Mixing
Is this code vulnerable to Reflected XSS?
Clash Royale CLAN TAG#URR8PPP
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;
up vote
4
down vote
favorite
I'm doing a pentest and came by this code:
(function()
var subdomain = (function()
var query = /[?&]css=([^&#]*)/i.exec(window.location.search);
if(query)
return query[1];
var URL = window.location.host.split('.');
if (URL.length > 1)
return URL[0];
)();
if (subdomain)
var link = document.createElement('link');
link.rel = "stylesheet";
link.href = "/" + subdomain + ".css";
document.getElementsByTagName('head')[0].appendChild(link);
)();
It adds a CSS file to the header for rebranding.
The target URL looks like this:http://some.company.com/p1=test&css=custom
We have controlled the subdomain parameter here which equals to either query or URL[0].query is the result of /[?&]css=([^&#]*)/i.exec(window.location.search); which equals to custom in this case.
if the query is not available in URL, then URL[0] equals to some here, I can't think of doing anything useful using URL[0] because, in order to control its value, I have to change some to something else which completely changes the URL and points to some other irrelevant page.
Anyway, The final CSS URL would be "/custom.css" or "/some.css" if the CSS parameter is not available.
I tried some payloads to exploit this but all failed.
Any ideas if this code is vulnerable and how can it be exploited?
xss reflected-xss
edited yesterday
R1-
8501724
asked 2 days ago
Sam
329111
add a comment |Â
up vote
4
down vote
favorite
I'm doing a pentest and came by this code:
(function()
var subdomain = (function()
var query = /[?&]css=([^&#]*)/i.exec(window.location.search);
if(query)
return query[1];
var URL = window.location.host.split('.');
if (URL.length > 1)
return URL[0];
)();
if (subdomain)
var link = document.createElement('link');
link.rel = "stylesheet";
link.href = "/" + subdomain + ".css";
document.getElementsByTagName('head')[0].appendChild(link);
)();
It adds a CSS file to the header for rebranding.
The target URL looks like this:http://some.company.com/p1=test&css=custom
We have controlled the subdomain parameter here which equals to either query or URL[0].query is the result of /[?&]css=([^&#]*)/i.exec(window.location.search); which equals to custom in this case.
if the query is not available in URL, then URL[0] equals to some here, I can't think of doing anything useful using URL[0] because, in order to control its value, I have to change some to something else which completely changes the URL and points to some other irrelevant page.
Anyway, The final CSS URL would be "/custom.css" or "/some.css" if the CSS parameter is not available.
I tried some payloads to exploit this but all failed.
Any ideas if this code is vulnerable and how can it be exploited?
xss reflected-xss
edited yesterday
R1-
8501724
asked 2 days ago
Sam
329111
1
//domain.tld/bad.cssis a potentially valid url. no xss, but a css injection potential.
– dandavis
2 days ago
add a comment |Â
up vote
4
down vote
favorite
up vote
4
down vote
favorite
I'm doing a pentest and came by this code:
(function()
var subdomain = (function()
var query = /[?&]css=([^&#]*)/i.exec(window.location.search);
if(query)
return query[1];
var URL = window.location.host.split('.');
if (URL.length > 1)
return URL[0];
)();
if (subdomain)
var link = document.createElement('link');
link.rel = "stylesheet";
link.href = "/" + subdomain + ".css";
document.getElementsByTagName('head')[0].appendChild(link);
)();
It adds a CSS file to the header for rebranding.
The target URL looks like this:http://some.company.com/p1=test&css=custom
We have controlled the subdomain parameter here which equals to either query or URL[0].query is the result of /[?&]css=([^&#]*)/i.exec(window.location.search); which equals to custom in this case.
if the query is not available in URL, then URL[0] equals to some here, I can't think of doing anything useful using URL[0] because, in order to control its value, I have to change some to something else which completely changes the URL and points to some other irrelevant page.
Anyway, The final CSS URL would be "/custom.css" or "/some.css" if the CSS parameter is not available.
I tried some payloads to exploit this but all failed.
Any ideas if this code is vulnerable and how can it be exploited?
xss reflected-xss
edited yesterday
R1-
8501724
asked 2 days ago
Sam
329111
I'm doing a pentest and came by this code:
(function()
var subdomain = (function()
var query = /[?&]css=([^&#]*)/i.exec(window.location.search);
if(query)
return query[1];
var URL = window.location.host.split('.');
if (URL.length > 1)
return URL[0];
)();
if (subdomain)
var link = document.createElement('link');
link.rel = "stylesheet";
link.href = "/" + subdomain + ".css";
document.getElementsByTagName('head')[0].appendChild(link);
)();
It adds a CSS file to the header for rebranding.
