Detection of DOM-based XSS can be challenging, for the following reasons.
Traditional black-box testing, which sends payloads to the server and looks for them in its responses, is how reflected and stored XSS are detected. That approach does not work for DOM-based XSS, because the injection happens entirely in client-side JavaScript: a payload carried in the URL fragment (after the #) is never sent to the server, so nothing in the HTTP response reveals it.
Taint analysis needs to be incorporated into the static analysis engine. Taint analysis identifies variables that have been 'tainted' with user-controllable input (sources such as document.location, document.URL, document.referrer or window.name) and traces them to the functions or properties where that input can do harm, known as 'sinks' (for example innerHTML, document.write, eval, or an assignment to document.location). If a tainted variable reaches a sink without first being sanitized, the flow is flagged as a vulnerability.
Explanation: an attacker can send the victim a link such as "http://hostname/welcome.html#name=<script>bad code here</script>". The fragment is processed only by the page's own JavaScript and is never transmitted to the server, so the victim's browser executes the injected client-side code while server logs and responses show nothing unusual.

The following listing is the kind of code a reviewer has to trace. The current URL is the source and the assignment to document.location.href is the sink:

```javascript
var url = document.location.href;              // source: the full current URL, attacker-influenced
var loginIdx = url.indexOf('login');
var loginSuffix = url.substring(loginIdx);     // everything from 'login' onward, still tainted
url = 'http://mySite/html/sso/' + loginSuffix;
document.location.href = url;                  // sink: navigates to an attacker-influenced URL
```

If the static analysis relies only on its black-box component, matching known sources and sinks without following the data between them, this code will be flagged as vulnerable, and the code reviewer must then do a complete source-to-sink review by hand to decide whether the flow is exploitable. Here the redirect target keeps the fixed scheme and host of http://mySite/html/sso/, so the tainted suffix cannot turn it into a javascript: URL; an automated source/sink match alone cannot make that distinction.
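As an added example (not code from this page and not any real tool), here is a deliberately simplified source-to-sink taint tracker in JavaScript that applies the taint-analysis idea described above to the listing just shown: it knows a fixed list of DOM sources and sinks, follows taint through straight-line assignments, and reports each sink reached together with the chain of statements a reviewer would otherwise have to reconstruct by hand. The source and sink lists, the encodeURIComponent sanitizer rule, and the welcome.html greeting samples are assumptions chosen for the illustration.

```javascript
// Simplified source-to-sink taint tracker for straight-line JavaScript (added example).
// Illustrative only: no real parser, no control flow, no function bodies, and no
// comments inside the analysed snippet. It knows a fixed list of DOM sources and
// sinks, follows taint through assignments, and treats the argument of
// encodeURIComponent()/encodeURI() (non-nested only) as sanitized. Lists are assumptions.

const SOURCES = [
  'document.location.href', 'document.location.hash', 'document.location.search',
  'location.href', 'location.hash', 'location.search',
  'document.URL', 'document.documentURI', 'document.referrer', 'window.name',
];
// Sinks written to by assignment (exact names or property suffixes) and sinks invoked as calls.
const ASSIGN_SINKS = ['document.location.href', 'document.location', 'location.href', 'location', 'window.location'];
const ASSIGN_SINK_SUFFIXES = ['.innerHTML', '.outerHTML'];
const CALL_SINKS = ['document.write', 'document.writeln', 'eval', 'setTimeout', 'setInterval'];

const IDENT_RE = /[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*/g;          // dotted identifier chains
const SANITIZER_RE = /\b(?:encodeURIComponent|encodeURI)\([^()]*\)/g;  // sanitizer call, simple args

// Remove string literals so text such as 'http://mySite/html/sso/' is not read as identifiers.
function stripStrings(expr) {
  return expr.replace(/'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|`(?:\\.|[^`\\])*`/g, '""');
}

function isSource(name) {
  return SOURCES.some(s => name === s || name.startsWith(s + '.'));
}

function isAssignSink(lhs) {
  return ASSIGN_SINKS.includes(lhs) || ASSIGN_SINK_SUFFIXES.some(s => lhs.endsWith(s));
}

// Returns the DOM source or tainted variable feeding `expr`, or null if the value is clean.
function taintOf(expr, tainted) {
  const body = stripStrings(expr).replace(SANITIZER_RE, '""');
  for (const name of body.match(IDENT_RE) || []) {
    if (isSource(name)) return name;
    const root = name.split('.')[0];            // url.indexOf(...) is tainted if url is
    if (tainted.has(root)) return root;
  }
  return null;
}

// Analyse one snippet. Each finding names the sink and the source-to-sink chain of
// statements that a reviewer would otherwise have to reconstruct by hand.
function analyze(code) {
  const findings = [];
  const tainted = new Map();                   // variable -> statements carrying taint to it
  const statements = code.split(/;|\n/).map(s => s.trim()).filter(Boolean);

  for (const stmt of statements) {
    const call = stmt.match(/^([\w$.]+)\((.*)\)$/);
    if (call && CALL_SINKS.includes(call[1])) {
      const origin = taintOf(call[2], tainted);
      if (origin) findings.push({ sink: call[1], chain: [...(tainted.get(origin) || []), stmt] });
      continue;
    }
    const assign = stmt.match(/^(?:(?:var|let|const)\s+)?([\w$.]+)\s*=(?!=)\s*(.+)$/);
    if (!assign) continue;
    const [, lhs, rhs] = assign;
    const origin = taintOf(rhs, tainted);
    if (!origin) { tainted.delete(lhs); continue; }   // clean reassignment kills the taint
    const chain = [...(tainted.get(origin) || []), stmt];
    if (isAssignSink(lhs)) findings.push({ sink: lhs, chain });
    else tainted.set(lhs, chain);
  }
  return findings;
}

// Constructed samples. The first is the listing from this page (with location.href);
// the others are a hypothetical welcome.html greeting, vulnerable and hardened.
const PAGE_LISTING = `var url = document.location.href;
var loginIdx = url.indexOf('login');
var loginSuffix = url.substring(loginIdx);
url = 'http://mySite/html/sso/' + loginSuffix;
document.location.href = url;`;

const GREETING_VULNERABLE = `var name = location.hash.substring(1);
var el = document.getElementById('greeting');
el.innerHTML = 'Welcome ' + name;`;

const GREETING_HARDENED = `var name = location.hash.substring(1);
var el = document.getElementById('greeting');
el.textContent = 'Welcome ' + name;`;

for (const [label, code] of Object.entries({ PAGE_LISTING, GREETING_VULNERABLE, GREETING_HARDENED })) {
  console.log(label, JSON.stringify(analyze(code), null, 2));
}
```

Run it with node. It flags the page's listing, exactly as the text says a source/sink matcher will, and the greeting that writes to innerHTML, while the textContent version produces no finding because text assignment is not an HTML sink. A real tracker needs a parser and control-flow handling rather than these regexes, and which sanitizer counts as adequate depends on the sink: percent-encoding neutralizes tags before innerHTML, but for a navigation sink a scheme and host allowlist is the meaningful check.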
- JSHint: http://www.jshint.com/about/
- DoctorJS: https://github.com/mozilla/doctorjs