DEV Community: takutoy The latest articles on DEV Community by takutoy (@takutoy). https://dev.to/takutoy https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F994664%2F1c1ae991-c047-42ff-9797-f576b885abad.png DEV Community: takutoy https://dev.to/takutoy en Semgrep Writing Rule Tutorial (DOM-Based XSS) takutoy Sat, 24 Dec 2022 00:24:09 +0000 https://dev.to/takutoy/semgrep-writing-rule-tutorial-dom-based-xss-2jh0 https://dev.to/takutoy/semgrep-writing-rule-tutorial-dom-based-xss-2jh0 <p>Semgrep provides a large number of rules, but sometimes you may want to customize a rule or create a new one.</p> <p>For example, when a vulnerability is found in a product developed by the organization, we want to</p> <ul> <li>check if similar vulnerabilities exist in other products</li> <li>detect similar vulnerabilities in the future </li> </ul> <p>In such cases, rules for finding vulnerabilities will help maintain the security of the product.</p> <p>This article will guide you through the process of creating a rule to detect DOM-Based XSS and help you understand the features and options required to create a rule.</p> <h2> Prerequisite </h2> <p>This tutorial uses semgrep 1.2.1.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>semgrep <span class="nt">--version</span> 1.2.1 </code></pre> </div> <h2> Search for similar rules </h2> <p><a href="https://semgrep.dev/explore">Semgrep Registry</a> provides rules created by r2c, developer of Semgrep, and the community.</p> <p>There may already be a rule that has been created that you are trying to create, or there may be similar rules, so search first.</p> <p>In this tutorial, we want to create a rule to detect DOM-Based XSS, so we will <a href="https://semgrep.dev/r?q=dom+xss&amp;lang=JavaScript">search javascript rule for dom xss</a>.</p> <p>The search found the rule <code>javascript.browser.security.dom-based-xss.dom-based-xss</code>, so we will create a rule based on this.</p> <p>part of <code>javascript.browser.security.dom-based-xss.dom-based-xss</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">pattern-either</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s">document.write(&lt;... document.location.$W ...&gt;)</span> <span class="pi">-</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s">document.write(&lt;... location.$W ...&gt;)</span> </code></pre> </div> <p>This rule seems to only detect <code>document.write()</code>.</p> <h2> Create test cases </h2> <p>Before you start writing rules, you should first create test cases.</p> <ul> <li>test code you want to detect (unsafe)</li> <li>test code you do not want to detect (safe)</li> </ul> <p>The test case is as follows:</p> <p>dom-based-xss.js<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">qs</span> <span class="o">=</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">search</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">hash</span> <span class="o">=</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">hash</span><span class="p">;</span> <span class="c1">// ok</span> <span class="nb">document</span><span class="p">.</span><span class="nx">write</span><span class="p">(</span><span class="dl">"</span><span class="s2">&lt;p&gt;ok&lt;/p&gt;</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// unsafe</span> <span class="nb">document</span><span class="p">.</span><span class="nx">write</span><span class="p">(</span><span class="nx">qs</span><span class="p">);</span> <span class="nb">document</span><span class="p">.</span><span class="nx">write</span><span class="p">(</span><span class="nx">hash</span><span class="p">);</span> </code></pre> </div> <p>Test cases do not need to cover all patterns from the beginning. You can add test cases as you create rules.</p> <p>By the way, it still does not detect correctly when executed with the current rules.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>$ semgrep --config dom-based-xss.yaml dom-based-xss.js Scanning 1 file. Ran 1 rule on 1 file: 0 findings. </code></pre> </div> <h2> Taint tracking </h2> <p>Injection attacks such as XSS are characterized by source and sink. The place where the attack code is placed is called the <strong>source</strong>, and the place where the attack code is executed is called the <strong>sink</strong>.</p> <p>Semgrep has a feature called taint tracking that analyzes whether an untrusted <strong>source</strong> reaches a vulnerable <strong>sink</strong>.</p> <p>Taint tracking may reduce false negatives and false positives.</p> <h3> Taint mode </h3> <p>To use taint tacking, set mode to taint and write <code>pattan-sources</code> and <code>pattern-sinks</code>.