Sunday, February 14, 2016

Keep An Eye On $.html, $.get and $.ajax Functions

The $.html(), $.get() and $.ajax() functions are potential XSS venues. Some of you are already aware of this, but let's see real-life examples from the wild. Finding a real example from the wild is not an easy task in itself, but fortunately I live on the web in general and in view-source in particular, so I found one. At the same time, instead of cosmetic bypasses, i.e., bypasses based on assumptions, bypasses without examples, or bypasses for the sake of bypass, I am only interested in real cases. It is always good to see how developers use jQuery's features in the wild. Some time ago I did a blog post on third-party jQuery-based sinks.

$.html(htmlString)

According to jQuery, $.html(htmlString) (the .html() method of a jQuery object) sets the HTML contents of each element in the set of matched elements. Please open the following URL.

The screen-shot shows the reflection of interest, i.e., inside the $.html(htmlString) call. The developers are using single quotes to hold the HTML contents passed to $.html(htmlString), and it can be seen that the ' from the probe string (i.e., xxxxxxxx'yyyyy</img) is not controlled.


Getting XSS in this case should not be a problem. The URL at the time of XSSing is given below and the screen-shot is also there.




$.get()

According to jQuery, $.get() loads data from the server via an HTTP GET request. Open the following URL (the q GET parameter holds our harmless XSS probe string, i.e., xxxxxxxx'yyyyy</img). The screen-shot shows the reflection of the probe string inside the $.get() call.

It can be seen in the screen-shot that the developers are using " to hold the value of the first parameter of $.get(), i.e., url, and " is not filtered, encoded or escaped. XSS in this case should not be a problem; it is simple and straightforward. The URL at the time of XSSing is given below and the screen-shot is also there.



$.ajax()

$.ajax() is used to perform an asynchronous HTTP request. The screen-shot shows the reflection of the XSS probe string inside the $.ajax() call. The developers are using ' for the data section of $.ajax(), and it can be seen that ' is not controlled. Further, </ is also there in its hard-coded form. I would like to refer you to the article for the detailed syntax of $.ajax().



It is an easy and simple task to XSS this case, given that ' and </ are not controlled inside the $.ajax() call. XSS payloads like '-confirm(1)-' and </script><script>confirm(1)</script> work here. I already explained in earlier posts how payloads like '-confirm(1)-' or "-confirm(1)-" work. The screen-shot shows an XSS.
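As an added example (not code from this post or from the sites it describes), here are the three sink patterns above rendered the way the post found them, beside a hardened rendering of the same inline script. The helper names, the /search?q= URL and the #results element are assumptions of the example.

```javascript
// Added example, not code from the post: the reflected q value inside the
// three jQuery sinks, rendered the way the post found it and then hardened.
// jsStringLiteral, /search?q= and #results are assumptions of this example.

// Emit a server-side value as a JavaScript string literal that is safe inside
// an inline <script>: JSON.stringify escapes quotes and backslashes, and the
// extra replacements keep "</script>" and "<!--" from being seen by the HTML
// parser, which runs before the JS engine ever sees the string.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// The pattern from the post: q is dropped between the quotes unencoded, so a
// quote or "</" in it ends the literal (or the whole <script> element).
function renderVulnerableScript(q) {
  return "$('#results').html('Results for " + q + "');\n" +
         '$.get("/search?q=' + q + '");\n' +
         "$.ajax({ url: '/search', data: 'q=" + q + "' });";
}

// Hardened: the value is emitted as a literal, .text() replaces .html() for
// display, the URL is built with encodeURIComponent on the client, and $.ajax
// gets a data object, which jQuery serialises (and URL-encodes) itself.
function renderHardenedScript(q) {
  var lit = jsStringLiteral(q);
  return "$('#results').text('Results for ' + " + lit + ");\n" +
         '$.get("/search?q=" + encodeURIComponent(' + lit + '));\n' +
         "$.ajax({ url: '/search', data: { q: " + lit + " } });";
}

// Review check: the probe appearing verbatim, or any raw "</" in the inline
// script, means the value reached the sink unescaped.
function reflectsProbeRaw(scriptText, probe) {
  return scriptText.indexOf(probe) !== -1 || scriptText.indexOf('</') !== -1;
}

var probe = "xxxxxxxx'yyyyy</img";  // the post's harmless probe string
console.log(reflectsProbeRaw(renderVulnerableScript(probe), probe)); // true
console.log(reflectsProbeRaw(renderHardenedScript(probe), probe));   // false
```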


Before concluding, I would like to say that I am still looking for $.post() and $.load() based XSS in the wild (both are also potential XSS venues). If I find one, I will update this post. I conclude with a saying: "Simplicity is nature's first step, and the last of art." Philip James Bailey.

4 comments:

  1. "xxxxxxxx'yyyyy</img works only for search terms, or does it work with all the fields?

    For example, if I have a field for description in my website and it is storing the above parameter, do you see a bug there?

    Replies
    1. The probe string works fine for cases where one can see the reflection.