How to protect against DOM based attacks?


This article:
https://github.com/aspnet/Docs/blob/master/aspnetcore/security/cross-site-scripting.md

Holds a warning:

[!WARNING] Don't concatenate untrusted input in JavaScript to create DOM elements. You should use createElement() and assign property values appropriately such as node.TextContent=, or use element.SetAttribute()/element[attribute]= otherwise you expose yourself to DOM-based XSS.

My C# / MVC / Razor web app was written some time ago, with little worry for XSS.

What key words shall I search for to assess the exposure to DOM based attacks?


Thanks
newbieweb (Sr. Software Engineer) asked:
Julian Hansen commented:
This is just a re-hash of the other questions you have asked - in other words the answer is the same.

Firstly, is your application one that takes input from one user that could then potentially be displayed to another user - like a comments section.

If the answer is no then you are not at risk of XSS.

If the answer is yes - then you need to add additional sanitizing to your incoming data to ensure there is no malicious code.
So you remove anything between <script> tags.
If you need to accept code from the user (for whatever reason) then make sure you HTML Encode it so that it is seen as content to be displayed rather than code to be edited.

What that warning is saying is don't create dynamic content by submitting generated HTML based on user input - create the elements using the JavaScript .createElement or jQuery $('<element>') approach and then manually populate values and attributes - this helps to ensure that a vulnerability can be created by putting together seemingly innocuous bits of user input.

What key words shall I search for to assess the exposure to DOM based attacks?
No keywords - go and look at the code where user input (that will go to other users) is being received and where that data is being sent back to a browser.
Then make sure that there is means for someone to create code that can run in the browser.
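The two approaches Julian contrasts, as an added example that is not part of the original thread: a user comment rendered by string concatenation beside the HTML-encoded and createElement/textContent versions. The sample comment, author name and the `comments` list id are constructed for illustration; the DOM helper takes the document as a parameter only so it can be exercised outside a browser.

```javascript
// Constructed hostile input: a comment body containing markup the browser
// would execute if it were ever parsed as HTML.
const UNTRUSTED_COMMENT = '<script>alert(1)</script> Nice post';

// HTML-encode the five characters that can change parsing context when
// text lands inside an element body or a quoted attribute value.
function htmlEncode(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// What the warning tells you not to do: untrusted values concatenated into
// markup that is later handed to innerHTML, $.html() or Html.Raw().
function buildCommentUnsafe(author, body) {
  return '<li class="comment"><b>' + author + '</b>: ' + body + '</li>';
}

// String-side fix: encode every untrusted value before it meets markup, so
// the browser sees the comment as text to display, not code to run.
function buildCommentEncoded(author, body) {
  return '<li class="comment"><b>' + htmlEncode(author) + '</b>: ' + htmlEncode(body) + '</li>';
}

// DOM-side fix: create the nodes and assign text and attributes through
// properties. Nothing here is ever parsed as HTML, so no encoding is needed.
function appendCommentSafe(doc, list, author, body) {
  const li = doc.createElement('li');
  li.setAttribute('class', 'comment');
  const b = doc.createElement('b');
  b.textContent = author;                       // text, never markup
  li.appendChild(b);
  li.appendChild(doc.createTextNode(': ' + body)); // text, never markup
  list.appendChild(li);
  return li;
}

// Browser usage (skipped under Node): render the hostile comment harmlessly
// into a constructed <ul id="comments"> element.
if (typeof document !== 'undefined') {
  const list = document.querySelector('ul#comments');
  if (list) appendCommentSafe(document, list, 'mallory', UNTRUSTED_COMMENT);
}
```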
newbieweb (Sr. Software Engineer, author) commented:
thanks
Julian Hansen commented:
You are welcome.