</p> <p>dom-based-xss.yaml<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">dom-based-xss</span> <span class="na">mode</span><span class="pi">:</span> <span class="s">taint</span> <span class="na">message</span><span class="pi">:</span> <span class="s">dom-xss</span> <span class="na">languages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">javascript</span> <span class="pi">-</span> <span class="s">typescript</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">ERROR</span> <span class="na">pattern-sources</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s">window.location</span> <span class="na">pattern-sinks</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">pattern-either</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s">document.write(...)</span> </code></pre> </div> <p>This rule has the following settings:</p> <ul> <li><code>mode: taint</code></li> <li> <code>pattan-sources</code> to <code>window.location</code>, the source of DOM-XSS.</li> <li> <code>pattan-sinks</code> to <code>document.write(...)</code>, the sink of DOM-XSS</li> </ul> <p>In this rule, The taint tracking analyzes the following</p> <ul> <li> <code>const qs = window.location.search;</code> <ul> <li> <code>window.location</code> is tainted</li> <li> <code>window.location.search</code> is tainted too</li> <li>constant <code>qs</code> is also tainted</li> </ul> </li> <li> <code>document.write(qs);</code> <ul> <li>tainted <code>qs</code> is used in vulnerable sink</li> </ul> </li> </ul> <p>Run this rule on the previous test case and you will see that it is now detectable.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>semgrep <span class="nt">--config</span> dom-based-xss.yaml dom-based-xss.js Scanning 1 file. Findings: dom-based-xss2.js dom-based-xss dom-xss 5┆ document.write<span class="o">(</span>qs<span class="o">)</span><span class="p">;</span> ⋮┆---------------------------------------- 6┆ document.write<span class="o">(</span><span class="nb">hash</span><span class="o">)</span><span class="p">;</span> Ran 1 rule on 1 file: 2 findings </code></pre> </div> <h3> Enhance Source and Sink </h3> <p>DOM-XSS source can be other than <code>window.location</code> and sink can be other than <code>document.write()</code>.</p> <p>For example,<br> <a href="https://portswigger.net/blog/introducing-dom-invader#:~:text=in%20the%20sink.-,List%20of%20sources%20and%20sinks,-Whilst%20developing%20DOM">Introducing DOM Invader: DOM XSS just got a whole lot easier to find : PortSwigger</a> presented 11 sources and 86 sinks.</p> <p>Since the article would be too long if we tried to cover all sources and sinks, 5 sources and sinks are selected.</p> <p>sources<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>- location - location.href - location.hash - location.search - document.URL </code></pre> </div> <p>sinks<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>- document.write() - document.writeln() - jQuery.html() - element.innerHTML - location.href </code></pre> </div> <p>These sources and sinks are written in the rules as follows.</p> <p>dom-based-xss.yaml<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">dom-based-xss</span> <span class="na">mode</span><span class="pi">:</span> <span class="s">taint</span> <span class="na">message</span><span class="pi">:</span> <span class="s">dom-xss</span> <span class="na">languages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">javascript</span> <span class="pi">-</span> <span class="s">typescript</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">ERROR</span> <span class="na">pattern-sources</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">pattern-either</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s">location</span> <span class="pi">-</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s">window.location</span> <span class="pi">-</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s">document.location</span> <span class="pi">-</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s">document.URL</span> <span class="na">pattern-sinks</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">pattern-either</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s">document.write($PAYLOAD)</span> <span class="pi">-</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s">document.writeln($PAYLOAD)</span> <span class="pi">-</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s">$JQ.html($PAYLOAD)</span> <span class="pi">-</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s">$ELEMENT.innerHTML = $PAYLOAD</span> <span class="pi">-</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s">location.href = $PAYLOAD</span> </code></pre> </div> <p>Notes.</p> <ul> <li>Once <code>location</code> is set, <code>location.href</code> <code>location.hash</code> <code>location.search</code> is also automatically set to source.</li> <li>The <code>location</code> is added because <code>window.location</code> and <code>document.location</code> are also available.