Cross-Site Scripting vulnerability with JavaScript and JQuery

Think you’ve protected your site against Cross-Site scripting attacks by escaping all the content that you’ve rendered? Thought about your javascript?

Here’s a neat bug that got us today. This example is contrived to show a point.

<!DOCTYPE html> 
<html> 
<head> 
  <meta charset="utf-8"> 
  <title>XSS Example</title> 
  <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.min.js"></script
  <script> 
    $(function() {  
      $('#users').each(function() {  
        var select = $(this);  
        var option = select.children('option').first();  
        select.after(option.text());  
        select.hide();  
      });  
    });  
  </script> 
</head> 
<body> 
  <form method="post"> 
    <p> 
      <select id="users" name="users"> 
        <option value="bad">&lt;script&gt;alert(&#x27;xss&#x27;);&lt;/script&gt;</option> 
      </select> 
    </p> 
  </form> 
</body> 
</html> 
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>XSS Example</title>
  <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.4/jquery.min.js"></script>
  <script>
    $(function() {
      $('#users').each(function() {
        var select = $(this);
        var option = select.children('option').first();
        select.after(option.text());
        select.hide();
      });
    });
  </script>
</head>
<body>
  <form method="post">
    <p>
      <select id="users" name="users">
        <option value="bad">&lt;script&gt;alert(&#x27;xss&#x27;);&lt;/script&gt;</option>
      </select>
    </p>
  </form>
</body>
</html>

See the problem? Don’t worry, neither did the pair that worked on the javascript. But our QA showed us a neat little alert box!

It looks like the JQuery text() method returns the unescaped payload of the option, and the after() method then creates a nice little script tag. Nasty stuff.

How did we deal with the problem? This was our immediate fix:

// after() accepts a DOM element so lets create a text node  
select.after(document.createTextNode(option.text())); 

Longer term fix – still open to suggestions.

[출처] watchitlater.com


[주의] 본 자료는 연구용 및 학습 자료로 사용하길 바라며, 악의적인 사용시 사용자 본인에게 책임이 있음을 명시합니다.

'위험한_친구들 > 십자군_XSS' 카테고리의 다른 글

XSS: Cross-site Scripting  (0) 2011.10.11
XSS in hidden field  (0) 2011.10.11
CRLF Injection  (0) 2011.09.28
Clickjacking for Shells  (0) 2011.09.22
XSS in Skype for iOS  (0) 2011.09.21
Posted by bitfox
l