How to protect against DOM based attacks?

curiouswebster

This article:
https://github.com/aspnet/Docs/blob/master/aspnetcore/security/cross-site-scripting.md

Holds a warning:

[!WARNING] Don't concatenate untrusted input in JavaScript to create DOM elements. You should use createElement() and assign property values appropriately such as node.TextContent=, or use element.SetAttribute()/element[attribute]= otherwise you expose yourself to DOM-based XSS.

My C# / MVC / Razor web app was written some time ago, with little worry for XSS.

What key words shall I search for to assess the exposure to DOM based attacks?


Thanks
Expert (Most Valuable Expert 2017, Distinguished Expert 2018) commented:
This is just a re-hash of the other questions you have asked - in other words the answer is the same.

Firstly, is your application one that takes input from one user that could then potentially be displayed to another user - like a comments section.

If the answer is no then you are not at risk of XSS.

If the answer is yes - then you need to add additional sanitizing to your incoming data to ensure there is no malicious code.
So you remove anything between <script> tags.
If you need to accept code from the user (for whatever reason) then make sure you HTML Encode it so that it is seen as content to be displayed rather than code to be edited.

What that warning is saying is don't create dynamic content by submitting generated HTML based on user input - create the elements using the JavaScript .createElement or jQuery $('<element>') approach and then manually populate values and attributes - this helps to ensure that a vulnerability can be created by putting together seemingly innocuous bits of user input.

What key words shall I search for to assess the exposure to DOM based attacks?
No keywords - go and look at the code where user input (that will go to other users) is being received and where that data is being sent back to a browser.
Then make sure that there is means for someone to create code that can run in the browser.
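The question above asks what to search for when assessing an existing app. As an added example that is not code from the question, the answer or the linked article, the following triage scan flags the string-to-markup sinks the quoted warning is about (innerHTML, document.write, jQuery .html(value) and `$('<tag>' + ...)` concatenation) and leaves the createElement/textContent/setAttribute pattern alone. The sink list is a constructed starting point, not a complete one, and the sample script is constructed too.

```javascript
// Added example: a rough static check for DOM XSS sinks, i.e. places where a
// string is parsed as markup or code. Assumes nothing about the asker's app;
// the sink list is a starting point and the sample script below is constructed.
const DOM_SINKS = [
  { sink: "innerHTML/outerHTML assignment", re: /\.(innerHTML|outerHTML)\s*\+?=(?!=)/ },
  { sink: "insertAdjacentHTML()", re: /\.insertAdjacentHTML\s*\(/ },
  { sink: "document.write()", re: /\bdocument\.write(ln)?\s*\(/ },
  { sink: "jQuery .html(value)", re: /\.html\s*\(\s*[^)\s]/ },
  { sink: "jQuery $('<tag>' + ...) concatenation", re: /\$\s*\(\s*['"`]<[^'"`]*['"`]\s*\+/ },
  { sink: "eval()/new Function()", re: /\b(eval|new\s+Function)\s*\(/ },
];

// Returns one {line, sink, code} entry per sink found; line numbers are 1-based.
// Trailing // comments are dropped first so commented-out code is not reported
// (this also clips '//' inside string literals, acceptable for a triage pass).
function findDomSinks(source) {
  const hits = [];
  source.split("\n").forEach((text, i) => {
    const code = text.replace(/\/\/.*$/, "").trim();
    if (!code) return;
    for (const { sink, re } of DOM_SINKS) {
      if (re.test(code)) hits.push({ line: i + 1, sink, code });
    }
  });
  return hits;
}

// Constructed sample of an inline <script> from a Razor view: three unsafe
// lines (3, 4, 5) next to the safe createElement/textContent/setAttribute pattern.
const SAMPLE_SCRIPT = [
  "// constructed sample, not real application code",
  "var name = getQueryParam('user');                    // untrusted input",
  "document.getElementById('greet').innerHTML = '<b>Hi ' + name + '</b>';",
  "$('#comments').append($('<li>' + comment.body + '</li>'));",
  "$('#status').html(data.message);",
  "var li = document.createElement('li');              // safe: build the node",
  "li.textContent = comment.body;                      // safe: text, not markup",
  "li.setAttribute('title', comment.author);           // safe: attribute value",
  "document.getElementById('comments').appendChild(li);",
  "if (li.innerHTML === '') { li.remove(); }           // comparison, not assignment",
  "var count = $('#status').html().length;             // getter, no argument",
].join("\n");

for (const h of findDomSinks(SAMPLE_SCRIPT)) {
  console.log(`line ${h.line}: ${h.sink}\n    ${h.code}`);
}
```

Every hit still needs the manual check the answer describes: whether the value reaching that sink can originate from another user.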
curiouswebster (Software Engineer), Author, commented:
thanks
Expert (Most Valuable Expert 2017, Distinguished Expert 2018) commented:
You are welcome.