</li> </ul> <p>Add test cases to match the addition of the sources and sinks.</p> <p>dom-based-xss.js<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">qs</span> <span class="o">=</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">search</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">hash</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">hash</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">query</span> <span class="o">=</span> <span class="nx">location</span><span class="p">.</span><span class="nx">search</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">url</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">URL</span><span class="p">;</span> <span class="c1">// ok</span> <span class="nb">document</span><span class="p">.</span><span class="nx">write</span><span class="p">(</span><span class="dl">"</span><span class="s2">&lt;p&gt;ok&lt;/p&gt;</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// unsafe</span> <span class="nb">document</span><span class="p">.</span><span class="nx">write</span><span class="p">(</span><span class="dl">"</span><span class="s2">unsafe</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">qs</span><span class="p">);</span> <span class="nb">document</span><span class="p">.</span><span class="nx">writeln</span><span class="p">(</span><span class="dl">"</span><span class="s2">unsafe</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">hash</span><span class="p">);</span> <span class="c1">// unsafe</span> <span class="nx">$</span><span class="p">(</span><span class="dl">"</span><span class="s2">div.test</span><span class="dl">"</span><span class="p">).</span><span class="nx">html</span><span class="p">(</span><span class="nx">query</span><span class="p">)</span> <span class="c1">// unsafe</span> <span class="kd">const</span> <span class="nx">e1</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">p</span><span class="dl">'</span><span class="p">);</span> <span class="nx">e1</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">url</span><span class="p">;</span> <span class="c1">// unsafe</span> <span class="nx">location</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="nx">qs</span> </code></pre> </div> <p>After adding the test cases, let's run the rule; there are 5 unsafe cases, so 5 should be detected.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>semgrep <span class="nt">--config</span> dom-based-xss.yaml dom-based-xss.js Scanning 1 file. Findings: dom-based-xss.js dom-based-xss dom-xss 10┆ document.write<span class="o">(</span><span class="s2">"unsafe"</span> + qs<span class="o">)</span><span class="p">;</span> ⋮┆---------------------------------------- 11┆ document.writeln<span class="o">(</span><span class="s2">"unsafe"</span> + <span class="nb">hash</span><span class="o">)</span><span class="p">;</span> ⋮┆---------------------------------------- 14┆ <span class="si">$(</span><span class="s2">"div.test"</span><span class="si">)</span>.html<span class="o">(</span>query<span class="o">)</span> ⋮┆---------------------------------------- 18┆ e1.innerHTML <span class="o">=</span> url<span class="p">;</span> ⋮┆---------------------------------------- 21┆ location.href <span class="o">=</span> qs Ran 1 rule on 1 file: 5 findings. </code></pre> </div> <p>Properly detected!</p> <h3> Propagator </h3> <p>In taint tracking, tracking may be interrupted when some functions are used.</p> <p>For example, the following cases will result in DOM-XSS, but will not be detected by Semgrep.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// unsafe</span> <span class="nx">arr</span> <span class="o">=</span> <span class="p">[];</span> <span class="nx">arr</span><span class="p">.</span><span class="nx">push</span><span class="p">(</span><span class="nx">url</span><span class="p">);</span> <span class="nb">document</span><span class="p">.</span><span class="nx">write</span><span class="p">(</span><span class="nx">arr</span><span class="p">.</span><span class="nx">join</span><span class="p">(</span><span class="dl">'</span><span class="s1"> </span><span class="dl">'</span><span class="p">));</span> </code></pre> </div> <p>This is because Semgrep does not know that <code>arr</code> is tainted by <code>push(url)</code>. This is where <code>propagators</code> come in.</p> <p>The <code>propagators</code> are set as follows<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">pattern-propagators</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s">$ARR.push($E)</span> <span class="na">from</span><span class="pi">:</span> <span class="s">$E</span> <span class="na">to</span><span class="pi">:</span> <span class="s">$ARR</span> </code></pre> </div> <p>This will also detect the previous test case. In addition to <code>push</code>, <code>shift</code> and <code>unshift</code> need to be set as propagators well.