graps XSS or Cross-Site Scripting has become one of the most popular web applications are gaps come in third place according to the classification OWASP site for 10 months and more gaps prevalent in Web applications for the year 2013.
It is true that the gaps are not XSS vulnerabilities high risk because they do not directly affect the site or server, but rather affect on the client side of the Client Side or user, and you need to add a bit of social engineering even up to a strong attack through them.
But this does not prevent the gaps XSS was a cause essential to penetrate the largest companies and international locations as happened months ago with private forums located ubuntu famous and has been stealing information about the two million user by exploiting a loophole XSS Active as the gaps the Xss also been a cause a major breakthrough in the Apple site for developers during the same period. It is certain that this kind of gaps may pose a risk much greater than the gravity of the SQL Injection gaps in the case that the hacker exploit are intelligent and strong.
Our topic today where we will talk mainly on a different kind of thing some gaps and that the XSS-called Dom-Based XSS and it may be many who read this article did not recognize this kind of gaps xss or know him only in name.
It is well known that when all of the most popular types of XSS flaws are what are called the Reflected XSS and the Stored XSS.
But there are also other types of the same effect for XSS flaws such as the Flash XSS and Dom-Based XSS and the last is that we will talk about today in this article, God willing.
What is the idea of gaps XSS and how it works?
As we know gaps XSS is dangerous to modify the content of the web pages that appear to the user and by injection codes HTML or Javascript, as if you are exactly the amendment on the files, html, javascript for the site through one programs of your web page editor. Fetgrat XSS help the hacker to modify the Web pages and pages work forged while retaining the same page link and domain, as exploited by some to steal Sessions or the Cookies for users and is considered the most dangerous exploit gaps XSS and through the use of a function of JavaScript that can read evidence cookies like document.cookie and also Hackers used the XSS others gaps in penetrating pages of the site if the gap-type Stored Xss.
Let's first review the modus operandi of XSS even Imkna then understand the idea of gaps Dom Based Xss easily, simply gaps XSS occurs when the user Parcel entrance of the page and the page to take this entrance from the user and display it as it is directly in HTML by functions of programming, for example, print and echo
A very simple example on that page that requires the user to enter his name Profile
And enters her name
Ahmed Aboul-Ela
After that you view the sentence " Welcome Ahmed Aboul-ELa "
And if we reviewed the html code will be as follows
Beautiful, but what will happen if you enter a name for the page is accompanied by a special pal html tags, for example, this Name
<h1> Ahmed Aboul-ELA </ h1>
Simply the result will be as follows
And if we reviewed the html code this time will be as follows
If now clear we have a problem, clearly, when you typed the name is accompanied by the tags own pal html browser here did not understand that this is just the name of the person, but he has translated codes html in the name and was introduced as required and then change the form of the name in the page and become a larger font . If the whole problem was that the page took the name from the user and shown directly without any verification of that name may contain special codes pal HTML.
Let us now here we define who is responsible for taking the name of the user on the page and is responsible for showing the name in the html, in this case, is responsible for taking the name is a function of $ _POST in php programming language and is responsible for showing the name in the html is a function of echo. Now this introduction was necessary for us so that we can understand the idea of the work of dom-based xss in the next section.
What are the gaps Dom Based Xss and how does it work?
XSS flaws simply do not differ much in Mvanmoha gaps refelected xss, but the difference between them and XSS flaws in the method and manner, as we mentioned in the gaps xss traditional entrance of the reception of the user is the PHP language by a function of $ _POST or $ _GET which can read through the input form on a page or through a link. But in case of Dom-Based van from taking the entrance of the user is the javascript functions and prints from the entrance is also the javascript functions without the need for any other programming languages or even a web server to translate and play the files.
Will call functions that are taking the entrance of user functions are the sources and the functions that you print this portal and are shown in the html sinks . And now we begin to explain some of the functions of sources and sinks and see how we can then lead to gaps XSS.
What are the functions Sources?
Functions are functions of the sources in the language of javascript and through which it can send you to the entrance of the page in this case often be the entrance of the sender user through page link or url, for example, we have the following link:
http://site.com/home/file.html?name=ahmed # Securtiy4arabs
It is possible through these functions that you read the entire page link or page only path home / file.html / or the value of the name or hash entrance ahmed crown security4arabs exactly like the work of link analysis and divided into parts, the part is a page path and file name of the page and part variables or parameters are sent to the page
And can be done through javascript by simply following functions:
Functions you read the entire page link
- document.URL
- document.documentURI
- document.URLUnencoded
- document.baseURI
- location
- location.href
An example of this I am writing a page containing JavaScript code follows:
<script>
alert (location.href);
</ script>
And then I run the page, and the result is as follows:
We note that the page has to show msg box contains a link page that you have played as we have left in the file html, and the same will be the case with the rest of the functions that we mentioning, will appear in full page link, now's address to another function which reads the name of the page only, without input or the name of the domain.
