Cross-Site Scripting vulnerability with JavaScript and JQuery

Think you’ve protected your site against Cross-Site Scripting attacks by escaping all the content that you’ve rendered? Thought about your JavaScript?

Here’s a neat bug that got us today. This example is contrived to show a point.

<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>XSS Example</title>
  <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.min.js"></script>
  <script>
    $(function() {
      $('#users').each(function() {
        var select = $(this);
        var option = select.children('option').first();
        // option.text() returns the decoded label; after() parses a string as HTML
        select.after(option.text());
        select.hide();
      });
    });
  </script>
</head>
<body>
  <form method="post">
    <p>
      <select id="users" name="users">
        <option value="bad">&lt;script&gt;alert(&#x27;xss&#x27;);&lt;/script&gt;</option>
      </select>
    </p>
  </form>
</body>
</html>

See the problem? Don’t worry, neither did the pair that worked on the JavaScript. But our QA showed us a neat little alert box!

It looks like the jQuery text() method returns the decoded, unescaped payload of the option, and the after() method then parses that string as HTML and creates a nice little script tag. Nasty stuff.

How did we deal with the problem? This was our immediate fix:

// after() accepts a DOM node, so let's create a text node; a text node is never parsed as HTML
select.after(document.createTextNode(option.text()));

Longer term fix – still open to suggestions.
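The following is an added example, not code from the original post or from watchitlater.com. It shows the two defender-side patterns behind the fix above: inserting untrusted text as a DOM text node (which the HTML parser never sees), and escaping text when a string of HTML really is required. The function names, the tiny DOM stand-in used so the demo runs outside a browser, and the sample label are all assumptions made for the example; no jQuery is involved.

```javascript
// Added example (not from the original post). Demonstrates safe rendering of
// untrusted text such as an <option> label:
//   (a) DOM text nodes, which are inserted verbatim and never parsed as markup;
//   (b) an HTML escaper for the cases where building an HTML string is unavoidable.

// (a) Insert untrusted text after an element as a text node.
// Same idea as the post's fix: select.after(document.createTextNode(option.text())).
function appendTextAfter(element, untrustedText) {
  const doc = element.ownerDocument;
  const node = doc.createTextNode(untrustedText); // no HTML parsing happens here
  element.parentNode.insertBefore(node, element.nextSibling);
  return node;
}

// (b) Escape the five characters that carry meaning in HTML text and attribute
// contexts. Produces the same entities the page's server-side escaping used
// (&lt; &gt; &#x27; ...), so the browser shows the characters instead of parsing them.
function escapeHtml(s) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
  };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build a label as an HTML string only when some templating path demands a
// string; the untrusted part is escaped before it is concatenated.
function safeLabelHtml(untrustedText) {
  return '<span class="selected-user">' + escapeHtml(untrustedText) + '</span>';
}

// Constructed sample: what option.text() hands back after the browser decodes
// the entities in the page. This decoded string is what reached after().
const SAMPLE_OPTION_TEXT = "<script>alert('xss');</script>";

// Runs the text-node path against a minimal stand-in for the DOM objects the
// function touches (a real browser supplies these; the stub only lets the demo
// run offline) and returns the observable results.
function demo() {
  const inserted = [];
  const fakeDoc = { createTextNode: (t) => ({ nodeType: 3, data: t }) };
  const select = {
    ownerDocument: fakeDoc,
    nextSibling: null,
    parentNode: {
      insertBefore: (node, ref) => { inserted.push({ node, ref }); return node; },
    },
  };
  const node = appendTextAfter(select, SAMPLE_OPTION_TEXT);
  return {
    textNodeData: node.data,          // still the raw characters, held as data, not markup
    insertedCount: inserted.length,   // exactly one node was inserted
    html: safeLabelHtml(SAMPLE_OPTION_TEXT),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

In a browser the same rule applies to every jQuery method that accepts a string (after(), before(), append(), html()): a string is treated as HTML, so either hand these methods a node built with document.createTextNode / textContent, or escape the text first.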

[Source] watchitlater.com


[Note] This material is provided for research and study purposes only; responsibility for any malicious use lies with the user.

Cross-Site Scripting vulnerability with JavaScript and JQuery  (0) 2011.10.18
Posted by 작은여우 bitfox