Reflected DOM Injection

From OWASP
Revision as of 17:32, 5 August 2013

Reflected DOM Injection, or RDI, is a form of Stored Cross-Site Scripting.

The outline of the attack is as follows:

  1. Crawler G retrieves data elements from attacker page A and commits those contents to persisted storage as G[A] (e.g., a database row).
  2. End user visits application T. Application T's persisted storage is the set of {G}.
  3. End user's interaction with application T results in invocation of JavaScript code whereby G[A] is retrieved, and due to a failure to neutralize the content in G[A] either prior to its persisted storage or during JavaScript execution from the DOM, G[A] is executed as active code instead of being properly interpolated as a scalar-like primitive data value or closure-guarded object data.

Maturely programmed crawlers often attempt to strip malicious data from crawled resources prior to persistent storage. Additionally, maturely programmed applications often utilize output escaping or JavaScript sandboxing to prevent crawled data from being executed instead of rendered. However, obfuscation of data on a crawled resource may sidestep detection, and reliance strictly on crawler sanitization of crawled resources may result in stored cross-site scripts executing if the target JavaScript context does not actively defend against it. In summary, when the attack succeeds, it does so because of improper data validation.
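The three steps above and the sanitization paragraph both turn on the point where G[A] crosses from data into code inside application T. As an added example (not code from the OWASP page or from the cited presentations), the following JavaScript shows the vulnerable DOM sink beside its hardened form; the stored snippet and the document stub are constructed assumptions so the block runs offline.

```javascript
// Added example, not code from the OWASP page: the sink in target application
// T that turns crawled content G[A] into code, beside the sink that keeps it
// data. `doc` is injected so the same functions run against the real browser
// `document` or, as below, against a small stub for offline testing.

// Constructed stand-in for the row crawler G stored from attacker page A.
// Whatever stripping G applied upstream, T must still treat it as opaque text.
const STORED_GA = 'Cheap tickets <img src=x onerror="alert(1)"> book now';

// Output escaping for server-side or template rendering into HTML text and
// quoted attribute contexts; renderSafe below is the DOM-side equivalent.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable sink: innerHTML parses G[A] as markup, so the event-handler
// attribute becomes live script in T's origin. Shown only as the contrast case.
function renderUnsafe(doc, stored) {
  const div = doc.createElement('div');
  div.innerHTML = stored;
  return div;
}

// Hardened sink: textContent stores G[A] as one text node; any markup inside
// it is displayed literally and never parsed.
function renderSafe(doc, stored) {
  const div = doc.createElement('div');
  div.textContent = stored;
  return div;
}

// Minimal document stub (an assumption for running outside a browser). It
// models only how each sink serializes: innerHTML keeps the raw string, while
// a text node is serialized with &, < and > escaped, as browsers do.
function makeDocumentStub() {
  return {
    createElement(tag) {
      let html = '';
      return {
        set innerHTML(v) { html = String(v); },
        set textContent(v) { html = String(v).replace(/[&<>]/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;' })[c]); },
        get outerHTML() { return `<${tag}>${html}</${tag}>`; },
      };
    },
  };
}

const doc = typeof document !== 'undefined' ? document : makeDocumentStub();
console.log(renderUnsafe(doc, STORED_GA).outerHTML); // <img ...> is live markup
console.log(renderSafe(doc, STORED_GA).outerHTML);   // &lt;img ...&gt; is text
```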

Arshan Dabirsiaghi surmised that vulnerability to this attack would eventually surface in popular search engines during his presentation at OWASP NYC AppSec 2008 and AppSec Europe 2008, Next Generation Cross Site Scripting Worms (see also Building and Stopping Next Generation XSS Worms (May 8, 2008), last accessed August 5, 2013). Daniel Chechik and Anat Davidi confirmed Dabirsiaghi's surmisal by demonstrating such vulnerability in the Google Translate web application and Yahoo! cached page results during the DEF CON 21 security conference in their August 2013 Utilizing Popular Websites for Malicious Purposes Using RDI presentation.

The DOM-based XSS Prevention Cheat Sheet provides guidance against this attack.