Reflected DOM Injection
Reflected DOM Injection (RDI) is an evasive XSS technique which uses a third party website to construct and execute an attack. This technique can be implemented on websites that use a user-provided URL as part of their service (e.g. translation services, caching services, etc.)
In order to implement this technique:
- Take a piece of code that you would like to hide using RDI (“Code X”)
- Find a service that receives user input as described above (“Service Y”)
- Choose a feature that is unique to this service (e.g. a DOM element added by this service) and use it to create a pseudo-unique “key”.
- Encrypt Code X using the key and host it on your website, add code that will attempt to re-create the key and decrypt the content in runtime.
- Browse to your website using Service Y. The decryption code will execute and re-generate the key, decrypt your hidden code, and execute it.
By using this technique the exploit is triggered only if the user followed the expected flow and accessed our website using the third party service. The same code, however, would not execute by browsing directly to the attacker’s website.
Figure 1 describes a direct access to a website that uses the RDI technique to exploit the user’s browser. By accessing the website directly, the exploit remained encrypted and the content sent to the client machine remains benign.
Figure 2 describes the attack scenario - where the user accesses the website which uses the RDI technique using the third party Service Y. The service creates a new connection to the attacker’s website, receives the content, manipulates it in order to provide the service, and delivers the new modified content to the user. This manipulation done by Service Y turns the attacker’s page into a malicious one by helping generate the key required to decrypt the malicious code. The RDI technique actually uses the third party service to create the malicious content.
The RDI technique provides the following benefits:
- The URL to the exploit is hosted on known and legit service.
- The content hosted on the attacker’s website is essentially legit when accessed directly.
- The malicious content can only be revealed by following the full flow of the attack.
The RDI technique was first presented at DEFCON 21 by Daniel Chechik and Anat Davidi. A full scenario of the technique is described in a paper published following the conference on the Trustwave SpiderLabs blog.