A brief overview of DOM-based XSS

DOM-based XSS is a form of cross-site scripting attack in which an attacker executes an attack vector through the modification of the browser's Document Object Model (DOM) environment. Unlike stored (persistent) or reflected XSS variants, DOM-based XSS does not involve the attack payload being placed in the server response. As such, server-side checks and validation mechanisms against stored and reflected XSS will not stop DOM-based XSS attacks, because the payload never reaches the server. Note that a website or web application needs to include JavaScript that processes parts of the DOM in a way that allows an attacker to inject an XSS script (typically through the URL), which is then executed by the victim's browser. A more thorough analysis of how DOM-based XSS works is covered in DOM-based Cross-Site Scripting (XSS) Explained.
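The following Node.js script is an added example, not code from the original article or from any of the sites it names. It models the client-side source-to-sink flow described above (a URL fragment read from location.hash and written into an HTML sink), shows three hardened alternatives (a text sink, an allow-list, and JSON.parse in place of eval() for data arriving via top.name), and ends with a coarse, defender-side scan that flags script lines where a DOM source and a dangerous sink appear together. The element object, the sample script and the source/sink lists are constructed for this example; the scan is a review aid, not a substitute for data-flow analysis.

```javascript
// Added example (not from the original article). Models a DOM-based XSS
// source-to-sink flow, hardened alternatives, and a coarse source/sink scan.
// Runs under Node.js; makeElement() is a constructed stand-in for a DOM node.

// Constructed stand-in for a DOM element: enough to show which property was written.
function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// Vulnerable pattern: the attacker-controlled fragment (location.hash) flows
// straight into innerHTML, an HTML sink. The fragment is never sent to the
// server, so server-side filtering cannot intervene.
function renderHashVulnerable(locationHash, el) {
  const name = decodeURIComponent(locationHash.slice(1));
  el.innerHTML = 'Welcome, ' + name;   // markup inside `name` is parsed as HTML
  return el.innerHTML;
}

// Hardened pattern 1: write the value as text, so any markup is shown literally.
function renderHashSafe(locationHash, el) {
  const name = decodeURIComponent(locationHash.slice(1));
  el.textContent = 'Welcome, ' + name; // text sink: no HTML parsing
  return el.textContent;
}

// Hardened pattern 2: when the fragment selects behaviour, allow-list it.
const ALLOWED_TABS = new Set(['overview', 'pricing', 'faq']);
function selectTab(locationHash) {
  const tab = locationHash.slice(1);
  return ALLOWED_TABS.has(tab) ? tab : 'overview';
}

// Hardened pattern 3: data arriving via window.name / top.name is parsed as
// JSON instead of being handed to eval(); anything malformed yields defaults.
function parseOptionsSafe(topName) {
  try {
    const parsed = JSON.parse(topName);
    return parsed && typeof parsed === 'object' ? parsed : {};
  } catch (e) {
    return {};
  }
}

// Coarse defender-side scan: flag lines where a DOM source and a dangerous
// sink appear on the same line. Lists are illustrative, not exhaustive.
const DOM_SOURCES = ['location.hash', 'location.search', 'location.href',
  'document.URL', 'document.referrer', 'window.name', 'top.name'];
const DOM_SINKS = ['innerHTML', 'outerHTML', 'insertAdjacentHTML',
  'document.write', 'eval(', 'setTimeout(', 'setInterval('];

function findSourceToSinkLines(jsText) {
  const hits = [];
  jsText.split('\n').forEach((line, index) => {
    const source = DOM_SOURCES.find((s) => line.includes(s));
    const sink = DOM_SINKS.find((s) => line.includes(s));
    if (source && sink) hits.push({ line: index + 1, source, sink });
  });
  return hits;
}

// Constructed sample script. Lines 1-2 form a real source-to-sink flow split
// across two statements, which a same-line scan misses (a known limitation of
// grep-style review); line 3 is caught; line 4 reads a source into a safe sink.
const SAMPLE_SCRIPT = [
  "var name = decodeURIComponent(location.hash.slice(1));",
  "document.getElementById('greet').innerHTML = 'Welcome, ' + name;",
  "var opts = eval('(' + top.name + ')');",
  "document.title = document.referrer;",
].join('\n');

// Usage: a fragment carrying a tag reaches the HTML sink unchanged in the
// vulnerable path, is kept as plain text in the safe path, and the scan
// reports only the eval() line of the sample script.
console.log(renderHashVulnerable('#%3Cimg%20src%3Dx%3E', makeElement()));
console.log(renderHashSafe('#%3Cimg%20src%3Dx%3E', makeElement()));
console.log(selectTab('#%3Cimg%20src%3Dx%3E'));
console.log(findSourceToSinkLines(SAMPLE_SCRIPT));
```

The scan's miss on the first two sample lines is deliberate: it is exactly the multi-statement flow that tools such as the ones referenced later in this article trace, and that a simple text search cannot.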

DOM-based XSS in the wild

To better understand the implications for web applications vulnerable to DOM-based XSS exploits, this article evaluates some recent attacks and vulnerabilities found on highly frequented websites. Further information on finding DOM-based XSS sources is discussed in Finding the source of a DOM-based XSS Vulnerability with Acunetix WVS.

Gawker Media

Gawker Media, the parent company of websites such as Lifehacker and Gizmodo, was subject to a DOM-based XSS vulnerability affecting the majority of its websites. The vulnerability was discovered by security researcher David Sopas during September 2013. It allowed attackers to take advantage of an un-sanitized location.hash, making DOM-based XSS possible. Gawker promptly reacted by fixing the vulnerability affecting several of its sites in under 24 hours.

Alexa

Alexa Internet Inc., a subsidiary company of Amazon.com, was subject to a DOM-based XSS vulnerability identified by security researcher David Sopas during March 2013. The vulnerability, which took 3 months to fix, allowed attackers to take advantage of the un-sanitized tagSrc variable.

Microsoft®

A number of Microsoft websites have been subject to DOM-based XSS. Security researcher Rafay Baloch identified a DOM-based XSS vulnerability on the Microsoft Dynamics Canadian website, and another vulnerability on the Microsoft Learning website, in November 2012.

Separately, DOM-based XSS vulnerabilities on the Skype and Surface™ product websites were reported by security researcher Mirza Burhan Baig during December 2012.

In June 2013, security researcher David Sopas alerted Microsoft to a DOM-based XSS vulnerability on its Pinpoint® website. The website was making use of a third-party system, Ensighten, which was vulnerable to a DOM-based XSS attack due to the lack of sanitization of the location.hash property, making the company's website vulnerable in the process. All vulnerabilities have since been fixed by Microsoft.

Apple®

In January 2013, Apple's store locator page was found to be vulnerable to a DOM-based XSS attack. The vulnerability was once again demonstrated in an attack by security researcher Mirza Burhan Baig. The vulnerability has since been fixed by Apple.

Dow Jones & Company

In July 2013, security researcher David Sopas found a DOM-based XSS vulnerability in an Oracle Eloqua script. The vulnerable script, which was being used on the Dow Jones & Company website, allowed for the manipulation of the document.referrer property, therefore causing a DOM-based XSS vulnerability on the Dow Jones & Company website. The vulnerability has since been fixed by Dow Jones & Company.

WP-Pretty Photo WordPress Plugin

The WP-Pretty Photo Plugin, which is estimated to be active and installed on over 70,000 websites, was identified as vulnerable to DOM-based XSS attacks by security researcher Rafay Baloch. The plugin, a jQuery-based lightbox WordPress plugin, was initially identified as vulnerable on the Kali Linux website. The root of the vulnerability was the lack of sanitization of data before it was written back into the page for the user.

Google™

Google Security Test Engineer Claudio Criscione highlighted, in his talk 'Drinking the Ocean – Finding XSS at Google Scale' at GTAC 2013, that Google's security testing team is constantly on the lookout for XSS vulnerabilities in its products. However, in November 2012, security researcher Stefano Di Paola identified two DOM-based XSS vulnerabilities concerning Google websites and services. The first vulnerability concerned a script used by Google on a number of its websites, including the Google Toolbar page. The second was a DOM-based XSS vulnerability that leveraged Cross-Origin Resource Sharing (CORS) abuse in Google's +1 button. The social media button, which is present on hundreds of millions of websites, was vulnerable through the lack of proper input validation mechanisms. This has since been fixed by Google.

Booking.com

In February 2013, security researcher David Sopas found two DOM-based XSS vulnerabilities on Booking.com's iPhone® app page and FAQs section. The site, which is used to reserve over 400,000 rooms each day, was vulnerable to DOM-based XSS attacks due to a lack of sanitization of the location.hash property and the use of an old version of jQuery.

Facebook

In September 2012, security researcher Stefano Di Paola found a DOM-based XSS vulnerability in Facebook's Like button. The vulnerability of the social media button was caused by the lack of proper input sanitization on the document.location.href property. Facebook has since fixed this vulnerability.

Yahoo!

In January 2013, security researcher Shahin Ramezany found a DOM-based XSS vulnerability in Yahoo! Mail's public email service. The vulnerability allowed malicious users to steal a victim's login cookies via a rogue URL. The attacker could then use the stolen cookies to log in and fully control the account. The vulnerability, which affected more than 310 million Yahoo! Mail users, was caused by the use of an outdated script to which a patch had not been applied.

The issue with the vulnerable code in the script was that an eval() call was performed, without any sanitization, on a variable output by the function toObject from the top.name property, which is controllable by the attacker.

The vulnerability, despite being patched by Yahoo!, remained exploitable until the company released another patch that fixed the issue entirely.

Tumblr, a Yahoo! acquisition, was also vulnerable to DOM-based XSS through two un-sanitized variables found by security researcher David Sopas. The vulnerability, which took over two months to fix, was remediated by sanitizing the two vulnerable inputs, both of which had location.hash as their source.

THE AUTHOR
Ian Muscat

Ian Muscat used to be a technical resource and speaker for Acunetix. More recently, his work centers around cloud security and phishing simulation.