The target URL looks like this:http://some.company.com/p1=test&css=custom
We have controlled the subdomain parameter here which equals to either query or URL[0].query is the result of /[?&]css=([^&#]*)/i.exec(window.location.search); which equals to custom in this case.
if the query is not available in URL, then URL[0] equals to some here, I can't think of doing anything useful using URL[0] because, in order to control its value, I have to change some to something else which completely changes the URL and points to some other irrelevant page.
Anyway, The final CSS URL would be "/custom.css" or "/some.css" if the CSS parameter is not available.
I tried some payloads to exploit this but all failed.
Any ideas if this code is vulnerable and how can it be exploited?
xss reflected-xss
xss reflected-xss
edited yesterday
R1-
8501724
asked 2 days ago
Sam
329111
edited yesterday
R1-
8501724
asked 2 days ago
Sam
329111
edited yesterday
R1-
8501724
edited yesterday
R1-
8501724
edited yesterday
R1-
8501724
8501724
asked 2 days ago
Sam
329111
asked 2 days ago
Sam
329111
asked 2 days ago
Sam
329111
329111
1
//domain.tld/bad.cssis a potentially valid url. no xss, but a css injection potential.
– dandavis
2 days ago
add a comment |Â
1
//domain.tld/bad.cssis a potentially valid url. no xss, but a css injection potential.
– dandavis
2 days ago
1
1
//domain.tld/bad.css is a potentially valid url. no xss, but a css injection potential.– dandavis
2 days ago
//domain.tld/bad.css is a potentially valid url. no xss, but a css injection potential.– dandavis
2 days ago
add a comment |Â
3 Answers
3
active
oldest
votes
up vote
10
down vote
accepted
Yes, this code is vulnerable, but not to XSS. The subdomain variable's value can indeed be controlled by an attacker, but that variable is only used to set the href parameter of a CSS stylesheet; which won't accept JavaScript code. However, controlling this value does still allow CSS injection.
The stylesheet's href is prefixed by /, but an attacker can still point it to an arbitrary page by adding another slash to form a protocol-relative URL pointing to the attacker's server. (E.g. //evilsite.com/payload.css.) This would allow the attacker to get complete control over the site's appearance, if not it's functionality, which could be used to trick users into taking actions they wouldn't otherwise take. (For example, add a banner telling users they need to reset their password, then style the user settings page to make their public profile description field look like the input box for "current password".)
answered 2 days ago
Ajedi32
2,61611347
CSS might contain executable code - not for all browsers, but still.
– Bergi
2 days ago
add a comment |Â
up vote
5
down vote
Any ideas if this code is vulnerable and how can it be exploited?
As mentioned in the comments, this code could be vulnerable to CSS injection.
For example, if the URL looks like:
http://some.company.com/p1=test&css=/evil.com/more_evil
Then this javascript will create a new link in the header like:
link rel="stylesheet" href="//evil.com/more_evil.css"
Which is a valid URL (even without the scheme http/https), which can access the remote CSS file.
answered 2 days ago
hft
1,001617
You could avoid this specific issue by changing the regex to: /[?&]css=([a-zA-z]*)/
– hft
2 days ago
add a comment |Â
up vote
1
down vote
It is vulnerable but you can solve that easily with whitelisting:
var allowedBrands = ['brand1', 'brand2', 'brand3'],
query = /[?&]css=([A-Za-z0-9]*)/i.exec(window.location.search);
if (query && allowedBrands.indexOf(query[1]))
return query[1];
else
return allowedBrands[0]; // this is the default value
answered yesterday
MatÃas Pizarro
111
New contributor
MatÃas Pizarro is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |Â
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
10
down vote
accepted
Yes, this code is vulnerable, but not to XSS. The subdomain variable's value can indeed be controlled by an attacker, but that variable is only used to set the href parameter of a CSS stylesheet; which won't accept JavaScript code. However, controlling this value does still allow CSS injection.