</p> <h3> Sanitizer </h3> <p>If a variable is properly sanitized, DOM-XSS will not occur.</p> <p>For example, if you sanitize using DOMPurify, DOM-XSS will not occur. But the current rules will detect it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ok</span> <span class="kd">const</span> <span class="nx">sanitized</span> <span class="o">=</span> <span class="nx">DOMPurify</span><span class="p">.</span><span class="nx">sanitize</span><span class="p">(</span><span class="nx">qs</span><span class="p">)</span> <span class="nb">document</span><span class="p">.</span><span class="nx">write</span><span class="p">(</span><span class="nx">sanitized</span><span class="p">);</span> </code></pre> </div> <p>So, setting <code>sanitizers</code> will break the tracking assuming the variable is sanitized.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">pattern-sanitizers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s">DOMPurify.sanitize(...)</span> </code></pre> </div> <p>This will prevent the previous test case from being detected.</p> <h3> Summary of taint tracking </h3> <p>We have now created a rule to detect DOM-Based XSS using taint mode.</p> <p>For taint mode, we used the following settings</p> <ul> <li>mode: taint</li> <li>pattern-sources</li> <li>pattern-sinks</li> <li>pattern-propagators</li> <li>pattern-sanitizers</li> </ul> <p>The completed YAML file and test code are as follows</p> <p>dom-based-xss.yaml<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">dom-based-xss</span> <span class="na">mode</span><span class="pi">:</span> <span class="s">taint</span> <span class="na">message</span><span class="pi">:</span> <span class="s">dom-xss</span> <span class="na">languages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">javascript</span> <span class="pi">-</span> <span class="s">typescript</span> <span class="na">severity</span><span class="pi">:</span> <span class="s">ERROR</span> <span class="na">pattern-sources</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">pattern-either</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s">location</span> <span class="pi">-</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s">window.location</span> <span class="pi">-</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s">document.location</span> <span class="pi">-</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s">document.URL</span> <span class="na">pattern-sinks</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">pattern-either</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s">document.write($PAYLOAD)</span> <span class="pi">-</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s">document.writeln($PAYLOAD)</span> <span class="pi">-</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s">$JQ.html($PAYLOAD)</span> <span class="pi">-</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s">$ELEMENT.innerHTML = $PAYLOAD</span> <span class="pi">-</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s">location.href = $PAYLOAD</span> <span class="na">pattern-propagators</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s">$ARR.push($E)</span> <span class="na">from</span><span class="pi">:</span> <span class="s">$E</span> <span class="na">to</span><span class="pi">:</span> <span class="s">$ARR</span> <span class="na">pattern-sanitizers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s">DOMPurify.sanitize(...)</span> </code></pre> </div> <p>dom-based-xss.js<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">qs</span> <span class="o">=</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">search</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">hash</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">hash</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">query</span> <span class="o">=</span> <span class="nx">location</span><span class="p">.</span><span class="nx">search</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">url</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">URL</span><span class="p">;</span> <span class="c1">// ok</span> <span class="nb">document</span><span class="p">.</span><span class="nx">write</span><span class="p">(</span><span class="dl">"</span><span class="s2">&lt;p&gt;ok&lt;/p&gt;</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// unsafe</span> <span class="nb">document</span><span class="p">.</span><span class="nx">write</span><span class="p">(</span><span class="dl">"</span><span class="s2">unsafe</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">qs</span><span class="p">);</span> <span class="nb">document</span><span class="p">.