DOM-based XSS/tr

DOM tabanlı XSS hakkında
DOM tabanlı XSS ​​(veya tür-0 XSS), istemci tarafındaki betikleri (JavaScript gibi) sayfanın DOM 'u değiştirip bir saldırganın JavaScript çalıştırmasına izin verdiğinde kurbanın tarayıcısında meydana gelen bir saldırı türüdür.

Sunucu çalıştırılabilir JavaScript'i tarayıcıya döndürmediğinden, bu XSS sınıfı Reflective XSS (tip-1 XSS) ve Stored XSS'den (tip-2 XSS) farklıdır. Bunun yerine, sunucu tarafından temizlenmiş veya muhtemelen sunucuya hiç gönderilmemiş veriler, sayfada çalışan mevcut kod tarafından çalıştırılabilir JavaScript'e dönüştürülür.

Örneğin, OWASP web sitesinden şu örnek betiğini düşünün:

... Dilinizi seçiniz: document.write(""+document.location.href.substring(document.location.href.indexOf("default=")+8)+""); document.write("English"); ...

Sayfa, amaçlanan dil dizesi yerine " alert("xss") " olarak ayarlanmış "default" parametresi ile yüklenirse, fazladan betik sayfanın DOM'sine eklenir ve sayfa yüklenirken çalıştırılır.

Önleme
Although JavaScript can be added to MediaWiki sites without a formal code review process, these scripts can put other users in danger if they don't prevent these attacks.

As with standard XSS prevention, you should validate the data coming in when possible, and always escape the data as your script writes out to the page. In order to do this escaping, you should avoid using some methods that make escaping difficult, and instead use methods that make separation of HTML structure and values or text easy.

It can be tempting to use data attributes to provide information for javascript. This is generally good practice, but remember that users are allowed to make elements with arbitrary data attributes too, so any information taken from a data attribute (e.g. using jQuery's ) should be treated as untrusted input and validated.

Avoid
In general, these functions should be avoided if possible. They can be made secure, but require an understanding of how each browser's JavaScript engine works to make sure that all XSS vectors have been mitigated.

Element's  and   methods

JQuery's  method (which uses .innerHTML)

Using user data in jQuery's element creation

jQuery's append method, when you are not certain of the type and value of every node or object you are appending. If it is a string of (apparent) HTML, jQuery will implicitly convert it to an element.

or

Using user data in a string passed to,  , an object's event handler, or   url targets

Using user data in strings that generate CSS

Use
When updating the page's DOM, you should typically use this pattern of functions for creating DOM elements and inserting them into the DOM:

As shown, you can use  to create the element, and any attributes that do not include user-controlled data. You can also use to set the element's attributes.

When you have a correctly constructed element, you can use or  to insert the element into the DOM. But see above; do not use append or appendTo if you do not know exactly what you are appending.

The method can be used to set the text body of an element, and will correctly escape any HTML.

If you're not using jQuery, you can use

Because the JavaScript is able to clearly interpret what strings are meant to represent element names, attribute names, and attribute values, it will correctly escape any HTML characters that may have been inserted into user-controlled data.

Sanitization
There may be times when you will need to mix user-controlled data with HTML. In those cases, you will need to ensure that the user-controlled data is properly escaped for the HTML context where it is being inserted.

For example, inserting data into the text of a div element:

Requires different escaping than if you insert that user-controlled data into the id attribute of the div element.

A list of contexts and escaping rules can be found in the OWASP XSS Prevention Cheat Sheet

For the most simple case (inserting user-controlled data into the text of an element), you can use jQuery's method or.