
Add "classic" DOM-based XSS #217

Closed
bkimminich opened this issue Oct 11, 2016 · 8 comments
Comments

@bkimminich
Member

bkimminich commented Oct 11, 2016

Current XSS Tier 1 also submits the attacked parameter to the server, so it might be confused with reflected XSS. Having a "classic" client-only DOM-based XSS vulnerability would be nice.

see https://github.com/eoftedal/writings/blob/master/published/owasp_top_10_for_js_-_xss.md


@bkimminich bkimminich modified the milestone: Challenge Pack 2017 Jan 24, 2017
@nunoloureiro

Implement, for instance, client-side sorting.

  • In the URL have something like #sort=x
  • In the page, show sorted by (value read from the URL)

@bkimminich
Member Author

Possible resource(s) on implementation:

@bkimminich
Member Author

bkimminich commented Dec 19, 2017

Question to the XSS pros out there: Can you exploit by injecting into gitHubRibbon

if ($location.search().gitHubRibbon) {
  $rootScope.gitHubRibbon = $location.search().gitHubRibbon
}

when it's later used as follows in the middle of the src attribute:

<a ng-show="gitHubRibbon" href="/redirect?to=https://github.com/bkimminich/juice-shop"><img style="position: absolute; top: 0; right: 0; border: 0;" src="/public/images/ribbons/forkme_right_{{gitHubRibbon}}.png" alt="Fork me on GitHub"></a>

My naive attack attempt gitHubRibbon="><script>alert(xss)</script><!-- did not work.

ℹ️ Please note: I do not want to wrap it into something like $sce.trustAsHtml() to make it artificially easy!
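Added example, not Juice Shop's code and not posted by either commenter: the #sort=x design suggested earlier in the thread, written as a URL-fragment reader with the unsafe innerHTML-bound rendering path next to two hardened versions (context escaping and an allowlist). All function names and the SORT_KEYS list are assumptions. It also speaks to the gitHubRibbon question: the render functions return the string that would reach the sink, which makes the difference between a sink that parses markup and one that does not visible as a plain value.

```javascript
// Added example (not Juice Shop code): client-side "sorted by" widget that reads
// its value from the URL fragment, modelled as pure functions so it runs in Node
// without a DOM. Each render function returns the markup that would be handed
// to the sink; in a browser the unsafe variant would be assigned to innerHTML.

// Parse "#sort=x" (or "#a=1&sort=x") from a location.hash-style string.
// Returns null when no sort parameter is present.
function parseSortFromHash(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  return params.get("sort");
}

// HTML text-context escaping: the five characters that can open a tag,
// terminate an attribute value or start an entity become entities.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// UNSAFE sink: the fragment value is concatenated straight into markup that is
// destined for innerHTML, so any tag in the fragment becomes part of the DOM.
// This is the "classic" client-only DOM-based XSS shape the issue asks for.
function renderSortedByUnsafe(hash) {
  const sort = parseSortFromHash(hash) || "relevance";
  return `<p>Sorted by: ${sort}</p>`;
}

// Fix 1: encode for the context the value lands in (here, HTML text).
// Same output as the unsafe variant for ordinary values; markup stays literal.
function renderSortedByEscaped(hash) {
  const sort = parseSortFromHash(hash) || "relevance";
  return `<p>Sorted by: ${escapeHtml(sort)}</p>`;
}

// Fix 2, preferred when the valid values are a fixed vocabulary: allowlist.
// Anything outside the list falls back to the default instead of being rendered.
const SORT_KEYS = ["relevance", "name", "price"]; // constructed list (assumption)
function renderSortedByAllowlisted(hash) {
  const requested = parseSortFromHash(hash);
  const sort = SORT_KEYS.includes(requested) ? requested : "relevance";
  return `<p>Sorted by: ${sort}</p>`;
}

// Stand-alone demo of the three paths on a constructed fragment.
const demoHash = "#sort=<b>name</b>";
console.log(renderSortedByUnsafe(demoHash));
console.log(renderSortedByEscaped(demoHash));
console.log(renderSortedByAllowlisted(demoHash));
```

On the gitHubRibbon question: an AngularJS {{...}} interpolation inside an attribute is applied through a DOM attribute assignment, which stores the value as a string and never re-parses it as HTML, so a quote or closing angle bracket in the query value stays inside the src attribute value rather than ending the tag. The unsafe path above is different precisely because innerHTML does parse its input as markup; that is the distinction to keep in mind when picking the sink for the challenge.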

bkimminich added a commit that referenced this issue Dec 30, 2017
@CaptainFreak
Contributor

CaptainFreak commented Mar 26, 2018

Is what @nunoloureiro said implementable? Because we already have an anchor for the search route, i.e. /#/search. It would have been relevant if our routing was like /search#sort=x, and having two anchors is not possible as browsers use (#(.*))? for anchor parsing from the URL. I was thinking of implementing DOM XSS in the new order tracking functionality.

@bkimminich
Member Author

@CaptainFreak The new order tracking would be a perfect fresh place for this, I guess!

@bkimminich bkimminich changed the title Add another flavor of DOM-based XSS Add "classic" DOM-based XSS Apr 5, 2018
@CaptainFreak
Contributor

Are we still less of a DOM-based XSS? @bkimminich :)

@bkimminich bkimminich added wontfix and removed ready labels Apr 6, 2018
@stale stale bot removed the wontfix label Apr 6, 2018
@bkimminich
Member Author

Ok, not really ... :-)

@lock

lock bot commented Nov 4, 2019

This thread has been automatically locked because it has not had recent activity after it was closed. 🔒 Please open a new issue for regressions or related bugs.

@lock lock bot locked and limited conversation to collaborators Nov 4, 2019