Merge pull request #6 from yamakira/dom-xss-docs

Updated docs to add DOM XSS issue.
0xCollab · Aug 28, 2018 · 5817495 · 5817495
2 parents d4bbc0d + ee325ca
commit 5817495
Showing 1 changed file with 35 additions and 1 deletion.
diff --git a/docs/solution/a7-xss.md b/docs/solution/a7-xss.md
@@ -81,6 +81,40 @@ Implemented in the following files
 
 The fix has been implemented in this [commit](https://github.com/appsecco/dvna/commit/6acbb14b51df84d4c4986d95f8fa4e3a6d600e35)
 
+## DOM XSS in user listing
+
+- When registering a user, use the value `<img src="a" onerror="alert(document.domain)">` for "Name"
+- When any logged in user visits `/app/admin/users`, an XHR GET request is made to `/app/admin/usersapi` to retrieve the details of users on the application. The details retrieved are used to update the page using `innerHTML` and the details are rendered directly thus making the page vulnerable to XSS
+
+**Vulnerable Code snippet**
+
+*views/app/adminusers.ejs*
+
+```
+...
+c_id.innerHTML = users[i].id;
+c_name.innerHTML = users[i].name;
+c_email.innerHTML = users[i].email;
+...
+```
+
+User supplied input is injected into the page as markup using `innerHTML`. This issue can be exploited to inject arbitrary scripting code to perform a Cross-site Scripting attack.
+
+**Solution**
+
+```
+...
+c_id.textContent = users[i].id;
+c_name.textContent = users[i].name;
+c_email.textContent = users[i].email;
+...
+```
+The most fundamental safe way to populate the DOM with untrusted data is to use the safe assignment property, `textContent`.
+
+**Fixes**
+
+TBD
+
 **Recommendation**
 
 - Use Security header `X-XSS-Protection` to prevent reflected XSS attacks
@@ -92,4 +126,4 @@ The fix has been implemented in this [commit](https://github.com/appsecco/dvna/c
 **Reference**
 
 - <https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)>
-- <https://www.npmjs.com/package/xss-filters>
+- <https://www.npmjs.com/package/xss-filters>