I will not be gng 2 deep cz its quite confusioning i will be posting abt it in detail later :D although m also working on it dese days :P
|Fig 1.2||Fig 1.2|
DOM is a World Wide Web Consortium (W3C) specification, which defines the object model for representing XML and HTML structures. In the eXtensible Markup Language (XML) world, there are mainly two types of parsers, DOM and SAX. SAX is a parsing mechanism, which is significantly faster and less memory-intensive but also not very intuitive, because it is not easy to go back to the document nodes (i.e. the parsing mechanism is one way). On the other hand, DOM-based parsers load the entire document as an object structure, which contains methods and variables to easily move around the document and modify nodes, values, and attributes on the fly.
Here is a simple example of a DOM-base XSS provided by Amit Klein in his paper “Dom Based Cross Site Scripting or XSS of the Third Kind”:
<HTML> <TITLE>Welcome!</TITLE> Hi <SCRIPT> var pos=document.URL.indexOf(“name=”)+5; document.write(document.URL.substring(pos,document.URL.length)); </SCRIPT> <BR> Welcome to our system … </HTML>If we analyze the code of the example, you will see that the developer has forgotten to sanitize the value of the “name” get parameter, which is subsequently written inside the document as soon as it is retrieved. In the following section, we study a few more DOM based XSS examples based on a fictitious application that we created.
First, we have to create a page on the local system that contains the following code:
|Fig 1.3||Fig 1.4|
** jQuery is a useful AJAX library created by John Resig. jQuery significantly simplifies AJAX development, and makes it easy for developers to code in a cross-browser manner.**
$(this).html('<p>Welcome ' + name + '! You can type your message into the form below.</p><textarea class="pane">' + name + ' > </textarea>');As seen, the application composes a HTML string via JQuery’s HTML function.The html function modifies the content of the selected element.This string includes the data from the nickname input field. In our case, the input’s value is “Bob.” However, because the application fails to sanitize the name, we can virtually input any other type of HTML, even script elements, as shown on Figure 1.5
|Fig 1.5||Fig 1.6|
<p>Welcome <script>alert('xss')</script>! You can type your message into the form below.</p><textarea class="pane"><script>alert('xss') </script> > </textarea>This is known as non-persistent DOM-based XSS. Figure 1.6 shows the output of the exploit.