Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security Fix for Cross-site Scripting (XSS) - huntr.dev #528

Open
wants to merge 2 commits into
base: master
Choose a base branch
from

Conversation

huntr-helper
Copy link

https://huntr.dev/users/mufeedvh has fixed the Cross-site Scripting (XSS) vulnerability 🔨. mufeedvh has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#2
GitHub Issue | #508
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/jquery-confirm/1/README.md

User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-jquery-confirm

⚙️ Description *

The project jquery-confirm adds classes to HTML elements without any validation causing an HTML Injection.

💻 Technical Description *

The code dynamically creates an HTML element for the setIcon and closeIconClass actions and adds classes directly to the elements making it vulnerable to an HTML Injection Vulnerability.

The implementation should not be like this and sanitizing/escaping the input class is also not the way as there is a dedicated function in JQuery to do just what we want == addClass().

This is also suggested by the reporter of this vulnerability: #508 (comment).

🐛 Proof of Concept (PoC) *

<html>
<head>
   <title>jquery-confirm HTML Injection PoC</title>
   <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
   <script src="js/jquery-confirm.js"></script>
   <script>
      $.confirm().setIcon('"><img src onerror="alert(1337)"><"')
   </script>
</head>
<body>
    ...
</body>
</html>

🔥 Proof of Fix (PoF) *

As suggested by the reporter, I implemented the JQuery dedicated function addClass() to add class to the particular dynamically created element completely preventing any bypasses possible.

👍 User Acceptance Testing (UAT)

Just added a JQuery function on a JQuery project. 😉

@JamieSlome
Copy link

@craftpip - any updates on this?

Cheers! 🍰

@kms0219kms
Copy link

@craftpip

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants