
I am trying to perform a DOM XSS attack to exploit a vulnerability in a localhost webpage. I am able to perform the attack successfully on IE 11 and Chrome, but Firefox is preventing me from performing the attack by encoding the script I put in the URL. I am performing the attack as explained on the official OWASP page. In order to bypass the XSS auditor of Chrome I am following the trick explained in this amazing article (even though he explains Reflected XSS in the article, it works well for DOM XSS also). So how can I perform a DOM XSS attack on the latest Firefox?

Note: I am able to perform Reflected XSS with Firefox (example), but I want DOM XSS specifically, where the information is not sent to the server.

Siddharth
  • Try to do it without using any of the characters that were escaped, e.g. `alert(1)`. See http://security.stackexchange.com/questions/66217/how-can-document-referrer-be-used-for-xss/73745#73745 for a jsfiddle demonstration. – Pacerier Jan 26 '16 at 18:03

2 Answers


The reason is simple: Firefox (I think from version 27 onwards) now URL-encodes everything, and you can now only exploit DOM XSS in Firefox if the developers make the explicit mistake of decoding it in the code.

You may find this recently published article useful: http://www.lanmaster53.com/2014/3/dom-based-xss-revisited/

Vilican
user36484
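The "explicit decoding" mistake this answer refers to, shown as an added illustration (not code from the question or either answer). It models Firefox's handling of `location.hash` with `encodeURI`, which is an assumption and only an approximation of the real browser, and it runs in Node without a DOM by returning the string that would be assigned to `innerHTML` rather than assigning it:

```javascript
// Simplified model of how Firefox exposes location.hash: '<' and '>' (among
// others) arrive percent-encoded. Approximated with encodeURI (assumption).
function firefoxHash(rawFragment) {
  return "#" + encodeURI(rawFragment);
}

// Sink input when the page uses the hash as-is: the percent-encoded text
// reaches innerHTML, so '<' never forms a tag.
function noDecodeSinkInput(hash) {
  return hash.slice(1);
}

// Vulnerable pattern: the page explicitly decodes the hash before writing it
// into an HTML sink. The browser's encoding is undone and markup is restored.
function vulnerableSinkInput(hash) {
  return decodeURIComponent(hash.slice(1));
}

// Hardened form: decode if the application needs the original value, but
// HTML-escape before any HTML sink (or write it with textContent instead).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function hardenedSinkInput(hash) {
  return escapeHtml(decodeURIComponent(hash.slice(1)));
}

// Detection helper: does the string contain something an HTML parser would
// treat as the start of a tag?
function reachesHtmlParser(s) {
  return /<[a-zA-Z]/.test(s);
}

// Constructed input: a fragment carrying harmless markup.
const CONSTRUCTED_FRAGMENT = "name=<b>x</b>";

function demo() {
  const hash = firefoxHash(CONSTRUCTED_FRAGMENT);
  return {
    hash,                                            // "#name=%3Cb%3Ex%3C/b%3E"
    noDecode: reachesHtmlParser(noDecodeSinkInput(hash)),       // false
    vulnerable: reachesHtmlParser(vulnerableSinkInput(hash)),   // true
    hardened: reachesHtmlParser(hardenedSinkInput(hash)),       // false
  };
}
```

Real browsers differ in which characters they leave unencoded, so confirm the behaviour against the domxsswiki table rather than this model.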

Maybe review https://code.google.com/p/domxsswiki/wiki/Index to help you determine which characters are encoded or not based on the browser vendor.

For example, in the following: `scheme://user:pass@host/path/to/page.ext/Pathinfo;semicolon?search.location=value#hash=value&hash2=value2`, the characters that are not URL-encoded in the PathInfo part, search part, and hash part in Firefox are listed below (screenshot of a part of the page linked above):

[screenshot not included]

Tate Hansen
  • That helped, @Tate. Vote up for that :) But I am still searching for how I can exploit the vulnerability in Firefox, because '<' and '>' are getting URI-encoded in FF (which we can see in the above pic also). – Siddharth Mar 07 '14 at 07:45
  • @Tate, So... in other words it's **not** exploitable? – Pacerier Jan 26 '16 at 16:49