome!</TITLE>
Hi
<SCRIPT>
// everything after "name=" in the page's own URL is written into the page unescaped
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT>
<BR>
Welcome to our system
</HTML>


However, a request such as


http://www.vulnerable.site/welcome.html?name=<script>alert(document.cookie)</script>


would cause XSS. Let us see why: the victim's browser, having received this link, sends an HTTP request to www.vulnerable.site and receives the (static!) HTML page shown above. The victim's browser starts parsing this HTML code. The DOM contains the document object, which has a URL field, and this field is populated with the URL of the current page while the DOM is being built. When the parser reaches the JavaScript code, it executes it, which modifies the HTML of the displayed page. In this case the code refers to document.URL, and since part of that string is embedded into the HTML during parsing and is itself parsed immediately, the embedded code (alert(…)) executes in the context of the same page.


Remarks:


1. The malicious code is not embedded in the HTML page by the server (unlike the other kinds of XSS).

2. This exploit works only if the browser does not modify the URL characters. Mozilla automatically encodes '<' and '>' (as %3C and %3E respectively) in the nested document objects when the URL is typed directly into the address bar, so this browser is immune to the attack described in this example. However, if an attack does not need '<' and '>' (in their raw, unencoded form), it can still be carried out. Microsoft Internet Explorer 6.0 does not encode '<' and '>' and is therefore vulnerable to the described attack without any restrictions. And there are many attack scenarios that do not require '<' and '>', so even Mozilla is not immune to this attack.



Methods of detecting and preventing vulnerabilities of this type


In the example above the malicious code still passes through the server (as part of the HTTP request), so the attack can be detected just like any other XSS attack. But this obstacle is easily overcome.


Consider the following example:


http://www.vulnerable.site/welcome.html#name=<script>alert(document.cookie)</script>


Note the '#' character to the right of the file name. It tells the browser that everything after that character is not part of the request. Microsoft Internet Explorer (6.0) and Mozilla do not send the fragment after the '#' character to the server, so for the server this request is equivalent to http://www.vulnerable.site/welcome.html, i.e. the server does not see the malicious code at all. Thanks to this trick, the browser never sends the malicious payload to the server.


Still, in some cases the payload cannot be hidden: in [5] and [6] the malicious payload is part of the user name in a URL of the form http://username@host/. In this case the browser sends the request with an Authorization header containing the user name (the malicious payload), so the malicious code does reach the server (Base64-encoded, so an IDS/IPS must first decode this data in order to detect the attack). However, the server does not have to embed this payload in any of the HTML pages it serves, even though such embedding is a necessary condition for an XSS attack in the usual sense.


Obviously, in situations where the payload can be hidden completely, detection tools (IDS) and prevention tools (IPS, web application firewalls) cannot fully protect the application from this attack. Even when the payload must be sent to the server, in many cases it can be transformed to evade detection. For example, if a specific parameter is protected (say, the name parameter in the example above), a small change to the attack scenario can do the job:


http://www.vulnerable.site/welcome.html?notname=<script>alert(document.cookie)</script>


A stricter security policy would require the name parameter to be sent. In that case the following request can be made:


http://www.vulnerable.site/welcome.html?notname=<script>alert(document.cookie)</script>#name=Joe


If the security policy also restricts the additional parameter names (for example, to foobar), the following variant can be used:


http://www.vulnerable.site/welcome.html?foobar=name=<script>alert(document.cookie)</script>#name=Joe


Note that the ignored parameter (foobar) must come first and carry the payload in its value.


The attack scenario described in [7] is even more convenient for the attacker, because the HTML page uses the full value of document.location (the JavaScript code does not look for a specific parameter name). The attacker can therefore hide the payload completely by sending the following:


/attachment.cgi?id=&action=foobar#<script>alert(document.cookie)</script>


Even when the payload is inspected by the server, protection is guaranteed only if the request is rejected or the response is replaced with some error text. Returning to [5] and [6]: if the Authorization header is simply removed by an intermediate protection system, that has no effect as long as the original page is still returned. Likewise, any attempt to process the data on the server by removing or encoding forbidden characters is ineffective against this attack.


In the case of document.referrer, the payload is sent to the server in the Referer header. But if the user's browser or an intermediate protection device strips this header, no trace of the attack remains, and it can pass completely unnoticed.
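To make the fragment and parameter examples above concrete, here is an added example (not code from the article) that, for the article's own sample requests, separates what the browser transmits to the server from what the vulnerable welcome.html script reads out of document.URL, and runs a naive server-side filter of the kind the article says cannot see a fragment-borne payload. The function names and the simplified "server view" are assumptions of this example; percent-encoding of '<' and '>' by the browser (remark 2 above) is ignored.

```javascript
// Added example, not the article's code: what reaches the server versus what
// the vulnerable page reads from document.URL. Names and the simplified
// "server view" are assumptions of this example.

// Everything from the first '#' onward is the fragment identifier; the browser
// keeps it locally and never puts it in the HTTP request.
function serverSideView(url) {
  const hash = url.indexOf("#");
  return hash === -1 ? url : url.substring(0, hash);
}

// Server-side parameter inspection: value of a named query parameter, or null
// if that parameter never reached the server.
function serverParam(url, param) {
  const query = serverSideView(url).split("?")[1];
  if (query === undefined) return null;
  for (const pair of query.split("&")) {
    const eq = pair.indexOf("=");
    const key = eq === -1 ? pair : pair.substring(0, eq);
    if (key === param) return eq === -1 ? "" : pair.substring(eq + 1);
  }
  return null;
}

// A server-side filter that inspects only the "name" parameter: the policy the
// article's "notname" variant is designed to slip past.
function serverFilterRejects(url) {
  const value = serverParam(url, "name");
  return value !== null && /<script/i.test(value);
}

// The article's vulnerable client-side extraction: the substring after the
// first "name=" anywhere in document.URL, fragment included.
function clientExtract(url) {
  const pos = url.indexOf("name=") + 5;
  return url.substring(pos, url.length);
}

// Would document.write() of that substring put a <script> tag into the page?
function pageExecutesPayload(url) {
  return /<script/i.test(clientExtract(url));
}

// Constructed from the article's examples.
const SAMPLES = [
  "http://www.vulnerable.site/welcome.html?name=<script>alert(document.cookie)</script>",
  "http://www.vulnerable.site/welcome.html#name=<script>alert(document.cookie)</script>",
  "http://www.vulnerable.site/welcome.html?notname=<script>alert(document.cookie)</script>",
];

for (const url of SAMPLES)
  console.log(serverSideView(url), serverFilterRejects(url), pageExecutesPayload(url));
```

Only the first sample is visible to the server-side filter, yet all three end up writing a script tag into the page, which is why server logs and request filters alone cannot detect this class of attack.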


In summary, the traditional methods, namely


1. HTML-encoding the data on the server side

2. Removing or encoding forbidden input data on the server side

do not work against DOM XSS.


Automated vulnerability scanning by "bombarding" the application with malicious data (sometimes called fuzzing) will not work either, because the tools using this technique usually draw their conclusions from whether the injected data appears in the returned page (rather than executing the code in a browser context on the client side and observing the results). However, if the tool can statically analyse the JavaScript code found on the page, it can point out suspicious patterns (see below). And of course, if a protection tool can execute JavaScript code (correctly initialising the DOM objects) or emulate such execution, it can detect this attack.


Manual vulnerability testing with a browser will also work, because the browser can execute client-side JavaScript code. Vulnerability scanners can take advantage of this method and execute the code on the client side to track the results of its execution.

Effective protection


1. Avoid rewriting the document, redirecting, or similar client-side actions that use client-side data. Most of these actions can instead be performed with dynamic pages (on the server side).

2. Analyse and harden the client-side (JavaScript) code. References to DOM objects that the user (attacker) can influence should be checked carefully. Particular attention should be paid to the following objects (but not only to them):

* document.URL
* document.URLUnencoded
* document.location (and its properties)
* document.referrer
* window.location (and its properties)


Note: properties of the document and window objects can be referenced in several ways: explicitly (for example window.location), implicitly (for example location) or by obtaining a handle and using it (for example handle_to_some_window.location).


Particular attention should be paid to code where the DOM is modified, explicitly or potentially, whether by writing directly to the HTML or by direct access to the DOM. Examples (by no means an exhaustive list):

* Writing to the page's HTML:

o document.write(…)
o document.writeln(…)
o document.body.innerHTML=…

* Modifying the DOM directly (including DHTML events):

o document.forms[0].action=… (and other variations)
o document.attachEvent(…)
o document.create…(…)
o document.execCommand(…)
o document.body.… (access to the DOM through the body object)
o window.attachEvent(…)

* Changing the document's URL:

o document.location=… (and also assigning the href, host and hostname properties of the location object)
o document.location.hostname=…
o document.location.replace(…)
o document.location.assign(…)
o document.URL=…
o window.navigate(…)

* Opening or modifying a window:

o document.open(…)
o window.open(…)
o window.location.href=… (and also assigning the host and hostname properties of the location object)

* Executing a script directly:

o eval(…)
o window.execScript(…)
o window.setInterval(…)
o window.setTimeout(…)


Returning to the example above, for effective protection the original script can be replaced with the following code, which checks that the string written into the HTML page contains only alphanumeric characters.



<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
var name=document.URL.substring(pos,document.URL.length);
// allow only letters and digits, over the whole string, before writing it into the page
if (name.match(/^[a-zA-Z0-9]+$/))
{
document.write(name);
}
else
{
window.alert("Security error");
}
</SCRIPT>


Such functionality can (and probably should) be implemented through a generic data-validation library (i.e. a set of JavaScript functions that check or sanitise input data). A drawback of this approach is that the workings of the protection are visible to the attacker, since it is implemented in the HTML code. This simplifies analysing and planning the attack. In the example above the situation is simple enough, whereas in more complex scripts the protective checks are far from perfect, which leaves room to look for ways around them.
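The hardened script above, as an added example (not code from the article) rewritten into pure, testable functions of the kind such a validation library would hold, together with two edge cases raised by the remarks earlier: browsers that percent-encode '<' and '>' in document.URL, and pages that decode the value before writing it. The function names and the escaping helper are assumptions of this example.

```javascript
// Added example, not the article's code: the allow-list check as reusable
// functions, validating after any decoding and escaping on output.

// Same extraction the page performs: everything after the first "name=".
function extractName(url) {
  const pos = url.indexOf("name=");
  return pos === -1 ? "" : url.substring(pos + 5);
}

// The article's allow-list: only letters and digits, anchored at both ends
// and applied to the whole string (the + quantifier matters).
function isSafeName(name) {
  return /^[a-zA-Z0-9]+$/.test(name);
}

// Validate AFTER whatever decoding the page applies: checking the encoded
// form and then decoding would let %3Cscript%3E through as <script>.
function safeNameFromUrl(url, decode) {
  let name = extractName(url);
  if (decode) {
    try { name = decodeURIComponent(name); } catch (e) { return null; }
  }
  return isSafeName(name) ? name : null;
}

// Defence in depth: even an allow-listed value is written with HTML
// metacharacters escaped instead of as raw markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// The HTML fragment the page would write, or the article's error text.
function renderGreeting(url, decode) {
  const name = safeNameFromUrl(url, decode);
  return name === null ? "Security error" : "Hi " + escapeHtml(name);
}

console.log(renderGreeting("http://www.vulnerable.site/welcome.html?name=Joe", false));
console.log(renderGreeting("http://www.vulnerable.site/welcome.html#name=<script>alert(document.cookie)</script>", false));
```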

3. Use strict IPS rules under which, for example, the page welcome.html is allowed to receive a single parameter named "name", whose value is checked, and any deviation (including extra parameters or missing parameters) results in the original page not being served, as does any other violation (for example Authorization or Referer headers containing problematic data). Even so, in some cases such measures do not guarantee complete protection against the attack.



A note on redirection vulnerabilities


This article is about XSS, but in many cases the mere use of a client-side script to (unsafely) redirect the browser to another resource is itself considered a vulnerability. In such cases the methods and observations above also apply.



Conclusion


Although most publicly described XSS attacks rely on embedding user data in the returned HTML page, there are XSS attacks that do not rely on embedding data on the server side. This is of great importance when discussing ways of detecting and preventing XSS. Until now almost all publicly described techniques have assumed that XSS consists of the server receiving malicious data from the user and embedding it in an HTML page. Since this assumption does not hold (or holds only in part) for the XSS attacks described in this article, existing techniques will fail to detect and prevent attacks of this type.


XSS attacks based on embedding user data on the server side are divided into reflected and stored. I propose to call the third type of XSS, which does not require data to be embedded on the server side, XSS through the DOM (DOM Based XSS).




© Web Development Company Conkurent, LLC 2008-2009. All rights reserved.