Is this vulnerable to dom-based xss?

I have a disagreement with a security auditor, whether a snippet of html/js is vulnerable to XSS or not.

In short this is it:

<html>
<form name="myform" action="page.php" method="post" onsubmit="return validate()">
<input name="field" type="text" size="50" />
<input type="submit" value="Submit" />
</form>

<script>
function validate()
{
  // The field's value is always a string; it is concatenated, never evaluated.
  var str=document.myform.field.value;
  alert("Error in " + str);
  return false;
}
</script>
</html>

So, my auditor says that this can be vulnerable to DOM-based XSS, but has not yet given me an example.

I personally think that it is not, since, because of the + inside alert, str is a string, so it's not executed. For example, if someone provides "document.cookie" in the form and hits submit, then the alert box is going to print "Error in document.cookie" (and not the actual cookie).

Answers


The only way this could be a potential threat is if you are including scripts that are not under your control from an untrustworthy source.

  • The malicious script could overwrite alert to be another function. For example, it could send the data passed to alert to its own servers.
  • The malicious script could overwrite the value of document.myform.field with an object containing a value property. The alert could be thus made to display a message that looked like a different error message, such as:

Error in authentication. Please go to www.phisherman.com and enter your user name and password.

If you are linking to scripts from untrustworthy sources, you have much greater security concerns than the above.

If you are linking to no such untrustworthy scripts, then no, this is not vulnerable to DOM-based XSS. form.field.value contains a string. It is not evaluated as script, escape characters have no effect, the string contained in the textbox will be displayed in the alert window. Nothing a user enters in that field could be used to harm your servers or corrupt your data based on the code you've posted.

I'd say that if your auditor is concerned with "DOM-based XSS" wherein a user might cause harm to your servers by manipulating the DOM, your auditor does not know much about the DOM and browser-based JavaScript. A user can crack open a JavaScript console and execute all manner of scripts, including XMLHttpRequests to your server that can be made to look like they came from your own script. Precautions need to be made on the server for those types of attacks. Worrying about the security risks to the DOM or UI from user input in form fields is silly.
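The distinction the answer draws (a string concatenated into alert is data, whereas a string inserted through an HTML-parsing sink is where DOM-based XSS actually lives) can be checked in a few lines. The following is an added example, not code from the question or the answer. It runs under Node.js with no browser: the DOM element is a constructed stand-in, and buildErrorMessage, escapeHtml, renderErrorAsText, renderErrorAsHtml and isNativeFunction are hypothetical helper names chosen for this illustration.

```javascript
// Added example (not from the question or the answer). Node.js, no browser;
// the element and the sample inputs below are constructed for this demo.

// 1. What validate() does with the field: string concatenation.
//    The result is a string, never parsed as script, whatever the text contains.
function buildErrorMessage(fieldValue) {
  return "Error in " + String(fieldValue);
}

// 2. The sink that would make this DOM-based XSS is an HTML-parsing insertion
//    (innerHTML, document.write). escapeHtml() is the usual mitigation when
//    untrusted text must become part of an HTML string; textContent needs no
//    escaping because it creates a text node, so markup stays literal.
function escapeHtml(s) {
  var map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

function renderErrorAsText(el, fieldValue) {
  // Safe path: text node. Returns what the page would show.
  el.textContent = buildErrorMessage(fieldValue);
  return el.textContent;
}

function renderErrorAsHtml(el, fieldValue) {
  // Safe only because of escapeHtml(); without it this is the classic DOM XSS sink.
  el.innerHTML = escapeHtml(buildErrorMessage(fieldValue));
  return el.innerHTML;
}

// 3. The answer's one real concern: a third-party script replacing alert().
//    A native browser function stringifies to "function alert() { [native code] }",
//    a JavaScript wrapper does not. Handy as a sanity check while debugging a
//    page that loads foreign scripts; not a security boundary, since a script
//    with that much access can override toString as well.
function isNativeFunction(fn) {
  if (typeof fn !== "function") return false;
  var src = Function.prototype.toString.call(fn);
  return /\{\s*\[native code\]\s*\}\s*$/.test(src);
}

// Constructed stand-in for a DOM element (no HTML parser here).
function makeElement() {
  return { textContent: "", innerHTML: "" };
}

function demo() {
  // The questioner's own test input: stays a literal string.
  console.log(buildErrorMessage("document.cookie"));        // Error in document.cookie
  // Markup in the field: literal via textContent, encoded via escapeHtml.
  console.log(renderErrorAsText(makeElement(), "<b>x</b>")); // Error in <b>x</b>
  console.log(renderErrorAsHtml(makeElement(), "<b>x</b>")); // Error in &lt;b&gt;x&lt;/b&gt;
  // Native function versus a plain JavaScript wrapper.
  console.log(isNativeFunction(Math.max));                   // true
  console.log(isNativeFunction(function wrapped() {}));      // false
}

demo();
```

The point to take from the first two functions is that the sink, not the concatenation, decides whether input is interpreted: alert and textContent consume a string as text, while innerHTML consumes it as markup. The isNativeFunction check corresponds to the answer's "overwrite alert" scenario and is only a diagnostic; the actual mitigation is the one the answer gives, which is not to load scripts you do not control.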

