Skip to content

XSS in some browsers #517

New issue
New issue
Open
#518
Open
XSS in some browsers#517
#518
@ooooooo-q

Description

@ooooooo-q
ooooooo-q
opened on Feb 4, 2020

hello,

I found an XSS that occurs with jquery-ujs and jquery-rails.
I have confirmed the operation with Safari and IE (and old version of Edge).

The problematic part is the following handleMethod part.
The value of href is used without escaping. (The method, csrfParam, csrfToken have the same problem, but it is rare for user input to enter this part.)

// https://github.com/rails/jquery-ujs/blob/master/src/rails.js#L215

handleMethod: function(link) {
  var href = rails.href(link),
    method = link.data('method'),
    target = link.attr('target'),
    csrfToken = rails.csrfToken(),
    csrfParam = rails.csrfParam(),
    form = $('<form method="post" action="' + href + '"></form>'),
    metadataInput = '<input name="_method" value="' + method + '" type="hidden" />';

  if (csrfParam !== undefined && csrfToken !== undefined && !rails.isCrossDomain(href)) {
    metadataInput += '<input name="' + csrfParam + '" value="' + csrfToken + '" type="hidden" />';
  }

This value is taken from the DOM .href

//https://github.com/rails/jquery-ujs/blob/master/src/rails.js#L101
href: function(element) {
  return element[0].href;
},

// https://github.com/rails/jquery-ujs/blob/master/src/rails.js#L430
$document.on('click.rails', rails.linkClickSelector, function(e) {
  var link = $(this), method = link.data('method'), data = link.data('params'), metaClick = e.metaKey || e.ctrlKey;

  ...

  } else if (method) {
    rails.handleMethod(link);
    return false;
  }

PoC

The attack code can be included after #" if the user can write a link as follows:

# erb example
<%= link_to 'alert', '"?">#"><img src=. onerror=alert(location)>', data: { method: 'get' } %>

# rendered html
# => <a data-method="get" href="&quot;?&quot;&gt;#&quot;&gt;&lt;img src=. onerror=alert(location)&gt;">alert</a>

Whether the results of element[0].href were percent encoded was browser dependent.
Firefox and Chrome are encoded, Safari and Internet Explorer are XSS happened.

On the other hand, rails-ujs included in Rails 5 is safe because it operates the DOM directly.
https://github.com/rails/rails/blob/master/actionview/app/assets/javascripts/rails-ujs/features/method.coffee#L26

This issue was reported to hackerone but was out of scope.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions