Reflected DOM Injection - Revision history

Webappsecguy: Clarity

2013-08-05T17:41:43Z

Clarity

Webappsecguy: Clarification of verbiage

2013-08-05T17:33:17Z

Clarification of verbiage

Webappsecguy: Linking to prevention guidance.

2013-08-05T17:32:28Z

Linking to prevention guidance.

Webappsecguy: Cross linking to Data Validation page.

2013-08-05T17:27:34Z

Cross linking to Data Validation page.

Webappsecguy: Citation

2013-08-05T17:16:18Z

Citation

Webappsecguy: Created page with "Reflected DOM Injection, or ''RDI'', is a form of Stored Cross-Site Scripting. The outline of the attack is as follo..."

2013-08-05T16:56:51Z

Created page with "Reflected DOM Injection, or ''RDI'', is a form of Stored Cross-Site Scripting. The outline of the attack is as follo..."

New page

Reflected DOM Injection, or ''RDI'', is a form of [[Cross-site_scripting#Stored_and_Reflected_XSS_Attacks|Stored Cross-Site Scripting]].

The outline of the attack is as follows:

# Crawler G retrieves data elements from attacker page A and commits those contents to persisted storage as G[A] (e.g., a database row).
# End user visits application T. Application T's persisted storage is the set of {G}.
# End user's interaction with application T results in invocation of JavaScript code whereby G[A] is retrieved, and due to a failure neutralize the content in G[A] either prior to its persisted storage or during JavaScript execution from the DOM, G[A] is executed as active code instead of being properly interpolated as scalar-like primitive data value or closure-guarded object data.

Maturely programmed crawlers often attempt to strip malicious data from crawled resources prior to persistent storage. Additionally, maturely programmed applications often utilize output escaping or JavaScript sandboxing to prevent crawled data from being executed instead of rendered. However, obfuscation of data on a crawled resource may sidestep detection, and reliance strictly on crawler sanitization of crawled resources may result in stored cross-site scripts executing if the target JavaScript context does not actively defend against all non-scalar data.

Arshan Dabirsiaghi surmised that vulnerability to this attack would eventually surface in popular search engines during his presentation at [[OWASP_NYC_AppSec_2008_Conference|OWASP NYC AppSec 2008]], ''Next Generation Cross Site Scripting Worms''. Daniel Chechik and Anat Davidi confirmed Dabirsiaghi's surmisal by demonstrating such vulnerability in the Google Translate web application and Yahoo! cached page results during the DEF CON 21 security conference in their August 2013 ''[https://defcon.org/html/defcon-21/dc-21-speakers.html#Chechik Utilizing Popular Websites for Malicious Purposes Using RDI]'' presentation.

[[Category:Attack]]

