Summary
A potential mXSS vulnerability exists in Qwik for versions up to 1.6.0.
Details
Qwik improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
https://github.com/QwikDev/qwik/blob/v1.5.5/packages/qwik/src/core/render/ssr/render-ssr.ts#L1182-L1208
- If the string is an attribute value:
" -> "& -> &- Other characters -> No conversion
- Otherwise:
< -> <> -> >& -> &- Other characters -> No conversion
It sometimes causes the situation that the final DOM tree rendered on browsers is different from what Qwik expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS).
PoC
A vulnerable component:
import { component$ } from "@builder.io/qwik";
import { useLocation } from "@builder.io/qwik-city";
export default component$(() => {
// user input
const { url } = useLocation();
const href = url.searchParams.get("href") ?? "https://example.com";
return (
<div>
<noscript>
<a href={href}>test</a>
</noscript>
</div>
);
});If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then, alert(123) will be executed.
Impact
XSS
Summary
A potential mXSS vulnerability exists in Qwik for versions up to 1.6.0.
Details
Qwik improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
https://github.com/QwikDev/qwik/blob/v1.5.5/packages/qwik/src/core/render/ssr/render-ssr.ts#L1182-L1208
"->"&->&<-><>->>&->&It sometimes causes the situation that the final DOM tree rendered on browsers is different from what Qwik expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS).
PoC
A vulnerable component:
If a user accesses the following URL,
then,
alert(123)will be executed.Impact
XSS