Can you spot the vulnerability? #16022023 — Intigriti

Prasanth Bodepu
Published in InfoSec Write-ups
Mar 8, 2023 · 3 min read

Given code snippet, with review comments added inline:

easy-eval.js

if (window.debug) {
  // window.debug is never defined by any script: it resolves through named access on
  // the window object, so any element with id="debug" injected into the page satisfies this check.
  eval(window.debug.toString());
  // toString() on a generic element returns "[object HTMLDivElement]" and similar; only <a> and
  // <area> elements override it to return their href, so those are the tags an attacker can use here.
}

easy-xss.js

const pos = document.URL.indexOf('name=') + 5; // user input: everything after "name=" in the URL
const name = document.URL.substring(pos, document.URL.length); // hand-rolled query-string parsing, no delimiter handling
const container = document.getElementById('container');
container.innerHTML = decodeURI(name); // decoded and written as HTML with no sanitization

index.html

<!-- script-src 'self' carries no 'unsafe-inline', so inline <script> blocks and event handlers do not
     run; scripts must be loaded from the page's own origin. 'unsafe-eval' re-enables eval(). -->
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-eval'">
<div id="container"></div>
<script src="easy-eval.js"></script>
<script src="easy-xss.js"></script>

The Vulnerability

User input from the 'name' parameter is written straight into 'innerHTML', so the browser parses it as HTML: passing '<h1>asdf</h1>' renders 'asdf' as a large heading, which confirms that injected tags are interpreted as markup rather than displayed as text.
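The parameter handling of easy-xss.js next to a hardened version, as an added example that is not part of the challenge code. Both functions take the page URL as a string so they run under Node.js, whereas the challenge reads document.URL and writes into a DOM element; the URLs used below are constructed for the example.

```javascript
// Added example: vulnerable parse from easy-xss.js beside a hardened version.
// Assumption: plain Node.js, so the page URL is passed in as a string and the
// "container" is a plain object standing in for the DOM element.

// Original behaviour: everything after the first "name=" is taken and decoded, then
// (in the challenge) handed to innerHTML, so any tags in it are parsed as HTML.
// With no "name=" at all, indexOf() returns -1 and the slice starts at index 4.
function vulnerableName(url) {
  const pos = url.indexOf('name=') + 5;
  return decodeURI(url.substring(pos, url.length));
}

// Hardened: let the URL parser split the query, so only the value of `name` is
// returned (other parameters are not swallowed) and a missing parameter yields ''.
function safeName(url) {
  return new URL(url).searchParams.get('name') ?? '';
}

// textContent never parses markup, whereas innerHTML does. Returns the text
// the browser would display; a stand-in object is used when no element is passed.
function renderSafely(url, container = {}) {
  container.textContent = safeName(url);
  return container.textContent;
}
```

The first assertion worth checking is that vulnerableName() also returns trailing parameters, while safeName() stops at the value of name and returns an empty string when the parameter is absent.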

Exploitation

Here the application's Content Security Policy is not enough to stop execution of arbitrary JavaScript.

Two things work in the attacker's favour. First, markup inserted through innerHTML is parsed, but <script> elements inserted that way never execute, and easy-eval.js has already run by the time the injection lands, so an injected <a id=debug> on its own does nothing. An <iframe srcdoc="..."> gets around this: the srcdoc document is same-origin with the page that embeds it (it inherits the parent's origin and its CSP), so frame-src, which falls back to default-src 'self', allows the frame, and a <script src=easy-eval.js> inside it resolves against the same origin and is permitted by script-src 'self'. That script is parsed as part of a fresh document, so it runs, this time with the attacker's element already present. Second, 'unsafe-eval' lets the eval() call in that script execute whatever string it is handed.

Payload


http://127.0.0.1:8000/?name=<iframe srcdoc="<a id=debug href=pb:alert(document.domain)><script src=easy-eval.js></script>">

The srcdoc document contains an <a> element with id=debug, so inside the frame window.debug is that element and the if statement in easy-eval.js passes. Its href is pb:alert(document.domain); toString() on an anchor returns its href, so eval() receives the string pb:alert(document.domain). The scheme pb must be a non-existent one: the URL parser keeps such an href as written, and once inside eval() the leading pb: is parsed as a JavaScript label, so alert(document.domain) executes. A scheme whose serialized form contains // (http://, ftp://) would not work, because in JavaScript // starts a line comment, so the rest of the payload is commented out and never runs.

Loading easy-eval.js again inside the srcdoc document, after the anchor, re-runs the script in a document where window.debug now exists, so the eval() call fires.
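Why the href scheme matters once eval(window.debug.toString()) runs, as an added example that is not part of the challenge or the write-up. In the browser, toString() on an <a> element returns its serialized href; here the candidate href strings are constructed by hand and passed to eval() under Node.js, with stand-in alert() and document objects in place of the browser's. The example generalizes the page's point slightly: any scheme whose href survives serialization without // works, because the scheme name is parsed as a JavaScript label.

```javascript
// Added example: eval() behaviour for the href strings easy-eval.js would receive.
// Assumption: Node.js with no DOM, so alert() and document are stand-ins.
const calls = [];                              // records every alert() argument
const document = { domain: '127.0.0.1' };      // stand-in for the browser's document
function alert(msg) { calls.push(String(msg)); }

// Feed one candidate href string to eval() the way easy-eval.js does.
// Returns whether alert() fired, what it was called with, and the parser
// error name if eval() rejected the string outright.
function evalHref(href) {
  calls.length = 0;
  try {
    eval(href);                                // direct eval: sees the local alert/document above
    return { fired: calls.length > 0, calls: calls.slice(), error: null };
  } catch (e) {
    return { fired: false, calls: [], error: e.name };
  }
}

// The URL parser leaves hrefs with a non-special scheme (pb:, javascript:) as written,
// so the string reaching eval() is exactly the attacker's payload. A special scheme such
// as http: is serialized with // after the scheme, which eval() then reads as a comment.
function serializeHref(href) {
  return new URL(href).href;
}

// pb: is a label, so the statement after it runs.
console.log(evalHref('pb:alert(document.domain)'));
// http: is a label too, but everything after // is a comment and the label has no
// statement to attach to, so eval() throws a SyntaxError and nothing executes.
console.log(evalHref('http://alert(document.domain)/'));
```

The http case fails before anything runs: a label must be followed by a statement, and the line comment consumes the rest of the input.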

XSS

Paweł Wąsik and I worked together to understand and identify the JS code and the vulnerability, respectively. This challenge was quite interesting, and we were able to gain new knowledge from it.

Thanks to Richard for providing an excellent explanation that greatly contributed to our understanding of the subject.

Refer to this thread for a better understanding:

https://twitter.com/h43z/status/1626237041787940867?s=20

Connect with us on Twitter: Prashanth, Pawel