Functions you read the name of the page and track
location.pathname
With the use of the same code page and just replace the former name of the function as the function becomes location.href we have the following result
The idea is simple is not it? Some are now completing the other functions, which can read part of the previous page link Kaldoual.
Functions you read or input parameters only sent to the page
- location.search
An example of this page you run this function and sent them some input, for example,
http://site.com/page.html?name=ahmed
The result is as follows:
Finally, we mention the function used in many locations and is a function that read the hashtag # in link
Functions you read HashTag
- location.hash
We run the page again, this function and see the result
We only link to open the page with the addition of # Ahmed Aboul-Ela at the end of the link and the page showing only that part of the link now we got to all the functions, sources now proceed to the functions that can show these sources in director Page
What are the functions Sinks?
Sinks functions simply as mentioned is responsible for a show and write the value sent through a function of the sources functions exactly as a function of print in programming languages
Functions of the sinks are not difficult and I will mention the most important
- Document.write hash and doucment.writeln
Is a function equivalent to the print function in programming languages whereupon prints speak directly within HTML code
An example of this page containing the following HTML code
<script>
document.write ('hello world');
</ script>
The result will be as we have in the picture
- Hash anyElement.innerHTML
This function simply by reading or writing the code inside the page in a specific Tag
For example document.body.innerHTML will read the content of <body> </ body> fully
And if you do document.body.innerHTML = 'ahmed' will be doing a complete replacement for the content of the crown body and writing the word Ahmed
An example of this Code Next Page
<html>
<body>
Just a text in body tag
<script>
Document.body.innerHTML = 'Www.security4arabs.com';
</ script>
</ body>
</ html>
When you run the JavaScript page will change the original content of the page
and it's written Just a text in body tag word www.security4arabs.com
and it's written Just a text in body tag word www.security4arabs.com
We also note did not appear sentence just a text in body tag now we got to the most important functions html sinks and that you can write the words on the page and we got to the functions Sources that can send the entrance to page through the link
Now we address the last step and how are gaps dom based xss through these functions
How gaps occur Dom-Based Xss using functions Sources and Sinks
As we have stated in the past that xss occurs when a user sends to the portal page and the page to take the entrance and introduced directly into the page
, and we now know us how it is possible that you read part of the link page as input and we learned how we could no talk through javascript within the page
, and we now know us how it is possible that you read part of the link page as input and we learned how we could no talk through javascript within the page
If now checks for a minimum both sides of the equation that are causing gaps XSS, see in the next section how can you perform XSS vulnerability only through Javascript
Will recount more than rhetoric and let's move directly to the next page code and see what to do
<html>
<body>
<script>
Document.body.innerHTML = Location.hash;
</ script>
</ body>
Now only given the code page can understand what to do
Simply page you write location.hash and is # hash crown, which comes at the end of page link inside <body> </ body>
Now we open the page through the browser and send it any words after the # to see if this is true or not.
I've had a beautiful page print the hash tag as when we wrote and change the word Test will change the result in the page
Ok now what would happen if we sent word test accompanied Becuad html or javascript?
Such will be sent to a page Xss Payload Kalnala:
<img src=x onerror=alert(1337)>
Let's see the result 
Did you notice what happened? Now proven to be a minimum gap xss clearly and alert code was run for 1337 this was just a simple example illustrates our idea of the gaps Dom-Based Xss
this was just a simple example illustrates our idea of the gaps Dom-Based XssNow one might ask me Do you think that such gaps may be present in many locations!?
Yes, of course, the answer Fetgrat Dom Based Xss appeared in the larger global sites such as google, microsoft, yahoo, Adobe and many others
And this is an example of one of the gaps that you heading off myself and reported by the company Redhat
And the gap was in the main registration page to create accounts for the site redhat.com
How can discover gaps Dom Based Xss?
Discover gaps Dom-Based Xss is not an easy process because they need to examine and scrutinize the codes Javascript and most sites now use a lot of codes Javascript up code where the thousands of lines and it will become difficult to doing so and examine these codes manually
But he became there are tools to help discover such gaps and of the most famous and most powerful of these tools is a tool Dominitor, but they are not free, unfortunately, and the tool is a browser firefox rate can Ptba the Dom pages and can discover the sinks and sources Once you visit the page through the browser
ليست هناك تعليقات:
إرسال تعليق