SteveMcGrath / DoFler

Dashboard of Fail. An application to carve out images/accounts/vulns on conference networks and display them for general entertainment.
http://dofler.net
GNU General Public License v2.0

XSS in display.js #5

Closed qll closed 9 years ago

qll commented 10 years ago

If an attacker manages to squeeze an attack vector into a URL (28 chars), username (15 chars) or both, the display.js code will reflect it into the HTML without sanitization.

Here is the first vulnerable line: https://github.com/SteveMcGrath/DoFler/blob/master/static/display.js#L45

Possible attack vector (needs Python's requests library):

import requests
r = requests.post('http://ai/<svg onload=alert(1)>', data={'user': 'fluxfingers', 'pass': 'aa'})

Any valid DNS name will do. We just chose ai. for its shortness.

SteveMcGrath commented 10 years ago

Honestly that would require authentication to post to the API in order to get that in. I'm no JS expert, so if there is a way to sanitize the data on the JS side, I'm all ears.

qll commented 10 years ago

It's not posting to the API. It uses unencrypted HTTP to POST credentials to some remote point, so the DoFler would show it as "stolen credentials" on the page, wouldn't it? It worked on the hack.lu conference ;-)

The best way to sanitize this would be using DOM methods like document.createElement and especially document.createTextNode, but this does not look as beautiful as jQuery. In jQuery the .text() property could help, but if you are not keen to change the code a lot, a basic encoding function mapping HTML brackets to their encoded entities would be okay, too.
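The two fixes suggested in the comment above, written out as an added example (this is not DoFler's display.js code); the record field names `url`/`user`, the `doc` parameter and the SAMPLE value are assumptions made for the demo.

```javascript
// Added example, not DoFler's own code: two defensive ways to render
// attacker-controlled strings (captured URL, username) without letting
// them execute as markup. Field names and SAMPLE are assumptions.

// 1. Minimal entity encoder: every character that can open/close a tag
//    or break out of an attribute value is mapped to its entity.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  // String() so a number or null from a JSON feed does not throw.
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Builds one "stolen credential" row from encoded fields; the result is
// safe to hand to innerHTML or jQuery's .html() because no raw input
// reaches the HTML parser.
function renderCredentialRow(record) {
  return '<tr><td>' + escapeHtml(record.url) + '</td><td>' +
         escapeHtml(record.user) + '</td></tr>';
}

// 2. DOM-API approach: text nodes are never parsed as markup, so no
//    encoding step is needed. `doc` is any Document-like object (the
//    real `document` in a browser), passed in so it can be tested.
function appendCredentialRow(doc, table, record) {
  const row = doc.createElement('tr');
  for (const field of [record.url, record.user]) {
    const cell = doc.createElement('td');
    cell.appendChild(doc.createTextNode(String(field)));
    row.appendChild(cell);
  }
  table.appendChild(row);
  return row;
}

// Constructed sample: the captured POST from the report above, whose URL
// carries an inline-SVG payload that a naive string concat would execute.
const SAMPLE = { url: 'http://ai/<svg onload=alert(1)>', user: 'fluxfingers' };

console.log(renderCredentialRow(SAMPLE));
// → <tr><td>http://ai/&lt;svg onload=alert(1)&gt;</td><td>fluxfingers</td></tr>
```

In the browser the second function is called as `appendCredentialRow(document, tableEl, record)`; the first works anywhere the existing string-building code runs.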