Java : DOM XSS
Classification
Overview
DOM-based XSS is possible.
Cross-site scripting (XSS) is one of the most common types of attacks on web applications. XSS ranks seventh in the OWASP Top 10 2017 list of the ten most significant web application vulnerabilities.
The core of any XSS attack is the execution of malicious code in the context of a vulnerable application without the victim noticing. The attack relies on the client application (browser) automatically executing scripts embedded in the page's code; in most cases the malicious scripts are written in JavaScript.
The consequences of XSS range from broken application functionality to a complete loss of confidentiality of user data. Malicious code run during an XSS attack can steal the user's HTTP cookies, which lets an attacker make requests to the server on the user's behalf.
OWASP suggests the following classification of XSS attacks:
- Server-type XSS occurs when data from an untrusted source is included in the response returned by the server. The source of such data can be either user input or the server's database (where it was previously stored by an attacker who exploited vulnerabilities in the server-side application).
- Client-type XSS occurs when raw data from user input contains code that changes the Document Object Model (DOM) of the web page received from the server. The source of such data can be either the DOM itself or data received from the server (e.g., in response to an AJAX request).
Typical server-type attack scenario:
- Unvalidated data, usually from an HTTP request, reaches the server-side part of the application.
- The server dynamically generates a web page that contains the unvalidated data.
- While generating the page, the server does not prevent executable content from being included in the page's code: JavaScript, HTML tags, HTML attributes, Flash, ActiveX, etc., that the client (browser) can execute.
- The victim's client application renders the web page containing the malicious code injected via data from the untrusted source.
- Because the malicious code arrives in a web page from a known server, the client part of the application (browser) executes it with the privileges granted to that application.
- This violates the same-origin policy, which states that code from one origin must not get access to resources from another origin.
Client-type attacks proceed in a similar way; the only difference is that the malicious code is injected while the client application is working with the document object model received from the server.
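The following is an added example, not code from the original page or from the detector it describes. It shows both classes from the classification above side by side: a server-type case, where a request parameter is concatenated into the generated page, and a client-type (DOM-based) case, where a DOM source (location.hash) flows into a DOM sink (innerHTML). Each vulnerable function is paired with its hardened form, which applies HTML-context output encoding or writes through textContent. The untrusted input string, the function names and the stand-in element (which mimics only the one browser behaviour that matters here, namely that innerHTML parses markup and textContent does not) are all constructed for this example so it runs in Node without a browser.

```javascript
// Added example (not from the original page): server-type and client-type XSS,
// each shown as a vulnerable pattern beside its hardened form.
// A tiny stand-in element replaces the real DOM so the code runs in Node.

// Constructed untrusted input, standing in for an attacker-controlled parameter.
const UNTRUSTED = '<img src=x onerror="alert(document.cookie)">';

// Output encoding for the HTML body/attribute context: the characters that
// can change the meaning of markup are replaced by entity references.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  }[ch]));
}

// --- Server type: the response page is assembled from request data ---

// Vulnerable: the raw parameter becomes part of the markup the server returns.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Hardened: the parameter is encoded for the HTML context it lands in.
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// --- Client type (DOM-based): page script writes untrusted data into the DOM ---

// Stand-in for a DOM element (hypothetical, for this example only).
// Assigning innerHTML "parses" the value and records the tags it would create;
// assigning textContent stores plain text and creates no tags, as in a browser.
function makeElement() {
  const el = { _html: '', _text: '', parsedTags: [] };
  Object.defineProperty(el, 'innerHTML', {
    set(markup) {
      el._html = markup;
      el.parsedTags = markup.match(/<\s*[a-z][a-z0-9]*/gi) || [];
    },
    get() { return el._html; },
  });
  Object.defineProperty(el, 'textContent', {
    set(text) { el._text = text; el.parsedTags = []; },
    get() { return el._text; },
  });
  return el;
}

// Vulnerable: location.hash (DOM source) flows straight into innerHTML (DOM sink).
function showFragmentUnsafe(element, locationHash) {
  element.innerHTML = decodeURIComponent(locationHash.slice(1));
  return element.parsedTags.length; // number of tags the browser would create
}

// Hardened: textContent never interprets its value as markup.
function showFragmentSafe(element, locationHash) {
  element.textContent = decodeURIComponent(locationHash.slice(1));
  return element.parsedTags.length; // always 0
}

// Stand-alone demonstration.
console.log(renderGreetingUnsafe(UNTRUSTED));
console.log(renderGreetingSafe(UNTRUSTED));
const hash = '#' + encodeURIComponent(UNTRUSTED);
console.log('tags created via innerHTML:', showFragmentUnsafe(makeElement(), hash));
console.log('tags created via textContent:', showFragmentSafe(makeElement(), hash));
```

The two hardened variants illustrate the two defenses that apply to the two classes: for server-generated pages, encode untrusted data for the context in which it is emitted (the OWASP XSS Prevention Cheat Sheet listed in the references covers the other contexts, such as JavaScript and URL); for DOM-based cases, prefer sinks such as textContent that treat data as text, and review every place where data from location, document.referrer, postMessage or an AJAX response reaches innerHTML, document.write, or eval-like sinks.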
References
- OWASP Top 10-2017 A7-Cross-Site Scripting (XSS)
- OWASP: Cross-site Scripting (XSS)
- CWE-79: Improper Neutralization of Input During Web Page Generation
- OWASP: Types of Cross-Site Scripting
- DOM Based XSS attacks: what is the most dangerous example?
- OWASP: XSS Prevention Cheat Sheet
- CWE CATEGORY: OWASP Top Ten 2017 Category A3 - Sensitive Data Exposure
- CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
- CWE-81: Improper Neutralization of Script in an Error Message Web Page
- CWE-83: Improper Neutralization of Script in Attributes in a Web Page
