xss – DOM-Based cross-site scripting on window.location.pathname

A scan with Burp has identified a DOM-Based cross-site scripting vulnerability.

The only script with a sink is the following.

Do you think it’s a false positive? (Can I make it more secure in some way?)

var sPageURL = window.location.pathname;
var urlParts = sPageURL.split('/');
var page = urlParts[urlParts.length - 1];   // last path segment of the current URL

// select links whose href is not "#", then keep those whose href contains the page name
var elem = $("a[href!='#']").filter(function () {
    //console.log(this.href + ' ' + this.href.toLowerCase().indexOf(page.toLowerCase()));
    return ((this.href.toLowerCase().indexOf(page.toLowerCase()) > 0) && (this.href.indexOf('#') < 0));
});

javascript – DOM Based XSS and Adding HTML Elements

So as a rule of thumb I once learned that adding or removing HTML with JavaScript/jQuery (.html(), .append(), etc.) leaves you wide open to DOM-based XSS attacks. It is now my understanding that this is not 100% true. Supposedly there is a correct and safe way to add/remove HTML with JavaScript. I am hoping to learn some of what this “correct way” may be.

So as an example, let's say I have an input field that allows a user to append an item to a list. In this case the input would also be added to an array to be sent in future requests. Additionally, this list would have a button to remove said item from the list. In an insecure environment we might do something like the following (ignoring the array):

var list = $("#my_list");

$("#add_btn").on("click", function(){
    let input = $("#input_field").val();
    // untrusted input is concatenated into markup, and .append() parses that string as HTML
    list.append(
        '<li>'+input+' <button>Remove</button></li>'
    );
});


$("#my_list").on("click", "button", function(){
    $(this).closest("li").remove();
});

How might one do the same but without the threat of XSS?
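Two ways to add the same list item without letting the input be parsed as HTML, as an added example that is not code from the original post; it assumes a browser with jQuery loaded, as in the post, and the element ids from the post.

```javascript
// Added example (not code from the original post). Two ways to append the list item so
// that the user's input is never parsed as HTML. Assumes a browser with jQuery loaded.

// Option A: keep building markup, but HTML-encode the untrusted value first.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);
}
function listItemHtml(input) {
  return '<li>' + escapeHtml(input) + ' <button>Remove</button></li>';
}

// Option B (preferred): do not build HTML from strings at all. Create the elements and
// set the untrusted value with .text(), which inserts a text node, so "<b>x</b>" in the
// input shows up literally instead of becoming an element.
function appendListItem(list, input) {
  const li = $('<li>');
  li.text(input);
  li.append(' ', $('<button>').text('Remove'));
  list.append(li);
  return li;
}

// Wiring as in the post; only runs in the browser (the guard keeps the file loadable elsewhere).
if (typeof $ !== 'undefined') {
  const list = $('#my_list');
  $('#add_btn').on('click', function () {
    appendListItem(list, $('#input_field').val());
  });
  $('#my_list').on('click', 'button', function () {
    $(this).closest('li').remove();
  });
}
```

The value the post also stores in an array for later requests stays untrusted; when the server renders it again, it needs encoding for that output context too.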

xss – IFrame Vulnerability Classification

I was participating in a bug bounty on a website we will call example.com, when I ran into a very strange edge case which I am not sure I should report. The website uses ads and tracking similar to google analytics from a website we can call tracking.com. When visiting the example website there is an iframe to the tracking website. The source of the iframe can be seen below.

<body>
<script type="text/javascript">
     ((function (e, t)
     {

          var n = function () {
               var e = t.createElement("iframe");
               e.src = "https://tracking.com/container/?utm_source=(INJECT)";
               e.style.cssText = "position: absolute";
               t.body.appendChild(e)
          }

          if (t.readyState === "complete")
          {
               n()
          }
          else
          {
               if (typeof e.addEventListener !== "undefined")
               {
                    t.addEventListener("DOMContentLoaded", n, false)
               }
               else
               {
                    e.attachEvent("onload", n, false)
               }
          }
     })(window, document));
</script>
</body>

The example website also has a parameter called utm_source, through which JavaScript can be injected into the iframe (where I placed (INJECT) in the code above). For example, visiting https://example.com/?utm_source=";</script><script>alert(document.domain)</script> yields the alert "embedded page at tracking.com says tracking.com". The issue is that the tracking website is not in scope of the bug bounty and I am not even sure that the issue is caused by the tracking website. It seems like the example website allows the user to inject arbitrary JS into the iframe of the tracking website. Is this a bug worth reporting, or am I missing some easy way of escaping the iframe?

So far I have tried injecting </iframe> and things like e.onload=alert(1) to escape the iframe, but have not been successful. Since the example and tracking websites are on different domains, I cannot access things in the parent website (example) from the tracking website due to the “X-Frame-Options” header set to “SAMEORIGIN”.

As a beginner this bug has me very confused as to how it should be classified and if it is exploitable in any way. Any tips would be greatly appreciated!

Vulnerability – How to put a good XSS payload into a vulnerable site

Please, I need help here. I discovered a dodgy Ponzi site with XSS vulnerability issues. The vulnerability is located on the registration page. All user input fields are vulnerable. These consist of the email field, the telephone number field and the password field.

Please folks, what good XSS payload can I use to exploit this vulnerability and how do I proceed?

Thanks a lot.

Web application – DOM XSS via the JQuery function init ()

Burp reported a potential DOM XSS. The data is read from the location and passed to the jQuery function 'init()' via:

var table = location('table') || location('sysparm_table');
snPresence.init(table, sys_id, query);

URL looks like

https://publicsite.com/scripts/Scoreboard/js_includes_cmdb_scoreboard.jsx

Is it vulnerable? How can I check if Chrome DevTools is vulnerable?

PortSwigger also mentions jQuery's init() sink, which leads to DOM XSS:
https://portswigger.net/web-security/cross-site-scripting/dom-based

Javascript – DOM-based cross-site scripting (XSS) sources

What are still relevant sources for DOM-based cross-site scripting (XSS) in 2020?

I had a list of those:

document.URL, document.documentURI, document.location, location, location.href, location.search, location.hash, document.referrer, window.name

But just found out that:

window.location.href

is now correctly encoded in modern browsers, so:

Code:


PoC

http://localhost/#

Will not work.

owasp – Is unexecuted content still considered XSS?

I am working on an OWASP ZAP report that has marked multiple URLs in the domain as vulnerable to XSS, but the vulnerability is never reported in a context that the browser can run. For example, the report lists

path/contacts.php?search=John%3Balert%281%29

decoded: path/contacts.php?search=John;alert(1)

as a vulnerable URL.

The application reflects this particular content in the response to the user:

var search = "John;alert(1)";

I think this triggers the alert as an XSS attack in the application.

The XSS here is that an attacker could introduce whatever code he wanted in that context and have it play in the user's browser, but that code would never be executed.

When testing the vulnerability manually, the application converts characters in the attempted attack before printing it in the response (using PHP's htmlentities function):

?search=John";alert(1);

is returned as:

var search = "John";alert(1);";

So the question is whether this is still an active XSS vulnerability.

Note: I have found that there is still a way to properly validate the input parameters, but my concern is the security implications.
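The iframe snippet earlier on this page (utm_source inside e.src) and this ZAP finding (var search = "...") are the same pattern: an untrusted value placed inside a string literal in an inline script. The following is an added example, not code from either post, showing an encoder for that JS-string context, a URL-query encoder for the iframe src, and a check on the emitted line; the function names and sample inputs are this example's own, and the host is the one from the post.

```javascript
// Added example, not code from either post: encoders for the "untrusted value inside an
// inline <script> string literal" pattern seen in the iframe snippet (utm_source) and in
// the ZAP finding (var search = "...").

// jsStringLiteral: emit a JS string literal for an inline script. JSON.stringify escapes
// quotes, backslashes and line terminators; '<' and '>' are escaped as well so the emitted
// literal can never contain a raw "</script>" sequence that would end the script block.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e');
}

// buildIframeSrc: for the tracking iframe, keep the untrusted value in the URL query via
// URLSearchParams, which percent-encodes '"', ';', '<', '>' and '/' (host from the post).
function buildIframeSrc(utmSource) {
  const u = new URL('https://tracking.com/container/');
  u.searchParams.set('utm_source', utmSource);
  return u.toString();
}

// What the two server-side templates would emit (names are this example's own).
function renderIframeLine(utmSource) {
  return 'e.src = ' + jsStringLiteral(buildIframeSrc(utmSource)) + ';';
}
function renderSearchLine(search) {
  return 'var search = ' + jsStringLiteral(search) + ';';
}

// literalIsIntact: check an emitted line the way a reviewer reads the ZAP output:
// exactly one double-quoted literal (escaped quotes allowed) followed by ';', and no
// '</' anywhere, so neither the literal nor the script block can be terminated early.
function literalIsIntact(line) {
  const m = /^[^"]*"(?:[^"\\]|\\.)*";$/.exec(line);
  return m !== null && !line.includes('</');
}
```

Each encoder is tied to one output context; a value that is later placed into an HTML attribute or a URL needs the encoding for that context instead.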

2013 – How to stop uploading malicious files (XSS files) even for administrator users who have full site collection permissions

Hello, in SharePoint, how do I stop the upload of malicious files (XSS files), even for administrator users who have full permissions on the site collection?
For example, in a custom list or document library, no one who has permissions on that list or library should be able to upload malicious files. What are the recommended approaches to prevent this?

xss – Possible attack methods for a website scraper

I wrote a little utility that retrieves some metadata from a website, given its address. My ultimate goal is to use this within a website where users can enter a website address. The utility then gets some information: title, URL and description.

I specifically look at certain tags in the HTML code and encode the returned data. So I think I'm safe from XSS attacks. However, I wonder if there are other attack methods that I am open to.