Open bliutech opened 1 year ago
What are some tests I can do after a fix to ensure I've resolved the problem? @bliutech
Is it enough to check the document.domain property?
Yes. If the origins are not the same, then the Same-Origin Policy applies which should address this issue. 👍
Update. CVE-2023-42267 is reserved for this.
Initially disclosed to @mizlan privately. Opening this issue for easier tracking and documentation.
Vulnerability
On https://editor.uclaacm.com, there is an arbitrary Same-Origin Stored XSS for outputs of the editor specifically for both React & HTML. The issue arises from lack of sandboxing of the output while using srcdoc, causing the embedded content to be on the same origin as the editor (source code). The impact could be that an adversary is able to share a page with a payload which could exfiltrate private data about a user or lead to arbitrary writes or downloads.
POC
React:
HTML:
Fix
The solution to this is to introduce the sandbox property to the output iframe. This can be done in the following source code with a behavior of sandbox="allow-scripts allow-modals". This would allow many of the current features to be maintained while allowing resources to be isolated by the Same-Origin Policy.