Professional Documents
Culture Documents
Jquery and XSS Issue PDF
Jquery and XSS Issue PDF
02 OCT 2014
So lets break things down and prevent this bug from coming up
again!
The Attack
A casual reader reported the attack. It seems they could append
some seemingly arbitrary text to a visible URL and cause the page
to trigger an alert. Digging deeper, they also pointed out that a
similar attack could redirect the page to any URL they wanted.
onerror=window.location.replace('http://facebook.com')
would force the browser to automatically redirect to Facebook.
The attack itself, though, goes much deeper and has much more
nefarious implications. Essentially, this vulnerability allows an
attacker to execute any arbitrary JavaScript they want, from the
users own context. An alert or redirect to Facebook is trivial
POSTing the current users cookies to a 3rd-party site, though, is
not.
The Cause
It turns out, a 4-line script on the page was at fault. Some fancy tab
On the surface, this looks just fine. Until, that is, you remember
what jQuery does behind the scenes with selectors. First, jQuery
will attempt to parse the selector as a selector the intended use
case. If the selector fails to validate, jQuery assumes the string
passed in is instead a block of HTML, and subsequently attempts
to parse it.
The Solution
Instead of jQuery, the selector should be parsed using native DOM
methods. document.querySelectorAll() serves the same
purpose here. Unlike jQuery, it throws a syntax exception if you
attempt to pass the broken image tag used in the attack an
exception that is easily caught and discarded.
The original site hosting the vulnerable code has been patched,
and everyone involved learned a helpful lesson 3 about their code:
never trust any form of user input, even if its coming from an
allegedly trustworthy source. Referencing properties on the global
window object feels safe because its not coming directly from the
user; just always keep in mind where the values in those
properties come from.
Notes:
Share this:
Comments
Dave says
October 3, 2014 at 8:42 am
I agree with the general point tho. Its a bad idea to send raw
unfiltered URL or user input into JavaScript APIs, you dont know
where its been. jQuery cant fix the general case because its a
feature to inject HTML via the jQuery API. Its only a bug when
you let untrusted data inject HTML.
Reply
Eric says
October 3, 2014 at 10:08 am
Ill have to dig a bit more into why exactly jQuery was behaving
this way, but I can confirm that v1.11.1 was running on the
affected site.
Reply
Eric says
October 3, 2014 at 10:33 am
I just did a quick spot test. It appears that jQuery 1.9 does not
exhibit this behavior (indicating that the bug was, in fact, fixed).
But jQuery 1.11.1 does. I verified against 3 different sites in
production, and one completely clean testbed.
Reply
Dave says
October 3, 2014 at 10:55 am
If youre using the jquery-migrate plugin it would put back the hole
because otherwise selectors and HTML interpretation work
differently and break many older pages.
Reply
Eric says
October 3, 2014 at 11:18 am
Nice catch. The common element among these sites was the
jquery-migrate plugin. I wonder if its worth fixing the issue in the
plugin, or if we should just focus instead on not needing the plugin
in the first place (I lean towards the latter option).
Reply
Matt Brundage says
December 17, 2014 at 5:52 pm
Dave, I believe that the selector injection issue was fixed in jQuery
1.9, not 1,7, as the following upgrade guide suggests:
http://jquery.com/upgrade-guide/1.9/
Reply
Reply
Reply
Eric says
January 23, 2015 at 9:36 am
Yep. Though of note, the newer version of jQuery are much safer
in terms of not being a sink (they do some sanitization early to
prevent these kinds of errors). But certain features of jQuery
Migrate reintroduce the issue.
Reply
Leave a Reply
"
&