<div id="cat"></div>
<script>
$("#cat").html(location.pathname);
</script>

I think that example would work, but anyway, if location.pathname has to be a valid page, can this be exploited?

Edit: I'm mainly talking about if the user can't make up their own pathname, (i.e. /test/<script>alert(0)</script>).

Michael Blake

1 Answer


Yes, if a path containing script tags is resolved to the page containing this code on your server (for example, via a rewrite rule) then script could be rendered in your page. This will be DOM based XSS as it will be your client-side code that is adding the script tag.

e.g. https://www.example.com/foo/bar/<script>alert('foo')</script>

SilverlightFox
  • Thank you. Is the only way it could be exploited if it allows the .htaccess rewrite rule? What if the javascript was contained in /example/example.html only? – Michael Blake Aug 18 '14 at 09:56
  • @MichaelBlake: Depends on the tech stack - anything on the web server, load balancer, etc, that allows a URL containing script tags to resolve to the page could trigger the XSS. – SilverlightFox Aug 18 '14 at 09:59
  • Thank you. That's what I thought. I was just making sure there was no creative way for an attacker to stay on current page, but add their attack, that'd be carried to location.pathname (if that makes sense). – Michael Blake Aug 18 '14 at 10:03
  • @MichaelBlake: A more secure way is to use `text` rather than `html` rather than rely on this as a security measure. – SilverlightFox Aug 18 '14 at 10:06
  • I'm going to go ahead and allow anyone else to add any input, then I'll mark this as an answer. Thank you. – Michael Blake Aug 18 '14 at 10:08
  • I think @SilverlightFox is right here. Even if there is no rewrite in place at the moment, you don't want to have a site that could suddenly become vulnerable just because someone changes the server conf. That is dangerous. – Anders May 08 '17 at 12:33
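Added example (not code from the question, the answer or jQuery itself): a Node-runnable model of the two sinks discussed in the answer and comments, `$(...).html(location.pathname)` versus `$(...).text(location.pathname)`, using the thread's own sample URL. The regex scanner is an assumption standing in for the browser's HTML parser, and `report` is a helper invented for the example.

```javascript
// Constructed sample values of location.pathname, reusing the thread's own URL.
const SAFE_PATH = "/foo/bar";
const HOSTILE_PATH = "/foo/bar/<script>alert('foo')</script>";

// Entity-encode the characters the HTML parser cares about. This is what the
// browser effectively does when $(el).text(v) stores v as a text node.
function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Names of elements the browser would create if `markup` were parsed as HTML.
// A regex scanner stands in for the real parser here (a simplification for
// the example, not a full HTML parser).
function elementsCreated(markup) {
  const tags = [];
  const re = /<([a-zA-Z][a-zA-Z0-9-]*)(?=[\s/>])/g;
  let m;
  while ((m = re.exec(markup)) !== null) tags.push(m[1].toLowerCase());
  return tags;
}

// Sink from the question: $("#cat").html(location.pathname). The value is
// parsed as markup, and jQuery's .html() also evaluates inline <script>
// elements it finds in the string, which is why the answer calls it DOM based XSS.
function elementsCreatedByHtml(pathname) {
  return elementsCreated(pathname);
}

// Fix from the comments: $("#cat").text(location.pathname). The value becomes
// a text node, so no element is created whatever the path contains.
function elementsCreatedByText(pathname) {
  return elementsCreated(escapeHtml(pathname));
}

// Caveat: some browsers percent-encode "<" and ">" in location.pathname, but
// decodeURIComponent() over that value restores the raw characters, so treat
// the value as untrusted regardless of what the server's rewrite rules allow.
function report(pathname) {
  return { pathname, viaHtml: elementsCreatedByHtml(pathname),
           viaText: elementsCreatedByText(pathname) };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const p of [SAFE_PATH, HOSTILE_PATH]) console.log(report(p));
}
```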