How to protect against DOM based attacks?

This article:
https://github.com/aspnet/Docs/blob/master/aspnetcore/security/cross-site-scripting.md

Holds a warning:

[!WARNING] Don't concatenate untrusted input in JavaScript to create DOM elements. You should use createElement() and assign property values appropriately such as node.TextContent=, or use element.SetAttribute()/element[attribute]= otherwise you expose yourself to DOM-based XSS.

My C# / MVC / Razor web app was written some time ago, with little worry for XSS.

What key words shall I search for to assess the exposure to DOM based attacks?


Thanks
newbieweb (Sr. Software Engineer) asked:
Julian Hansen commented:
This is just a re-hash of the other questions you have asked - in other words the answer is the same.

Firstly, is your application one that takes input from one user that could then potentially be displayed to another user - like a comments section.

If the answer is no then you are not at risk of XSS.

If the answer is yes - then you need to add additional sanitizing to your incoming data to ensure there is no malicious code.
So you remove anything between <script> tags.
If you need to accept code from the user (for whatever reason) then make sure you HTML Encode it so that it is seen as content to be displayed rather than code to be edited.

What that warning is saying is don't create dynamic content by submitting generated HTML based on user input - create the elements using the JavaScript .createElement or jQuery $('<element>') approach and then manually populate values and attributes - this helps to ensure that a vulnerability can be created by putting together seemingly innocuous bits of user input.

What key words shall I search for to assess the exposure to DOM based attacks?
No keywords - go and look at the code where user input (that will go to other users) is being received and where that data is being sent back to a browser.
Then make sure that there is means for someone to create code that can run in the browser.
0
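Added example, not from the question, the answer, or the ASP.NET docs the question cites: the same untrusted comment rendered the concatenation way the warning forbids and the createElement/textContent way it recommends. A tiny stand-in for the browser DOM is assumed so it runs under Node; in a real page `document` is the browser's own, and the serialization behaviour mirrors it (text set via textContent is escaped, markup set via innerHTML is parsed as HTML).

```javascript
// Minimal assumed stand-in for the browser DOM so the two patterns can be compared offline.
const ESCAPE = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" };
const escapeHtml = (s) => String(s).replace(/[&<>"]/g, (c) => ESCAPE[c]);

class FakeElement {
  constructor(tag) { this.tag = tag; this.attrs = {}; this.children = []; this.html = ""; }
  setAttribute(name, value) { this.attrs[name] = String(value); }
  set textContent(v) { this.children = [{ text: String(v) }]; this.html = ""; }
  // innerHTML is parsed as markup by a browser: anything in the string becomes live elements.
  set innerHTML(markup) { this.children = []; this.html = String(markup); }
  appendChild(child) { this.children.push(child); return child; }
  get outerHTML() {
    const attrs = Object.entries(this.attrs).map(([k, v]) => ` ${k}="${escapeHtml(v)}"`).join("");
    const inner = this.html || this.children
      .map((c) => (c.text !== undefined ? escapeHtml(c.text) : c.outerHTML)).join("");
    return `<${this.tag}${attrs}>${inner}</${this.tag}>`;
  }
}
const document = { createElement: (tag) => new FakeElement(tag) };

// Constructed untrusted input: what a stored comment from another user might contain.
const UNTRUSTED = '<img src=x onerror="alert(1)">';

// The pattern the warning forbids: string concatenation into innerHTML.
// The comment text is interpreted as markup, so the <img> (and its handler) becomes live.
function renderUnsafe(author, comment) {
  const li = document.createElement("li");
  li.innerHTML = "<b>" + author + "</b>: " + comment;
  return li.outerHTML;
}

// The recommended pattern: createElement plus textContent/setAttribute.
// The comment text stays text; the browser escapes it when serialising.
// Note: setAttribute stops attribute break-outs, but the attribute chosen still
// matters (e.g. a user-supplied href/src needs its scheme checked separately).
function renderSafe(author, comment) {
  const li = document.createElement("li");
  const b = document.createElement("b");
  b.setAttribute("class", "author");
  b.textContent = author;
  li.appendChild(b);
  const text = document.createElement("span");
  text.textContent = ": " + comment;
  li.appendChild(text);
  return li.outerHTML;
}
```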

newbieweb (Sr. Software Engineer), author, commented:
thanks
0
Julian Hansen commented:
You are welcome.
0
ASP.NET