Security Fix for Cross-site Scripting (XSS) - huntr.dev #586
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
https://huntr.dev/users/Mik317 has fixed the Cross-site Scripting (XSS) vulnerability 🔨. Mik317 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?
Get involved at https://huntr.dev/
Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#1
GitHub Issue URL | #464
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/form/1/README.md
User Comments:
📊 Metadata *
Please enter the direct URL for this bounty on huntr.dev. This is compulsory and will help us process your bounty submission quicker.
Bounty URL: https://www.huntr.dev/bounties/1-npm-form
⚙️ Description *
The
form
library suffered of aXSS
issue, which was caused by 2 minor issues inside thecode
, which made possible the usage ofeval
onunsanitized values
(inside the "override" ofparseJSON
) andhtml parsing
on aunsanitized AJAX response
.💻 Technical Description *
The 2 issues have been fixed in the following way:
The
eval
inside theparseJSON
function has been removed, while it's been added aerror
which arises when the default$.parseJSON
function (onjquery
) isn't declared (anyone with good intentions would simply add thejquery
script on the page and all works correctly again).The
unsanitized AJAX response
was previously passed toparseHTML
without any check, making possible inject additionalHTML
. I used a peculiarity ofjquery
to translate theHTML
nodes evaluated intotext nodes
, which are equal toHTML encoded entities
(can be verified seeing this:)
🐛 Proof of Concept (PoC) *
No PoC was provided, so I worked mostly theoretically on the issue/lines identified by the 2 issues in the
original repo
🔥 Proof of Fix (PoF) *
Theoretical fix 😄
👍 User Acceptance Testing (UAT)
Can't be sure of this but seems all OK (nodes are still nodes of different type and a function is null --> arises exception due to a function undefined)