</span><span class="nx">writeln</span><span class="p">(</span><span class="dl">"</span><span class="s2">unsafe</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">hash</span><span class="p">);</span> <span class="c1">// unsafe</span> <span class="nx">$</span><span class="p">(</span><span class="dl">"</span><span class="s2">div.test</span><span class="dl">"</span><span class="p">).</span><span class="nx">html</span><span class="p">(</span><span class="nx">query</span><span class="p">);</span> <span class="c1">// unsafe</span> <span class="kd">const</span> <span class="nx">e1</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">createElement</span><span class="p">(</span><span class="dl">'</span><span class="s1">p</span><span class="dl">'</span><span class="p">);</span> <span class="nx">e1</span><span class="p">.</span><span class="nx">innerHTML</span> <span class="o">=</span> <span class="nx">url</span><span class="p">;</span> <span class="c1">// unsafe</span> <span class="nx">location</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="nx">qs</span><span class="p">;</span> <span class="c1">// unsafe</span> <span class="nx">arr</span> <span class="o">=</span> <span class="p">[];</span> <span class="nx">arr</span><span class="p">.</span><span class="nx">push</span><span class="p">(</span><span class="nx">url</span><span class="p">);</span> <span class="nb">document</span><span class="p">.</span><span class="nx">write</span><span class="p">(</span><span class="nx">arr</span><span class="p">.</span><span class="nx">join</span><span class="p">(</span><span class="dl">'</span><span class="s1"> </span><span class="dl">'</span><span class="p">));</span> <span class="c1">// ok</span> <span class="kd">const</span> <span class="nx">sanitized</span> <span class="o">=</span> <span class="nx">DOMPurify</span><span class="p">.</span><span class="nx">sanitize</span><span class="p">(</span><span class="nx">qs</span><span class="p">)</span> <span class="nb">document</span><span class="p">.</span><span class="nx">write</span><span class="p">(</span><span class="nx">sanitized</span><span class="p">);</span> </code></pre> </div> <p>Execution Result<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>semgrep <span class="nt">--config</span> dom-based-xss.yaml dom-based-xss.js Scanning 1 file. Findings: dom-based-xss.js dom-based-xss dom-xss 10┆ document.write<span class="o">(</span><span class="s2">"unsafe"</span> + qs<span class="o">)</span><span class="p">;</span> ⋮┆---------------------------------------- 11┆ document.writeln<span class="o">(</span><span class="s2">"unsafe"</span> + <span class="nb">hash</span><span class="o">)</span><span class="p">;</span> ⋮┆---------------------------------------- 14┆ <span class="si">$(</span><span class="s2">"div.test"</span><span class="si">)</span>.html<span class="o">(</span>query<span class="o">)</span><span class="p">;</span> ⋮┆---------------------------------------- 18┆ e1.innerHTML <span class="o">=</span> url<span class="p">;</span> ⋮┆---------------------------------------- 21┆ location.href <span class="o">=</span> qs<span class="p">;</span> ⋮┆---------------------------------------- 26┆ document.write<span class="o">(</span>arr.join<span class="o">(</span><span class="s1">' '</span><span class="o">))</span><span class="p">;</span> Ran 1 rule on 1 file: 6 findings. </code></pre> </div> <h2> Extract javascript embedded in other languages </h2> <p>By default Semgrep does not scan javascript embedded in HTML.</p> <p>Consider the following test code</p> <p>dom-based-xss.html<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;html&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">const</span> <span class="nx">qs</span> <span class="o">=</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">search</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">hash</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">hash</span><span class="p">;</span> <span class="c1">// ok</span> <span class="nb">document</span><span class="p">.</span><span class="nx">write</span><span class="p">(</span><span class="dl">"</span><span class="s2">&lt;p&gt;ok&lt;/p&gt;</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// unsafe</span> <span class="nb">document</span><span class="p">.</span><span class="nx">write</span><span class="p">(</span><span class="dl">"</span><span class="s2">unsafe</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">qs</span><span class="p">);</span> <span class="nb">document</span><span class="p">.</span><span class="nx">writeln</span><span class="p">(</span><span class="dl">"</span><span class="s2">unsafe</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">hash</span><span class="p">);</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <p>Let's run the rule we just created on this test code.