SAP / project-foxhound

A web browser with dynamic data-flow tracking enabled in the Javascript engine and DOM, based on Mozilla Firefox (https://github.com/mozilla/gecko-dev). It can be used to identify insecure data flows or data privacy leaks in client-side web applications.
GNU General Public License v3.0

btoa string loses the taint #240

Open alexbara2000 opened 3 days ago

alexbara2000 commented 3 days ago

I have noticed that the taint gets lost with btoa strings when using classes. Below is the code to reproduce it. clientX and clientY are marked as taint sources.

```javascript
class SessionStorageManager {
    constructor(storageKey) {
        this.storageKey = storageKey;
        this.storage = window.sessionStorage;
        this.items = [];
    }

    get(key, factory) {
        const newItem = factory(key);
        this.items.push(newItem);
        return newItem;
    }

    set() {
        if (this.storage) {
            const jsonString = JSON.stringify(this.items);
            // Base64-encode the same tainted string; this is the copy whose taint gets lost.
            const encoded2 = btoa(jsonString);
            // Both setItem calls are sinks, so both are expected to report a taint flow.
            this.storage.setItem(this.storageKey, jsonString);
            this.storage.setItem(this.storageKey, encoded2);
        }
    }
}

const storageManager = new SessionStorageManager('myAppData');

function itemFactory(key) {
    return { key, data: "thing" };
}

document.addEventListener('click', keyHandler2);

// clientX and clientY are the taint sources.
function keyHandler2(e) {
    const { clientX, clientY } = e;
    const item1 = storageManager.get('item1', itemFactory);
    item1.data = [clientX, clientY];
    storageManager.set();
}
```

When you click on the page, both setItem calls will report the taint flows. But after the first click, every subsequent click will only report a taint flow for the setItem of jsonString; the encoded2 one will not report the taint flow. This only happens to strings that have gone through the btoa builtin function (from what I can tell). This also happens only with classes (all different ways of creating classes) from what I can tell.
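As an added example (not Foxhound's code and not the reporter's), here is a Node-runnable model of how taint ranges should survive btoa: base64 maps every 3 input bytes to 4 output characters, so a tainted input range can be mapped to the output columns that encode it, which gives a reference for what the encoded2 sink report should still contain. The tainted()/concat()/taintedBtoa() helpers and the [begin, end) range representation are assumptions of this example.

```javascript
// Minimal taint model: a string value plus [begin, end) character ranges that
// are tainted. Constructed for this example; not Foxhound's representation.
function tainted(value, ranges = []) {
  return { value, ranges };
}

// Concatenate tainted parts, shifting each part's ranges by its offset.
function concat(...parts) {
  let value = "";
  const ranges = [];
  for (const p of parts) {
    for (const [b, e] of p.ranges) ranges.push([b + value.length, e + value.length]);
    value += p.value;
  }
  return { value, ranges };
}

// btoa that keeps taint: base64 maps every 3 input bytes to 4 output chars, so
// an input range [b, e) must cover the output range [floor(b/3)*4, ceil(e/3)*4).
// Latin-1 only, like the real btoa.
function taintedBtoa(s) {
  const value = Buffer.from(s.value, "latin1").toString("base64");
  const ranges = s.ranges.map(([b, e]) => [Math.floor(b / 3) * 4, Math.ceil(e / 3) * 4]);
  return { value, ranges };
}

// Recover the input bytes covered by a tainted output range, to check that the
// propagated range still contains the original tainted text.
function decodeRange(enc, [b, e]) {
  return Buffer.from(enc.value.slice(b, e), "base64").toString("latin1");
}

// The reporter's flow in miniature: user-controlled coordinates are embedded in
// a JSON string and base64-encoded before reaching the storage sink.
function encodeItem(key, clientX, clientY) {
  const x = String(clientX);
  const y = String(clientY);
  const json = concat(
    tainted(`{"key":"${key}","data":[`),
    tainted(x, [[0, x.length]]),
    tainted(","),
    tainted(y, [[0, y.length]]),
    tainted("]}"),
  );
  return { json, encoded: taintedBtoa(json) };
}

const sample = encodeItem("item1", 12, 345);
console.log(sample.encoded.value, JSON.stringify(sample.encoded.ranges));
```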