Reputation: 109
I have a disagreement with a security auditor, whether a snippet of html/js is vulnerable to XSS or not.
In short this is it:
<html>
<form name="myform" action="page.php" method="post" onsubmit="return validate()">
<input name="field" type="text" size="50" />
<input type="submit" value="Submit" />
</form>
<script>
function validate()
{
  // Read the text field's current value; this is always a string.
  var str = document.myform.field.value;
  // Build the message by concatenation and show it; alert() never evaluates its argument.
  alert("Error in " + str);
  // Cancel the form submission.
  return false;
}
</script>
</html>
So, my auditor says that this can be vulnerable to DOM-based XSS, but has not yet given me an example.
I personally think that it is not, since, because of the + inside alert, str is a string, so it is not executed. For example, if someone enters "document.cookie" in the form and hits submit, the alert box is going to print "Error in document.cookie" (and not the actual cookie).
Upvotes: 3
Views: 1590
Reputation: 91497
The only way this could be a potential threat is if you are including scripts that are not under your control from an untrustworthy source. Such a script could redefine alert to be another function. For example, it could send the data passed to alert to its own servers. It could also replace document.myform.field with an object containing a value property. The alert could thus be made to display a message that looked like a different error message, such as: "Error in authentication. Please go to www.phisherman.com and enter your user name and password."
If you are linking to scripts from untrustworthy sources, you have much greater security concerns than the above.
If you are linking to no such untrustworthy scripts, then no, this is not vulnerable to DOM-based XSS. form.field.value contains a string. It is not evaluated as script, escape characters have no effect, and the string contained in the textbox will be displayed in the alert window. Nothing a user enters in that field could be used to harm your servers or corrupt your data based on the code you've posted.
I'd say that if your auditor is concerned with "DOM-based XSS" wherein a user might cause harm to your servers by manipulating the DOM, your auditor does not know much about the DOM and browser-based JavaScript. A user can crack open a JavaScript console and execute all manner of scripts, including XMLHttpRequests to your server that can be made to look like they came from your own script. Precautions need to be made on the server for those types of attacks. Worrying about the security risks to the DOM or UI from user input in form fields is silly.
Upvotes: 3
Reputation: 413709
There is definitely no XSS problem with that.
What your "validate()" function does is:
1. Copy the value of the form field (an <input> element) to a JavaScript variable.
2. Pass that variable to window.alert().
The "alert()" function always treats its argument strictly as a string. The only "special" character is newline, and all that does is cause text to wrap to a new line.
In particular, note that:
window.alert("<script>var u_r_so_hacked = true;</script>");
will show the "<script>" tags just like that, angle brackets and all.
Upvotes: 2