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>semgrep <span class="nt">--config</span> dom-based-xss.yaml dom-based-xss.html Nothing to scan. Ran 1 rule on 0 files: 0 findings. </code></pre> </div> <p>It could not detect it.</p> <p>If you want to detect another language embedded within one such language, you must use the <code>extract</code> mode.</p> <h3> Extract from HTML </h3> <p>The rules for extracting javascript from HTML are as follows</p> <p>extract-html-to-javascript.yaml<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">extract-html-to-javascript</span> <span class="na">mode</span><span class="pi">:</span> <span class="s">extract</span> <span class="na">languages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">html</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s">&lt;script&gt;$...SCRIPT&lt;/script&gt;</span> <span class="na">extract</span><span class="pi">:</span> <span class="s">$...SCRIPT</span> <span class="na">dest-language</span><span class="pi">:</span> <span class="s">javascript</span> </code></pre> </div> <p>Extract mode requires the following five settings.</p> <ul> <li>mode: extract</li> <li>languages</li> <li>pattern</li> <li>extract</li> <li>dest-language </li> </ul> <p>This rule allows us to detect javascript in HTML.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>semgrep <span class="nt">--config</span> dom-based-xss.yaml <span class="nt">--config</span> extract-html-to-javascript.yaml dom-based-xss.html Scanning 1 file. Findings: dom-based-xss.html dom-based-xss dom-xss 11┆ document.write<span class="o">(</span><span class="s2">"unsafe"</span> + qs<span class="o">)</span><span class="p">;</span> ⋮┆---------------------------------------- 12┆ document.writeln<span class="o">(</span><span class="s2">"unsafe"</span> + <span class="nb">hash</span><span class="o">)</span><span class="p">;</span> Ran 2 rules on 1 file: 2 findings. </code></pre> </div> <ul> <li>Note, the extract rule must be set "after" the normal rule; if the extract rule is set "before" it cannot be detected. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>semgrep <span class="nt">--config</span> extract-html-to-javascript.yaml <span class="nt">--config</span> dom-based-xss.yaml dom-based-x ss.html Scanning 1 file. Ran 2 rules on 1 file: 0 findings. </code></pre> </div> <h3> Extract from ERB </h3> <p>In addition, here is a rule to extract from ERBs used in Ruby on Rails.</p> <p>extract-erb-to-javascript.yaml<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">id</span><span class="pi">:</span> <span class="s">extract-erb-to-javascript</span> <span class="na">mode</span><span class="pi">:</span> <span class="s">extract</span> <span class="na">languages</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">generic</span> <span class="na">options</span><span class="pi">:</span> <span class="na">generic_ellipsis_max_span</span><span class="pi">:</span> <span class="m">500</span> <span class="na">pattern</span><span class="pi">:</span> <span class="s">...&lt;script&gt;$...SCRIPT&lt;/script&gt;</span> <span class="na">extract</span><span class="pi">:</span> <span class="s">$...SCRIPT</span> <span class="na">dest-language</span><span class="pi">:</span> <span class="s">javascript</span> <span class="na">paths</span><span class="pi">:</span> <span class="na">include</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">*.erb"</span> </code></pre> </div> <p>There are two points to note</p> <p>Point 1:<br> Use <code>generic</code> because ERB is not a supported langage, and targets files with the extension <code>.erb</code>.</p> <p>Point 2:<br> <code>generic</code> omits the 11th line of extracted text by default. Therefore, if the body of a <code>&lt;script&gt;</code> tag exceeds 10 lines, it will not be extracted correctly. Therefore, the option <code>generic_ellipsis_max_span</code> is set to allow extraction of up to 100 lines. (Please adjust the value since it affects performance.)</p> <h2> Conclusion </h2> <p>Through the process of creating rules to detect DOM-Based XSS in Semgrep, the following features were introduced</p> <ul> <li>taint mode <ul> <li>source</li> <li>sink</li> <li>propagator</li> <li>sanitizer</li> </ul> </li> <li>extract mode <ul> <li>pattern</li> <li>extract</li> <li>dest-language</li> </ul> </li> <li>option <ul> <li>generic_ellipsis_max_span</li> </ul> </li> </ul> <p>Use it as a reference when creating your own rules.</p> <p>The rules and test code created for this tutorial have been placed on GitHub.<br> <a href="https://github.com/takutoy/my-semgrep-rules/tree/master/javascript/browser/security">https://github.com/takutoy/my-semgrep-rules/tree/master/javascript/browser/security</a></p> <p>Trial and Error Records (in Japanese)<br> <a href="https://zenn.dev/takutoy/scraps/6c0f9c20bf1d86">https://zenn.dev/takutoy/scraps/6c0f9c20bf1d86</a></p> security semgrep tutorial sast