
Stored XSS #17

Closed
grkek opened this issue Apr 2, 2020 · 6 comments

Comments

@grkek

grkek commented Apr 2, 2020

The source code renders directly to the DOM without filtering, which leads to a possible XSS attack vector via forged documents.

POC - Corrupted image which fails to load directly executes some stored JavaScript code.

Even if the online compiler doesn't contain user information one could still use the available attack vector for something malicious.

For testing purposes this list can be used; 90% of it will work since the DOM is rendered directly.

Cheers.

@jhass
Owner

jhass commented Apr 2, 2020

> something malicious

That's too vague for me. Do you have any examples that can cause real damage in a modern browser?

@grkek
Author

grkek commented Apr 2, 2020

> > something malicious
>
> That's too vague for me. Do you have any examples that can cause real damage in a modern browser?

It can definitely misguide you; it can even be used as a phishing webpage. You can alter the DOM with document.write as you want: for example, this redirects you to somewhere else, this alters the DOM by using the document.write function. All of these can be used to trick the users into something worse, for example providing GitHub authorization details, providing credit card details, downloading malicious binaries, etc. Since it is hosted on the secure play.crystal-lang.org webpage, people trust that little padlock in the top left corner and fall for the attack. If all of that doesn't concern you, then it is still a stored XSS vulnerability which must be fixed since it impales the social status of the online compiler.

@grkek
Author

grkek commented Apr 2, 2020

> > > something malicious
> >
> > That's too vague for me. Do you have any examples that can cause real damage in a modern browser?
>
> It can definitely misguide you; it can even be used as a phishing webpage. You can alter the DOM with document.write as you want: for example, this redirects you to somewhere else, this alters the DOM by using the document.write function. All of these can be used to trick the users into something worse, for example providing GitHub authorization details, providing credit card details, downloading malicious binaries, etc. Since it is hosted on the secure play.crystal-lang.org webpage, people trust that little padlock in the top left corner and fall for the attack. If all of that doesn't concern you, then it is still a stored XSS vulnerability which must be fixed since it impales the social status of the online compiler.

So far I haven't seen a proper XSS filter for Crystal. I would recommend moving the web server into a local service which would be accessed by something like an Express.js instance, which would have the proper XSS checks present in the code.

@jhass jhass closed this as completed in 0e45dc7 Apr 2, 2020
@jhass
Owner

jhass commented Apr 2, 2020

It was a pure frontend code issue :)

> So far I haven't seen a proper XSS filter for Crystal

Regardless, we've got HTML.escape. You can follow the discussions in crystal-lang/crystal#5012, crystal-lang/crystal#4555, crystal-lang/crystal#3233 and crystal-lang/crystal#2175 for the rationales that led us there.
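Since jhass describes the fix as a frontend issue and points at HTML.escape, here is an added example (not code from the playground or the Crystal standard library) of the two frontend patterns involved: escaping untrusted compiler output before it is concatenated into markup, and the simpler alternative of assigning it via textContent so no markup is parsed at all. The sample output string and the showOutput helper are constructed for illustration.

```javascript
// Characters that can break out of HTML text or attribute context. Escaping
// these five is what an HTML escaper such as Crystal's HTML.escape is for.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape untrusted text so the browser treats it as data, not markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the untrusted output is interpolated straight into a
// markup string that is later assigned to innerHTML, so any tag inside the
// output is parsed and, for an <img onerror=...>, executed.
function renderOutputUnsafe(output) {
  return `<pre class="output">${output}</pre>`;
}

// Hardened pattern: same markup, but the untrusted part is escaped first.
function renderOutputSafe(output) {
  return `<pre class="output">${escapeHtml(output)}</pre>`;
}

// Preferred when no markup is needed at all: textContent never parses HTML,
// so there is nothing to escape. `el` is any DOM element (or a stand-in
// object in a test); this helper is hypothetical, not playground code.
function showOutput(el, output) {
  el.textContent = output;
}

// Constructed sample of "compiler output" carrying the broken-image trick
// described in the report above (a made-up payload, not one from the issue).
const SAMPLE_OUTPUT = 'Error: <img src="x" onerror="alert(1)"> not found';

// Defender's check: does rendered markup still contain a tag that came from
// the untrusted input? Strips the known wrapper first, then looks for "<".
function leaksMarkup(rendered) {
  const inner = rendered.replace(/^<pre class="output">/, "").replace(/<\/pre>$/, "");
  return /</.test(inner);
}
```

leaksMarkup(renderOutputUnsafe(SAMPLE_OUTPUT)) is true and leaksMarkup(renderOutputSafe(SAMPLE_OUTPUT)) is false, which is the regression check worth keeping next to whatever renders the output.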

@grkek
Author

grkek commented Apr 3, 2020

> It was a pure frontend code issue :)
>
> > So far I haven't seen a proper XSS filter for Crystal
>
> Regardless, we've got HTML.escape. You can follow the discussions in crystal-lang/crystal#5012, crystal-lang/crystal#4555, crystal-lang/crystal#3233 and crystal-lang/crystal#2175 for the rationales that led us there.

I wonder if you deployed it, since there still is the very same issue.

@jhass
Owner

jhass commented Apr 3, 2020

You'll need to hard refresh unfortunately, caching and all.
