DOM Injection Attacks

Besides classic Cross-Site Scripting, where the payload travels to the server and comes back in the response, there is another form of user-agent injection attack that does not depend on the payload being embedded in the response at all, but on the payload reaching the page through the Document Object Model (DOM). The DOM is the standard object model browsers use to represent an HTML document and its metadata in an object-oriented way, and it is exposed to the page's JavaScript code. The most important object is the document object, which holds not only every element of the HTML document but also meta-objects such as URL, URLUnencoded, location (also available as window.location) and referrer, which contain the complete URL of the current document or of the referring one, respectively. Many web applications access the DOM, and some parse the meta-objects just named, which makes them vulnerable to DOM-based injection, as described in http://www.webappsec.org/projects/articles/071105.html. Here is an example of a vulnerable script that is supposed to extract the user's name from the document's URL (by searching for "name=" and returning the string after it):
 
Hello
<script>
// Take everything after the first "name=" in the URL and write it into the page as raw HTML
var pos = document.URL.indexOf("name=") + 5;
document.write(document.URL.substring(pos, document.URL.length));
</script>

Do not think that everyone enters a real name like Joe or Alice; take a look at this user name:

http://www.domain.com/welcome?name=<script>alert(document.cookie)</script>

And if the server filters the parameter name, then xyzname will not be filtered, but the script in the document will use the first occurrence of "name=" it finds, which here is inside xyzname=:
 
http://www.domain.com/welcome?xyzname=<script>alert(document.cookie)</script>&name=Alice
 
Notice the number sign (#) in the next example: it is normally used to refer to a fragment of a document and is never sent to the server, so any server-side check has no effect, yet the local script will still pick up the malicious code.
 
http://www.domain.com/welcome#name=<script>alert(document.cookie)</script>
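The three URL variants above all succeed against the same one-line mistake: the script searches the whole URL for "name=" and writes whatever follows into the page as HTML. The following is an added example, not code from the original article, that puts the vulnerable extraction beside a hardened version as pure functions over a URL string, so it runs outside a browser. The hardened version parses the URL with the standard URL API and reads only the query string (the fragment never appears in searchParams), matches the exact key "name" so xyzname cannot alias it, and renders through textContent rather than document.write. The display-name allow-list and the minimal element stand-in passed to render() are assumptions for this example; the sample URLs are the article's, reused as constructed input.

```javascript
// Added example (not from the original article): the vulnerable indexOf-based
// extraction beside a hardened version, as pure functions over a URL string so
// they can run outside a browser. Sample URLs below are constructed test input.

// Mirrors the article's vulnerable snippet: everything after the first "name="
// is returned as raw markup, regardless of where in the URL it sits
// (query string, a different parameter such as "xyzname", or the fragment).
function vulnerableName(url) {
  const pos = url.indexOf("name=") + 5;
  return url.substring(pos, url.length);
}

// Hardened extraction: parse the URL properly, read the query string only
// (the fragment is never part of searchParams), match the exact key "name"
// so "xyzname" does not alias it, and treat the result as a value, not markup.
function safeName(url) {
  const parsed = new URL(url);
  const name = parsed.searchParams.get("name");
  if (name === null) return null;
  // Allow-list for a display name (assumption for this example): letters,
  // digits, space, dot, apostrophe and hyphen, at most 64 characters.
  return /^[\p{L}\p{N} .'-]{1,64}$/u.test(name) ? name : null;
}

// Render as text, never as HTML. `el` is a minimal stand-in for a DOM element
// here; in a browser it would be document.getElementById("greeting").
function render(el, name) {
  el.textContent = name === null ? "Hello, guest" : `Hello, ${name}`;
  return el.textContent;
}

// Runs the article's three attack URLs plus a benign one through both paths.
function demo() {
  const urls = [
    "http://www.domain.com/welcome?name=Alice",
    "http://www.domain.com/welcome?name=<script>alert(document.cookie)</script>",
    "http://www.domain.com/welcome?xyzname=<script>alert(document.cookie)</script>&name=Alice",
    "http://www.domain.com/welcome#name=<script>alert(document.cookie)</script>",
  ];
  return urls.map((u) => ({
    url: u,
    vulnerable: vulnerableName(u),
    safe: safeName(u),
    rendered: render({ textContent: "" }, safeName(u)),
  }));
}

for (const row of demo()) {
  console.log(row);
}
```

The two fixes matter independently: parsing the query with URLSearchParams alone would still be unsafe if the result were handed to document.write or innerHTML, and writing through textContent alone would still let the fragment-borne value through to the page as visible text. Doing both keeps user-controlled URL data as data at every step, which is the property a server-side filter cannot provide for the # variant because the server never sees it.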
 
To be continued …