@@ Line 3: / Line 3: @@
 The outline of the attack is as follows:
-# Crawler G retrieves data elements from attacker page A and commits those contents to persisted storage as G[A] (e.g., a database row).
+# Crawler G retrieves data elements from attacker page A and commits the content to persisted storage as G[A] (e.g., a database row).
 # End user visits application T. Application T's persisted storage is the set of {G}.
-# End user's interaction with application T results in invocation of JavaScript code whereby G[A] is retrieved, and due to a failure neutralize the content in G[A] either prior to its persisted storage or during JavaScript execution from the DOM, G[A] is executed as active code instead of being properly interpolated as scalar-like primitive data value or closure-guarded object data.
+# End user's interaction with application T results in invocation of JavaScript code whereby G[A] is retrieved, and due to a failure neutralize the content in G[A] either prior to its persisted storage or during JavaScript execution at page runtime on the DOM, G[A] is executed as active code instead of being properly interpolated as a scalar-like primitive data value or closure-guarded object data.
-Maturely programmed crawlers often attempt to strip malicious data from crawled resources prior to persistent storage. Additionally, maturely programmed applications often utilize output escaping or JavaScript sandboxing to prevent crawled data from being executed instead of rendered. However, obfuscation of data on a crawled resource may sidestep detection, and reliance strictly on crawler sanitization of crawled resources may result in stored cross-site scripts executing if the target JavaScript context does not actively defend against it. In summary, when the attack is successful, the attack succeeds due to improper [[Data_Validation|data validation]].
+Maturely programmed crawlers often attempt to strip malicious data from crawled resources prior to persistent storage. Additionally, maturely programmed applications often utilize output escaping or JavaScript sandboxing to prevent crawled data from being executed (instead of being safely rendered). Nonetheless, obfuscation of data on a crawled resource may sidestep detection algorithms (although obfuscation may hint at an attempted attack), and reliance strictly on crawler sanitization of crawled resources may result in stored cross-site scripts executing if the target JavaScript context does not actively defend against it. In summary, when the attack is successful, the attack succeeds due to improper [[Data_Validation|data validation]].
 Arshan Dabirsiaghi surmised that vulnerability to this attack would eventually surface in popular search engines during his presentation at [[OWASP_NYC_AppSec_2008_Conference|OWASP NYC AppSec 2008]] and [[OWASP_AppSec_Europe_2008_-_Belgium|AppSec Europe 2008]], ''Next Generation Cross Site Scripting Worms'' (see also ''[https://www.owasp.org/images/1/1b/OWASP-AppSecEU08-Dabirsiaghi.pdf Building and Stopping Next Generation XSS Worms (May 8, 2008)]'', last accessed August 5, 2013). Daniel Chechik and Anat Davidi confirmed Dabirsiaghi's surmisal by demonstrating such vulnerability in the Google Translate web application and Yahoo! cached page results during the DEF CON 21 security conference in their August 2013 ''[https://defcon.org/html/defcon-21/dc-21-speakers.html#Chechik Utilizing Popular Websites for Malicious Purposes Using RDI]'' presentation.

@@ Line 11: / Line 11: @@
 Arshan Dabirsiaghi surmised that vulnerability to this attack would eventually surface in popular search engines during his presentation at [[OWASP_NYC_AppSec_2008_Conference|OWASP NYC AppSec 2008]] and [[OWASP_AppSec_Europe_2008_-_Belgium|AppSec Europe 2008]], ''Next Generation Cross Site Scripting Worms'' (see also ''[https://www.owasp.org/images/1/1b/OWASP-AppSecEU08-Dabirsiaghi.pdf Building and Stopping Next Generation XSS Worms (May 8, 2008)]'', last accessed August 5, 2013). Daniel Chechik and Anat Davidi confirmed Dabirsiaghi's surmisal by demonstrating such vulnerability in the Google Translate web application and Yahoo! cached page results during the DEF CON 21 security conference in their August 2013 ''[https://defcon.org/html/defcon-21/dc-21-speakers.html#Chechik Utilizing Popular Websites for Malicious Purposes Using RDI]'' presentation.
-The [[DOM_based_XSS_Prevention_Cheat_Sheet|DOM-based XSS Prevention Cheat Sheet]] provides guidance against this attack.
+The [[DOM_based_XSS_Prevention_Cheat_Sheet|DOM-based XSS Prevention Cheat Sheet]] provides guidance on defense against this attack.
 [[Category:Attack]]

