8

I was looking at this website and trying to understand how this XSS is possible, but I just can't figure it out. Here's the URL: http://www.domxss.com/domxss/01_Basics/05_jquery_html.html?681973661

<script src="../js/jquery-1.9.1.js"></script>
<script>
function setMessage(){
    // source 1: the URL fragment, attacker-controlled, flows into a selector
    var t=location.hash.slice(1);
    // source 2: window.name, attacker-controlled, flows into .html() (an HTML sink)
    $("div[id="+t+"]").html("Message from the name "+window.name);
}
$(document).ready(setMessage);
</script>
<span>
    <a href="#message">Show Here</a>
    <div id="message">Showing Message1</div>
</span>
<span>
    <a href="#message1">Show Here</a>
    <div id="message1">Showing Message2</div>
</span>
Rob W
Michael Blake

2 Answers

12

This page is taking input from an untrusted source, and directly outputs it in the browser as HTML.

In this case, the untrusted source is window.name. To the inexperienced programmer, this may seem harmless, but in reality, it can be set to any arbitrary value, because it's derived from the name of the frame:

<iframe
    src="http://www.domxss.com/domxss/01_Basics/05_jquery_html.html?681973661#message"
    name="<script>alert(0)</script>"
></iframe>

In the code you've given, there's another glaring hole: The selector is also taken from an untrusted source (the URL), which allows attackers to output the HTML in whatever place they desire. This doesn't need to be a frame, just visit the following URL:

http://www.domxss.com/domxss/01_Basics/05_jquery_html.html?681973661#whatever],body,[whatever

t is set to "whatever],body,[whatever" (from location.hash), and is used to construct a jQuery selector ("div[id="+t+"]"). Together, it results in a selector that selects (e.g.) the <body> element:

"div[id=whatever],body,[whatever]"

Though not as harmful as window.name, it might be worth fixing.

Rob W

Comments:
  • Also, is this possible without using an iFrame? – Michael Blake Dec 26 '13 at 20:42
  • @MichaelBlake `window.name` can also be set via the second argument of `window.open`. Since frames can be hidden, it's unlikely that `window.open(url, name)` will be used for such an attack. Furthermore, Chrome seems to clear `window.name` with `window.open`. – Rob W Dec 26 '13 at 22:58
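The answer above identifies two sinks in the page's setMessage(): the fragment is concatenated into a jQuery selector, and window.name is written with .html(). The following is an added example (not code from the original question, the answer, or the domxss.com site) showing how a defender would close both: the fragment is matched against an allow-list of the element ids the page actually has (the two divs "message" and "message1", assumed here as the allow-list), and the message is written as text rather than markup. The pure functions run under Node; the browser wiring at the bottom only executes when a DOM exists.

```javascript
// Added example: hardened replacement for the page's setMessage() logic.
// Fixes two defects from the original snippet:
//   1. location.hash interpolated into a jQuery selector -> selector injection
//   2. window.name written with .html()                  -> HTML injection

// Assumed allow-list: the only ids the page ever needs to address.
const ALLOWED_TARGETS = new Set(["message", "message1"]);

// Map the fragment to a known element id, or null for anything else.
// "#whatever],body,[whatever" is rejected outright rather than escaped,
// because a fixed set of ids never needs a dynamic selector at all.
function targetIdFromHash(hash) {
  const raw = typeof hash === "string" && hash.startsWith("#") ? hash.slice(1) : "";
  return ALLOWED_TARGETS.has(raw) ? raw : null;
}

// Escape the characters that matter in an HTML text context. Writing via
// textContent makes this unnecessary; it is provided for code paths that
// still build markup by string concatenation.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Compute the safe update as plain data: which element to touch, the text to
// put there, and an escaped form for callers that must use innerHTML.
// Returns null when the hash does not name an allowed target.
function safeMessageUpdate(hash, windowName) {
  const id = targetIdFromHash(hash);
  if (id === null) return null;
  const text = "Message from the name " + String(windowName);
  return { id, text, html: escapeHtml(text) };
}

// Browser wiring (skipped under Node). The element is looked up by id, so the
// fragment never reaches a selector string; the message is assigned with
// textContent, so window.name is never parsed as markup.
function setMessageSafely() {
  const update = safeMessageUpdate(location.hash, window.name);
  if (update === null) return;
  const el = document.getElementById(update.id);
  if (el) el.textContent = update.text;
}
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", setMessageSafely);
}
```

The allow-list approach is preferable to escaping the fragment for use inside a selector: jQuery's attribute-selector quoting rules are easy to get subtly wrong, whereas document.getElementById() takes the id as an opaque string and cannot be steered to a different element.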
1

In addition to the attack vectors described in the first answer, an attacker could set

window.name="<script>alert(1)</script>";

on their malicious webpage and redirect the victim to your webpage. Because window.name persists across page loads, this would also be an XSS attack vector.

winhowes