I was looking here, and I understand that reflected-DOM XSS(Client-side XSS) does not go through a server-side script but Reflected XSS (Server-side XSS) does, but neither hits/gets stored in the database. But I am confused on what one injection can do that the other can't. What are the dangers of XSS going through a server-side script vs being injected right into the client's page (the script still runs on the client side regardless)? In addition, is there such a thing as a persistent-DOM XSS(client-side XSS) injection, if how?
2 Answers
The impact of XSS is the same regardless of whether it is stored/reflective or DOM-based/server-side - the attacker gets full control of the web session. Stored XSS is more readily exploitable (you don't need to get a user to click a link) so it's more serious. Whether a vulnerability is DOM-based or server-side doesn't greatly affect the severity.
You can have stored DOM-based XSS. As an example, consider a e-commerce site that allows users to post reviews of products. It's a single page application, so when you view a product, the JavaScript sends an Ajax request to fetch product information. The Ajax back-end returns JSON properly escaped, so it's not vulnerable. However, the JavaScript renders the returned data as HTML. This creates an XSS vulnerability: a malicious user can submit a review containing an XSS attack, and when a victim user views that product, the XSS payload executes in their browser.
- 32,906
- 8
- 93
- 130
-
1in your example, why is that DOM based and not just regular stored XSS? How is writing the review different than storing a script in a web-blog which is considered regular stored XSS? Is writing the review changing the DOM whereas a blog post may not be? – dylan7 Aug 20 '15 at 16:48
-
3@dylan7 - because JavaScript is doing the rendering, rather than a server-side template – paj28 Aug 20 '15 at 18:14
Stored or Persistent XSS is a kind of XSS vulnerability where the untrusted user input is processed and stored by the server in a file or database without any validation and this untrusted data is fetched from the storage and is reflected back in response without encoding or escaping resulting in permanent code execution at the browser whenever the stored data is reflected in the response.
Reflected or Non-Persistent XSS is a kind of XSS vulnerability where the untrusted user input is immediately processed by the server without any validation and is reflected back in the response without encoding or escaping resulting in code execution at the browser.
DOM Based XSS is a form of client side XSS which occurs in an environment where the source of the data is in the DOM, the sink is also in the DOM, and the data flow never leaves the browser. It occurs when an untrusted data is given at the source is executed as a result of modifying the DOM “environment” in the browser. DOM XSS occurs when the untrusted data is not in escaped or encoded form with respect to the context.
There is also mXSS or Mutation XSS is a kind of XSS vulnerability that occurs when the untrusted data is processed in the context of DOM's innerHTML property and get mutated by the browser, resulting as a valid XSS vector. In mXSS an user specified data that appears harmless may pass through the client side or server side XSS Filters if present or not and get mutated by the browser's execution engine and reflect back as a valid XSS vector.
In short stored XSS is the biggest threat because it allows to steal cookies and compromise the website (if HTTPOnly is not suppored) without users interaction. Reflected or DOM XSS can also be very useful for attackers for example performing phishing attacks.
- 1,580
- 3
- 15
- 27