The stylesheet's href is prefixed by /, but an attacker can still point it to an arbitrary page by adding another slash to form a protocol-relative URL pointing to the attacker's server. (E.g. //evilsite.com/payload.css.) This would allow the attacker to get complete control over the site's appearance, if not it's functionality, which could be used to trick users into taking actions they wouldn't otherwise take. (For example, add a banner telling users they need to reset their password, then style the user settings page to make their public profile description field look like the input box for "current password".)
answered 2 days ago
Ajedi32
2,61611347
CSS might contain executable code - not for all browsers, but still.
– Bergi
2 days ago
add a comment |Â
up vote
10
down vote
accepted
Yes, this code is vulnerable, but not to XSS. The subdomain variable's value can indeed be controlled by an attacker, but that variable is only used to set the href parameter of a CSS stylesheet; which won't accept JavaScript code. However, controlling this value does still allow CSS injection.
The stylesheet's href is prefixed by /, but an attacker can still point it to an arbitrary page by adding another slash to form a protocol-relative URL pointing to the attacker's server. (E.g. //evilsite.com/payload.css.) This would allow the attacker to get complete control over the site's appearance, if not it's functionality, which could be used to trick users into taking actions they wouldn't otherwise take. (For example, add a banner telling users they need to reset their password, then style the user settings page to make their public profile description field look like the input box for "current password".)
answered 2 days ago
Ajedi32
2,61611347
CSS might contain executable code - not for all browsers, but still.
– Bergi
2 days ago
add a comment |Â
up vote
10
down vote
accepted
up vote
10
down vote
accepted
Yes, this code is vulnerable, but not to XSS. The subdomain variable's value can indeed be controlled by an attacker, but that variable is only used to set the href parameter of a CSS stylesheet; which won't accept JavaScript code. However, controlling this value does still allow CSS injection.
The stylesheet's href is prefixed by /, but an attacker can still point it to an arbitrary page by adding another slash to form a protocol-relative URL pointing to the attacker's server. (E.g. //evilsite.com/payload.css.) This would allow the attacker to get complete control over the site's appearance, if not it's functionality, which could be used to trick users into taking actions they wouldn't otherwise take. (For example, add a banner telling users they need to reset their password, then style the user settings page to make their public profile description field look like the input box for "current password".)
answered 2 days ago
Ajedi32
2,61611347
Yes, this code is vulnerable, but not to XSS. The subdomain variable's value can indeed be controlled by an attacker, but that variable is only used to set the href parameter of a CSS stylesheet; which won't accept JavaScript code. However, controlling this value does still allow CSS injection.
The stylesheet's href is prefixed by /, but an attacker can still point it to an arbitrary page by adding another slash to form a protocol-relative URL pointing to the attacker's server. (E.g. //evilsite.com/payload.css.) This would allow the attacker to get complete control over the site's appearance, if not it's functionality, which could be used to trick users into taking actions they wouldn't otherwise take. (For example, add a banner telling users they need to reset their password, then style the user settings page to make their public profile description field look like the input box for "current password".)
answered 2 days ago
Ajedi32
2,61611347
edited 2 days ago
answered 2 days ago
Ajedi32
2,61611347
answered 2 days ago
Ajedi32
2,61611347
answered 2 days ago
Ajedi32
2,61611347
2,61611347
CSS might contain executable code - not for all browsers, but still.
– Bergi
2 days ago
add a comment |Â
CSS might contain executable code - not for all browsers, but still.
– Bergi
2 days ago
CSS might contain executable code - not for all browsers, but still.
– Bergi
2 days ago
CSS might contain executable code - not for all browsers, but still.
– Bergi
2 days ago
add a comment |Â
up vote
5
down vote
Any ideas if this code is vulnerable and how can it be exploited?
As mentioned in the comments, this code could be vulnerable to CSS injection.
For example, if the URL looks like:
http://some.company.com/p1=test&css=/evil.com/more_evil
Then this javascript will create a new link in the header like:
link rel="stylesheet" href="//evil.com/more_evil.css"
Which is a valid URL (even without the scheme http/https), which can access the remote CSS file.
answered 2 days ago
hft
1,001617
You could avoid this specific issue by changing the regex to: /[?&]css=([a-zA-z]*)/
– hft
2 days ago
add a comment |Â
up vote
5
down vote
Any ideas if this code is vulnerable and how can it be exploited?
As mentioned in the comments, this code could be vulnerable to CSS injection.
