LokeshReddySura / dominator

Automatically exported from code.google.com/p/dominator
Other
0 stars 0 forks source link

dominator doesn't pick up on domxss that "do not work in firefox TM" #6

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
So I was playing with dominator with some software seeing if it would catch 
onto anything. Well it didn't but I did (in chrome). 
The code flow to the domxss was something like this --->

var something = location.href.split("#")[1] || "" ;
^ now if location.href is like this -->

$uri#l\\alert(1);alert(2);//<input>
then in firefox(6) the value of something is 
"l\\alert(1);alert(2);//%3Cinput%3E"
but in chrome(14) it is 
"l\\alert(1);alert(2);//<input>"

the variable something was then given to a few functions ....
before finally ending up used in a jquery selection like this
("#" + something + "[foo=" + something +"]").

So in chrome with a hash of <video src="WATVIDEO??" onerror=alert(1)> ends 
tripping the domxss (to show an alert dialogue with the number one in it)
but in firefox - nothing happens and so, dominator failed to detect the domxss 
:/

Original issue reported on code.google.com by db.pub.m...@gmail.com on 16 Sep 2011 at 4:36

GoogleCodeExporter commented 9 years ago
The line:
("#" + something + "[foo=" + something +"]").
Should have been:
$("#" + something + "[foo=" + something +"]").

Original comment by db.pub.m...@gmail.com on 16 Sep 2011 at 4:39

GoogleCodeExporter commented 9 years ago
Thanks for reporting this.

About the "'<>.etc.. escaping in DOMinator you're right.
I'll add the unescaped location feature in the next release.

About the possibility of adding html5 tags, of course depends on the browser 
implementing it.
As you know, the detection of a DOM Xss (row in alert tab) is different from 
executing the Xss in the browser itself.

Thanks

Original comment by stefano....@gtempaccount.com on 19 Sep 2011 at 5:47