Posted to hdfs-dev@hadoop.apache.org by "Aayush (Jira)" <ji...@apache.org> on 2019/09/11 12:36:00 UTC

[jira] [Created] (HDDS-2111) DOM XSS

Aayush created HDDS-2111:
----------------------------

             Summary: DOM XSS
                 Key: HDDS-2111
                 URL: https://issues.apache.org/jira/browse/HDDS-2111
             Project: Hadoop Distributed Data Store
          Issue Type: Bug
            Reporter: Aayush


VULNERABILITY DETAILS
There is a way to bypass the anti-XSS filter for DOM XSS by exploiting "window.location.href".

Considering a typical URL:

scheme://domain:port/path?query_string#fragment_id

Browsers correctly encode both the "path" and the "query_string", but not the "fragment_id".

So if the "fragment_id" is used, the vector is also not logged on the web server.

VERSION
Chrome Version: 10.0.648.134 (Official Build 77917) beta

REPRODUCTION CASE
This is an index.html page:


{code:java}
<pre>aws s3api --endpoint <script>document.write(window.location.href.replace("static/", ""))</script> create-bucket --bucket=wordcount</pre>
{code}


The attack vector is:
index.html?#<script>alert('XSS');</script>

* PoC:
For your convenience, a minimalist PoC is located on:
http://security.onofri.org/xss_location.html?#<script>alert('XSS');</script>

* References
- DOM Based Cross-Site Scripting or XSS of the Third Kind - http://www.webappsec.org/projects/articles/071105.shtml


Reference:
https://bugs.chromium.org/p/chromium/issues/detail?id=76796



--
This message was sent by Atlassian Jira
(v8.3.2#803003)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: hdfs-dev-help@hadoop.apache.org
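The sink in the reported index.html is document.write() receiving window.location.href as raw markup, so any HTML in the URL, fragment included, is parsed by the browser. The following is an added example, not code from the Jira report or from the Hadoop project: it reproduces the unsafe string-building pattern beside a hardened version that parses the URL, keeps only the origin and path the page needs, and HTML-escapes before inserting, and it shows why the fragment never reaches server logs (only path and query are sent in the request line). The hostname example.invalid and the sample URL are constructed placeholders. It runs under Node.js without a browser, using the WHATWG URL class.

```javascript
// Added example (not from the Jira report): vulnerable rendering pattern
// beside a hardened version, runnable under Node.js without a browser.

// Mirrors the reported index.html: the current URL is concatenated into markup
// via document.write, so anything in location.href is parsed as HTML.
function renderEndpointUnsafe(href) {
  return '<pre>aws s3api --endpoint ' + href.replace("static/", "") +
         ' create-bucket --bucket=wordcount</pre>';
}

// Minimal HTML entity escaping for text placed into element content or a
// double-quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: parse the URL, keep only the parts the page actually needs
// (origin + path, so query and fragment are dropped), then escape before
// building markup. In a real page, prefer creating a text node
// (element.textContent = ...) over building an HTML string at all; escaping
// is used here so the result is a plain string that can be checked.
function renderEndpointSafe(href) {
  let endpoint;
  try {
    const u = new URL(href);
    endpoint = u.origin + u.pathname.replace("static/", "");
  } catch (e) {
    // Not a parseable absolute URL: render nothing rather than guess.
    endpoint = '';
  }
  return '<pre>aws s3api --endpoint ' + escapeHtml(endpoint) +
         ' create-bucket --bucket=wordcount</pre>';
}

// What an HTTP server sees in the request line: path and query only.
// The fragment stays in the browser, which is why it is absent from server logs.
function serverVisiblePart(href) {
  const u = new URL(href);
  return u.pathname + u.search;
}

// How a current WHATWG-compliant URL parser serialises the fragment:
// '<' and '>' are percent-encoded, which is the browser-side change the
// referenced Chromium bug tracked. Application code must not rely on this
// alone, since the same string may be decoded again before reaching a sink.
function fragmentAsSerialised(href) {
  return new URL(href).hash;
}

// Simple detector used to compare the two renderers.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample URL (placeholder host, payload taken from the report).
const SAMPLE_HREF =
  "http://example.invalid/static/index.html?#<script>alert('XSS');</script>";

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe :', renderEndpointUnsafe(SAMPLE_HREF));
  console.log('safe   :', renderEndpointSafe(SAMPLE_HREF));
  console.log('server :', serverVisiblePart(SAMPLE_HREF));
  console.log('hash   :', fragmentAsSerialised(SAMPLE_HREF));
}
```

The unsafe renderer emits the payload as live markup, while the hardened one emits `http://example.invalid/index.html` and nothing from the fragment; `serverVisiblePart` returns only `/static/index.html`, matching the report's observation that a fragment-borne vector leaves no trace in web server logs.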