For example, if the URL looks like:
http://some.company.com/p1=test&css=/evil.com/more_evil
Then this javascript will create a new link in the header like:
link rel="stylesheet" href="//evil.com/more_evil.css"
Which is a valid URL (even without the scheme http/https), which can access the remote CSS file.
answered 2 days ago
hft
1,001617
You could avoid this specific issue by changing the regex to: /[?&]css=([a-zA-z]*)/
– hft
2 days ago
add a comment |Â
up vote
5
down vote
up vote
5
down vote
Any ideas if this code is vulnerable and how can it be exploited?
As mentioned in the comments, this code could be vulnerable to CSS injection.
For example, if the URL looks like:
http://some.company.com/p1=test&css=/evil.com/more_evil
Then this javascript will create a new link in the header like:
link rel="stylesheet" href="//evil.com/more_evil.css"
Which is a valid URL (even without the scheme http/https), which can access the remote CSS file.
answered 2 days ago
hft
1,001617
Any ideas if this code is vulnerable and how can it be exploited?
As mentioned in the comments, this code could be vulnerable to CSS injection.
For example, if the URL looks like:
http://some.company.com/p1=test&css=/evil.com/more_evil
Then this javascript will create a new link in the header like:
link rel="stylesheet" href="//evil.com/more_evil.css"
Which is a valid URL (even without the scheme http/https), which can access the remote CSS file.
answered 2 days ago
hft
1,001617
answered 2 days ago
hft
1,001617
answered 2 days ago
hft
1,001617
answered 2 days ago
hft
1,001617
1,001617
You could avoid this specific issue by changing the regex to: /[?&]css=([a-zA-z]*)/
– hft
2 days ago
add a comment |Â
You could avoid this specific issue by changing the regex to: /[?&]css=([a-zA-z]*)/
– hft
2 days ago
You could avoid this specific issue by changing the regex to: /[?&]css=([a-zA-z]*)/
– hft
2 days ago
You could avoid this specific issue by changing the regex to: /[?&]css=([a-zA-z]*)/
– hft
2 days ago
add a comment |Â
up vote
1
down vote
It is vulnerable but you can solve that easily with whitelisting:
var allowedBrands = ['brand1', 'brand2', 'brand3'],
query = /[?&]css=([A-Za-z0-9]*)/i.exec(window.location.search);
if (query && allowedBrands.indexOf(query[1]))
return query[1];
else
return allowedBrands[0]; // this is the default value
answered yesterday
MatÃas Pizarro
111
New contributor
MatÃas Pizarro is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |Â
up vote
1
down vote
It is vulnerable but you can solve that easily with whitelisting:
var allowedBrands = ['brand1', 'brand2', 'brand3'],
query = /[?&]css=([A-Za-z0-9]*)/i.exec(window.location.search);
if (query && allowedBrands.indexOf(query[1]))
return query[1];
else
return allowedBrands[0]; // this is the default value
answered yesterday
MatÃas Pizarro
111
New contributor
MatÃas Pizarro is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |Â
up vote
1
down vote
up vote
1
down vote
It is vulnerable but you can solve that easily with whitelisting:
var allowedBrands = ['brand1', 'brand2', 'brand3'],
query = /[?&]css=([A-Za-z0-9]*)/i.exec(window.location.search);
if (query && allowedBrands.indexOf(query[1]))
return query[1];
else
return allowedBrands[0]; // this is the default value
answered yesterday
MatÃas Pizarro
111
New contributor
MatÃas Pizarro is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
It is vulnerable but you can solve that easily with whitelisting:
var allowedBrands = ['brand1', 'brand2', 'brand3'],
query = /[?&]css=([A-Za-z0-9]*)/i.exec(window.location.search);
if (query && allowedBrands.indexOf(query[1]))
return query[1];
else
return allowedBrands[0]; // this is the default value
answered yesterday
MatÃas Pizarro
111
New contributor
MatÃas Pizarro is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered yesterday
MatÃas Pizarro
111
New contributor
MatÃas Pizarro is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered yesterday
MatÃas Pizarro
111
answered yesterday
MatÃas Pizarro
111
111
New contributor
MatÃas Pizarro is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
MatÃas Pizarro is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
MatÃas Pizarro is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |Â
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f193397%2fis-this-code-vulnerable-to-reflected-xss%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
1
//domain.tld/bad.cssis a potentially valid url. no xss, but a css injection potential.– dandavis
2 days ago