@@ Line 7: / Line 7: @@
 # End user's interaction with application T results in invocation of JavaScript code whereby G[A] is retrieved, and due to a failure neutralize the content in G[A] either prior to its persisted storage or during JavaScript execution from the DOM, G[A] is executed as active code instead of being properly interpolated as scalar-like primitive data value or closure-guarded object data.
-Maturely programmed crawlers often attempt to strip malicious data from crawled resources prior to persistent storage. Additionally, maturely programmed applications often utilize output escaping or JavaScript sandboxing to prevent crawled data from being executed instead of rendered. However, obfuscation of data on a crawled resource may sidestep detection, and reliance strictly on crawler sanitization of crawled resources may result in stored cross-site scripts executing if the target JavaScript context does not actively defend against it. In summary, the attack succeeds due to improper [[Data_Validation|data validation]]
+Maturely programmed crawlers often attempt to strip malicious data from crawled resources prior to persistent storage. Additionally, maturely programmed applications often utilize output escaping or JavaScript sandboxing to prevent crawled data from being executed instead of rendered. However, obfuscation of data on a crawled resource may sidestep detection, and reliance strictly on crawler sanitization of crawled resources may result in stored cross-site scripts executing if the target JavaScript context does not actively defend against it. In summary, when the attack is successful, the attack succeeds due to improper [[Data_Validation|data validation]].
 Arshan Dabirsiaghi surmised that vulnerability to this attack would eventually surface in popular search engines during his presentation at [[OWASP_NYC_AppSec_2008_Conference|OWASP NYC AppSec 2008]] and [[OWASP_AppSec_Europe_2008_-_Belgium|AppSec Europe 2008]], ''Next Generation Cross Site Scripting Worms'' (see also ''[https://www.owasp.org/images/1/1b/OWASP-AppSecEU08-Dabirsiaghi.pdf Building and Stopping Next Generation XSS Worms (May 8, 2008)]'', last accessed August 5, 2013). Daniel Chechik and Anat Davidi confirmed Dabirsiaghi's surmisal by demonstrating such vulnerability in the Google Translate web application and Yahoo! cached page results during the DEF CON 21 security conference in their August 2013 ''[https://defcon.org/html/defcon-21/dc-21-speakers.html#Chechik Utilizing Popular Websites for Malicious Purposes Using RDI]'' presentation.
 [[Category:Attack]]

@@ Line 7: / Line 7: @@
 # End user's interaction with application T results in invocation of JavaScript code whereby G[A] is retrieved, and due to a failure neutralize the content in G[A] either prior to its persisted storage or during JavaScript execution from the DOM, G[A] is executed as active code instead of being properly interpolated as scalar-like primitive data value or closure-guarded object data.
-Maturely programmed crawlers often attempt to strip malicious data from crawled resources prior to persistent storage. Additionally, maturely programmed applications often utilize output escaping or JavaScript sandboxing to prevent crawled data from being executed instead of rendered. However, obfuscation of data on a crawled resource may sidestep detection, and reliance strictly on crawler sanitization of crawled resources may result in stored cross-site scripts executing if the target JavaScript context does not actively defend against all non-scalar data.
+Maturely programmed crawlers often attempt to strip malicious data from crawled resources prior to persistent storage. Additionally, maturely programmed applications often utilize output escaping or JavaScript sandboxing to prevent crawled data from being executed instead of rendered. However, obfuscation of data on a crawled resource may sidestep detection, and reliance strictly on crawler sanitization of crawled resources may result in stored cross-site scripts executing if the target JavaScript context does not actively defend against it. In summary, the attack succeeds due to improper [[Data_Validation|data validation]]
 Arshan Dabirsiaghi surmised that vulnerability to this attack would eventually surface in popular search engines during his presentation at [[OWASP_NYC_AppSec_2008_Conference|OWASP NYC AppSec 2008]] and [[OWASP_AppSec_Europe_2008_-_Belgium|AppSec Europe 2008]], ''Next Generation Cross Site Scripting Worms'' (see also ''[https://www.owasp.org/images/1/1b/OWASP-AppSecEU08-Dabirsiaghi.pdf Building and Stopping Next Generation XSS Worms (May 8, 2008)]'', last accessed August 5, 2013). Daniel Chechik and Anat Davidi confirmed Dabirsiaghi's surmisal by demonstrating such vulnerability in the Google Translate web application and Yahoo! cached page results during the DEF CON 21 security conference in their August 2013 ''[https://defcon.org/html/defcon-21/dc-21-speakers.html#Chechik Utilizing Popular Websites for Malicious Purposes Using RDI]'' presentation.