07 Mar 2024

DOM XSS using web messages and a JavaScript URL

Attack Description:

Web Messages (postMessage):

Feature Description: Web Messages, implemented through the postMessage method, allow communication between different windows or iframes within a browser, even if they originate from different origins.

Exploitation: An attacker can abuse this feature to send malicious messages to a vulnerable webpage, potentially leading to DOM XSS.

JavaScript URL:

Feature Description: A JavaScript URL is a URL that begins with the javascript: scheme followed by JavaScript code. When executed, it runs the embedded JavaScript code in the context of the current page.

Exploitation: An attacker can construct a JavaScript URL that contains malicious code and attempt to execute it within the target webpage.

Attack Steps:

Malicious Site Setup:

The attacker creates a malicious webpage containing a script with a JavaScript URL payload, designed to perform malicious actions.

Target Site with Web Messages:

The attacker identifies a target webpage that uses the postMessage method to communicate with iframes or windows.

Sending Malicious Web Message:

The attacker opens a communication channel by embedding the target page in an iframe on their malicious page.

Using postMessage, the attacker's page then sends a web message containing the JavaScript URL payload to the framed target page.

Execution of JavaScript URL:

The JavaScript URL is executed within the context of the target site, potentially leading to DOM-based Cross-Site Scripting (XSS).

The injected script can manipulate the DOM, steal sensitive information, or perform other malicious actions within the target site.

Exploitation examples

To better understand the DOM XSS using web messages and a JavaScript URL vulnerability, let’s take a look at one of the labs from PortSwigger, a well-known web security company. This lab demonstrates a DOM XSS using web messages and a JavaScript URL vulnerability.

Open “View Page Source”, then press Ctrl+F and search for “message”.

Then go back to the “Home” page, open the inspector (Q), go to the console and enter the following. The indexOf result shows that the check being tested only finds the substring “http:” somewhere in the string (here at index 27); it does not verify the URL's actual scheme:

    let url = "javascript:console.log(1)//http:"
    undefined
    url = "javascript:console.log(1)//http:"
    'javascript:console.log(1)//http:'
    url.indexOf("http:")
    27

Then take the lab URL from the home page and place it in the following exploit:

    <iframe src="https://0a7f00bd04c734be807ac1f100960077.web-security-academy.net/" onload="this.contentWindow.postMessage(`javascript:print();//http:`, `*`)">

Use this exploit and the print() function is called in the target page, confirming that the JavaScript URL was executed.

Scanners that detect vulnerabilities

Burp Suite:

Description: A powerful web application security testing tool that includes features for scanning, crawling, and analyzing web applications.

OWASP Zed Attack Proxy (ZAP):

Description: An open-source security testing tool designed to find vulnerabilities in web applications.

WebGoat:

Description: A deliberately insecure web application maintained by OWASP, designed for learning and practicing application security testing.

DVWA (Damn Vulnerable Web Application):

Description: A vulnerable web application used for practicing penetration testing skills.

BeEF (Browser Exploitation Framework):

Description: A penetration testing tool focused on web browsers, allowing for testing against various client-side vulnerabilities.

SecurityHeaders.io:

Description: A web-based tool to check the security headers of a given website, including Content Security Policy (CSP).

DOMPurify:

Description: A JavaScript library that helps prevent DOM-based XSS attacks by sanitizing HTML and preventing the execution of malicious scripts.

Netsparker:

Description: A web application security scanner that can identify and report vulnerabilities in web applications, including DOM-based XSS.

XSSHunter:

Description: A tool for tracking and capturing cross-site scripting (XSS) vulnerabilities in real time.

Average CVSS score

Assigning a specific Common Vulnerability Scoring System (CVSS) score for “DOM XSS using web messages and a JavaScript URL” is challenging without specific details about a particular vulnerability. The CVSS score depends on various factors, including the impact, exploitability, and mitigating factors specific to each vulnerability.

CWE information

DOM XSS (CWE-79):

Description: DOM XSS (Cross-Site Scripting) occurs when client-side scripts manipulate the Document Object Model (DOM) in an insecure way, allowing an attacker to inject and execute malicious scripts.

CWE Identifier: CWE-79 (Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’))

Web Messages (CWE-1156):

Description: Web Messages, implemented through the postMessage method, allow communication between different windows or iframes within a browser, even if they originate from different origins.

CWE Identifier: CWE-1156 (Origin Validation Error)

JavaScript URL (CWE-94):

Description: JavaScript URLs are URLs that begin with the javascript: scheme followed by JavaScript code; when executed, they run the embedded JavaScript code in the context of the current page.

CWE Identifier: CWE-94 (Improper Control of Generation of Code (‘Code Injection’))

Conclusion and Mitigation

DOM XSS using web messages and a JavaScript URL represents a critical security vulnerability that allows attackers to inject and execute malicious scripts within the Document Object Model (DOM) of a web application. By exploiting the communication between different windows or iframes through web messages and leveraging JavaScript URLs, attackers can potentially manipulate the content and behavior of a targeted webpage, leading to severe consequences such as data theft, unauthorized actions, or the compromise of sensitive information.

Mitigation Strategies:

Input Validation and Output Encoding:

Implement strict input validation to ensure that user inputs are sanitized and adhere to expected formats.

Apply output encoding to sanitize user inputs before displaying them in the browser, preventing the execution of injected scripts.

Content Security Policy (CSP):

Implement a robust Content Security Policy that restricts the sources from which scripts can be loaded. Disallow inline scripts and limit script sources to trusted domains.

Web Message Validation:

Validate web messages received using the postMessage method to ensure that they come from trusted sources and contain safe content. Validate the origin and structure of incoming messages.

Frame Ancestors Header (X-Frame-Options):

Set the X-Frame-Options header to DENY or SAMEORIGIN to control whether your web pages can be embedded in iframes. This helps mitigate the risk of exploitation.
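As an added example (not code from this page, from the PortSwigger lab, or from SecurityHeaders.io), the following checker reads a response's headers and reports who may frame the page, combining the CSP frame-ancestors directive from the previous item with the X-Frame-Options header from this one, and carries the weak header set beside the corrected one. The header names and values below are constructed samples.

```javascript
// Added example (not the page's code). Header sets below are constructed samples.

// Parse a Content-Security-Policy value into { directive: [source, ...] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1).map((t) => t.toLowerCase());
  }
  return directives;
}

// Classify who may frame the page: 'denied', 'same-origin', 'restricted'
// (an explicit allowlist) or 'any'. A CSP frame-ancestors directive, when
// present, takes precedence over X-Frame-Options, as the CSP spec requires.
function framingPolicy(headers) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) lower[name.toLowerCase()] = value;

  const csp = lower['content-security-policy'];
  if (csp) {
    const ancestors = parseCsp(csp)['frame-ancestors'];
    if (ancestors) {
      // An empty source list or 'none' forbids every ancestor.
      if (ancestors.length === 0) return 'denied';
      if (ancestors.length === 1 && ancestors[0] === "'none'") return 'denied';
      if (ancestors.length === 1 && ancestors[0] === "'self'") return 'same-origin';
      // '*' or a bare scheme source lets any origin of that scheme frame the page.
      if (ancestors.some((s) => s === '*' || s === 'http:' || s === 'https:')) return 'any';
      return 'restricted';
    }
  }
  const xfo = (lower['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'denied';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  return 'any'; // no framing protection at all
}

// Weak setting: no framing headers, so any site can embed the page and post
// messages to the framed window.
const WEAK_HEADERS = { 'Content-Type': 'text/html' };

// Corrected setting: CSP that forbids inline scripts and all framing, plus
// X-Frame-Options for browsers that predate frame-ancestors.
const CORRECTED_HEADERS = {
  'Content-Type': 'text/html',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
};

// Evaluate both header sets side by side.
function report() {
  return { weak: framingPolicy(WEAK_HEADERS), corrected: framingPolicy(CORRECTED_HEADERS) };
}

console.log(report());
```

Framing protection stops the iframe delivery used in the exploit above, but a page's message listener is still reachable from a window it opened or was opened by, so these headers complement the origin check inside the handler rather than replace it.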

Secure Cross-Origin Communication:

When using web messages for cross-origin communication, implement secure practices such as verifying the origin and ensuring that messages are only accepted from expected sources.
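The following is an added example, not code from this page or from the PortSwigger lab. It places a message handler with the substring check that the console walkthrough above exercises (url.indexOf('http:') > -1, which is what lets javascript:print();//http: through) next to a hardened handler that performs the origin and structure checks described under Web Message Validation and Secure Cross-Origin Communication. The trusted origin https://app.example and the message objects are constructed stand-ins; the code runs as-is in Node or a browser console.

```javascript
// Added example (not the page's or the lab's code). The trusted origin and
// the incoming messages below are constructed stand-ins.
const ALLOWED_ORIGINS = ['https://app.example'];

// Weak check: a substring match anywhere in the string, so a javascript: URL
// with "//http:" appended passes even though it is not an http(s) URL.
function weakCheck(url) {
  return url.indexOf('http:') > -1 || url.indexOf('https:') > -1;
}

// Hardened check: (1) the sender's origin must be on the allowlist and
// (2) the URL is parsed so that only its real scheme is consulted; the
// trailing "//http:" no longer matters because the scheme is javascript:.
function hardenedCheck(url, senderOrigin) {
  if (!ALLOWED_ORIGINS.includes(senderOrigin)) return false;
  let parsed;
  try {
    parsed = new URL(url); // absolute URLs only; relative input throws
  } catch (err) {
    return false;
  }
  return parsed.protocol === 'https:';
}

// Shared handler body: returns the URL the page would navigate to, or null.
// `event` needs only the `data` and `origin` properties of a MessageEvent.
function handleMessage(event, check) {
  const url = typeof event.data === 'string' ? event.data : '';
  return check(url, event.origin) ? url : null;
}

// Constructed sample messages: a legitimate one, the lab-style payload from
// an untrusted origin, the same payload claiming the trusted origin, and a
// plain-http link.
const SAMPLE_EVENTS = [
  { data: 'https://app.example/home', origin: 'https://app.example' },
  { data: 'javascript:print();//http:', origin: 'https://attacker.example' },
  { data: 'javascript:print();//http:', origin: 'https://app.example' },
  { data: 'http://app.example/home', origin: 'https://app.example' },
];

// Run every sample through both checks and report what each would do.
function compareHandlers(events = SAMPLE_EVENTS) {
  return events.map((ev) => ({
    data: ev.data,
    origin: ev.origin,
    weak: handleMessage(ev, weakCheck),
    hardened: handleMessage(ev, hardenedCheck),
  }));
}

// In a browser, register only the hardened handler; in Node this is skipped.
if (typeof window !== 'undefined') {
  window.addEventListener('message', (e) => {
    const target = handleMessage(e, hardenedCheck);
    if (target) location.href = target;
  }, false);
}

console.table(compareHandlers());
```

The second sample row is the lab's situation: the weak check navigates to the javascript: URL, the hardened check rejects it twice over (untrusted origin, wrong scheme). The third row shows why the scheme check matters on its own: even a message from the trusted origin must not be allowed to carry a javascript: URL.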

Regular Security Audits:

Conduct regular security audits, including penetration testing, to identify and address vulnerabilities in your web application. Pay specific attention to DOM XSS vulnerabilities associated with web messages and JavaScript URLs.

Security Awareness Training:

Educate developers about secure coding practices and the risks associated with DOM XSS. Ensure that the development team is aware of the specific challenges posed by web messages and JavaScript URLs.

Update and Patching:

Keep all software components, including web servers, frameworks, and libraries, up to date with the latest security patches to address known vulnerabilities.
