7

The site Mustache-Security describes XSS vulnerabilities in KnockoutJS... The vulnerabilities come from the use of eval (or some equivalent) to convert text in the data-bind attribute to executable script. Most of the examples show attacks where malicious script could be executed if it is injected into a data-bind attribute.

Example (HTML/JavaScript/KnockoutJS):

<script src="http://knockoutjs.com/downloads/knockout-3.0.0.debug.js"></script>
<div data-bind="click: alert(1)"></div>
<div data-bind="value: alert(2)"></div>
<div data-bind="style: alert(3)"></div>
...
<select data-bind="options: alert(99)"></select>
<script> 
ko.applyBindings();
</script>

While I can reproduce the examples as they are defined, I normally avoid putting JavaScript in data-bind attributes when using KnockoutJS. I prefer to reference an observable property on a JavaScript object to separate the view's behavior from its layout. Using this approach, I find that the JavaScript is not executable.

Example (HTML/JavaScript/KnockoutJS):

<script src="http://knockoutjs.com/downloads/knockout-3.0.0.debug.js"></script>
<div data-bind="value: firstName"></div>
<script> 
var ViewModel = function() {
    this.firstName = ko.observable('alert(2)');
}

var vm = new ViewModel();
ko.applyBindings(vm); 
</script>

Is my application at risk of XSS solely because I have used KnockoutJS, or do I also have to find a way to put untrusted input into a data-bind attribute, using server side code?

Example (ASP.NET/HTML/JavaScript/KnockoutJS):

<div data-bind="value: <%=Request.QueryString("id")%>"></div>

I would think that if an attacker could inject their script in the page using JavaScript, then they can just as easily manipulate the DOM directly and KnockoutJS doesn't increase my risk of XSS.

Is there something else I'm missing? What else must I do to prevent the XSS vulnerabilities that the author describes?

scott stone
    Seems like you have a good understanding of the risks. Without rewriting applyBindings, just don't allow dynamic input into the data-bind attribute. Basically the same vulnerability as any user input, don't trust it. And if they're injecting content into your attributes, you're already compromised, they could rewrite any clientside security measure you put in place at that point. – Andrew Hoffman Jun 17 '14 at 20:10
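To make the difference between the question's two examples concrete, here is an added illustration in JavaScript (Node) that is neither Knockout's source nor code from the question. It uses a minimal stand-in for the way Knockout compiles the text of a data-bind attribute into a function, and then compares three ways of getting an untrusted value to a binding. Every name in it (evaluateBindings, observable, unwrap, makeGlobals, encodeHtmlAttribute, decodeHtmlAttribute, jsonForScriptBlock and the three bind* functions) is an assumption for this example, and the alert stub only counts calls.

```javascript
// Minimal observable: a function returning the stored value (stand-in for ko.observable).
function observable(initial) {
  let current = initial;
  return function () { return current; };
}

// ko.unwrap equivalent: read through an observable if given one, else return the value.
function unwrap(value) {
  return typeof value === 'function' ? value() : value;
}

// Stand-in for Knockout's binding parser (assumption: not Knockout's real code). Knockout
// compiles the attribute text into a function body and runs it with the view model in scope;
// new Function + with() reproduces that shape. Any JavaScript in bindingText is executed.
function evaluateBindings(bindingText, viewModel, globals) {
  const names = Object.keys(globals);
  const body = 'with ($data) { return { ' + bindingText + ' }; }';
  const compiled = new Function('$data', ...names, body);
  return compiled(viewModel, ...names.map((n) => globals[n]));
}

// Recording stand-in for window.alert so executions can be counted instead of displayed.
function makeGlobals() {
  const calls = [];
  return { calls, globals: { alert: (msg) => { calls.push(String(msg)); } } };
}

// Standard HTML attribute encoding: the correct control for ordinary attribute values.
function encodeHtmlAttribute(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// What the browser does before Knockout ever sees the attribute: it decodes the entities.
function decodeHtmlAttribute(text) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return text.replace(/&(amp|lt|gt|quot|#39);/g, (m, name) => map[name]);
}

// JSON literal safe to embed inside a <script> element: JSON.stringify handles quotes and
// backslashes; the extra escapes stop the value from closing the element or the literal.
function jsonForScriptBlock(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Case 1 (the questioner's preferred style): the attribute names a view-model property and
// the untrusted text lives in the observable. It comes back as data; nothing in it runs.
function bindThroughViewModel(untrusted) {
  const { calls, globals } = makeGlobals();
  const vm = { firstName: observable(untrusted) };
  const bindings = evaluateBindings('value: firstName', vm, globals);
  return { value: unwrap(bindings.value), alertCalls: calls.length };
}

// Case 2 (the ASP.NET snippet in the question): the untrusted value is interpolated into the
// data-bind text server-side. Attribute encoding is applied here and does not help, because
// the browser decodes the entities and Knockout then compiles the decoded text as code.
function bindWithInterpolation(untrusted) {
  const { calls, globals } = makeGlobals();
  const attributeAsServed = 'value: ' + encodeHtmlAttribute(untrusted);
  const attributeAsParsed = decodeHtmlAttribute(attributeAsServed);
  const bindings = evaluateBindings(attributeAsParsed, {}, globals);
  return { value: unwrap(bindings.value), alertCalls: calls.length };
}

// Case 3 (the safe pattern for that snippet): keep the data-bind text static and hand the
// untrusted value to the view model as data inside the script block. The server would emit
// the two fragments below; here the script text is evaluated the way the browser would.
function bindViaViewModelLiteral(untrusted) {
  const { calls, globals } = makeGlobals();
  const markup = '<div data-bind="value: id"></div>';   // static, never touches untrusted input
  const script = 'var vm = { id: observable(' + jsonForScriptBlock(untrusted) + ') };';
  const vm = new Function('observable', script + ' return vm;')(observable);
  const bindings = evaluateBindings('value: id', vm, globals);
  return { markup, script, value: unwrap(bindings.value), alertCalls: calls.length };
}

// Example run with constructed inputs:
console.log(bindThroughViewModel('alert(2)'));        // value 'alert(2)', alertCalls 0
console.log(bindWithInterpolation('alert(1)'));       // alertCalls 1: the text was compiled as code
console.log(bindViaViewModelLiteral('</script><script>alert(1)</script>'));  // data, alertCalls 0
```

The point the three cases make is the one Andrew Hoffman's comment makes in words: the value of a data-bind attribute is a code context, so output encoding (the right control for an ordinary attribute) is the wrong control there, and the only safe shape is a static binding expression with untrusted data arriving through the view model. For the WAF-bypass case in the answer below the same rule applies to the page body: whatever writes the untrusted "id" into the HTML must encode it, so that no new element with a data-bind attribute can be introduced.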

1 Answer

3

The attack described in mustache-security describes a bypass of a Web Application Firewall (WAF) that tries to prevent XSS by dropping HTTP requests that contain <script> tags. If a page is using KnockoutJS, then an attacker can use a <div> instead of a <script> tag to obtain code execution:

http://localhost/xss?id=<div data-bind="html: '&#x5c;x3cimg&#x5c;x20src=x&#x5c;x20onerror=alert&#x5c;x281&#x5c;x29&#x5c;x3e'"></div>

In order for the attack above to work, the attacker must be able to inject HTML tags using angle brackets <>.

rook
  • That is a good point about the Web Application Firewall bypass, Rook. Personally, I think that the app writing the untrusted query string parameter "id" to the DOM in a way that makes it executable by the browser is a problem in and of itself (not to mention the use of the html binding), but I can see how KO might let an attacker be more creative in their attacks. Thanks for your reply. – scott stone Sep 16 '14 at 14:48