Facebook’s Parse – DOM XSS

2:01 PM

These are a couple of simple DOM-based XSS bugs that were present on the Parse site. Given how easy they were to exploit, I am posting them so that other people scan the site's JS code more closely; it is very likely that more bugs of this kind exist.
The first vulnerable code was present at https://parse.com/apps/user_management:

// Source: window.location.pathname (controlled through the URL path)
// Sink: innerHTML, with the path concatenated straight into an href attribute
document.getElementById('content').innerHTML =
          '<h1>This page lets you host Parse.com content from your own domain.</h1>' +
          '<p>Right click <a href="' + window.location.pathname + '">here</a> to save this page. ' +
          'Upload it to your own website and paste the URL in the "Parse Frame URL"';

The problem is that document.getElementById('content').innerHTML is assigned a string built from window.location.pathname without any encoding.
This can be exploited with https://parse.com/apps/user_management/?/<payload>: the payload becomes part of the pathname and is written straight into the href attribute. Ouch!

The second one is on the same page:
// Source: the ?link= query parameter; sink: the src attribute of a new iframe.
// param and urlParams come from the page's query-string parsing loop, which is not shown here.
var link;
if (param == 'link') {
            link = urlParams['link'];
}
var iframe = document.createElement('iframe');
iframe.setAttribute('src', link);

This one is easy to exploit: ?link=/closesrc><payload> would do the job!
Effective fixes are now in place, using encodeURIComponent(). :)
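As an added example (not code from the post or from Parse), here are the two patterns above next to hardened versions, written as pure string-building functions so they can be checked without a browser. The names escapeHtml, buildHrefVulnerable, buildHrefSafe and safeIframeSrc are my own, and the sample inputs are constructed.

```javascript
// Added example, not Parse's code. Pattern 1 (path into an href attribute)
// and pattern 2 (query parameter into an iframe src) as pure functions.

// Escape the characters that matter inside HTML text and attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Pattern 1 as posted: the pathname is concatenated straight into an href.
// A pathname containing a double quote closes the attribute and starts new markup.
function buildHrefVulnerable(pathname) {
  return '<p>Right click <a href="' + pathname + '">here</a> to save this page.</p>';
}

// Hardened: attribute-encode the value before it meets the markup.
function buildHrefSafe(pathname) {
  return '<p>Right click <a href="' + escapeHtml(pathname) + '">here</a> to save this page.</p>';
}

// Pattern 2: a query parameter used as an iframe src. encodeURIComponent()
// (the fix the post mentions) keeps the value from breaking out of the
// attribute, but an iframe src is itself a URL, so a defender also wants to
// allow-list its shape: here only a same-origin relative path is accepted.
// Returns the link if acceptable, otherwise null (constructed policy).
function safeIframeSrc(link) {
  if (typeof link !== 'string') return null;
  // Exactly one leading slash (rejects schemes and protocol-relative "//"),
  // then a conservative path character set.
  if (!/^\/(?!\/)[A-Za-z0-9_\-./]*$/.test(link)) return null;
  return link;
}
```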

Hope you find this useful and find similar bugs!

Mar 30, 2015 – Initial Report
Mar 30, 2015 – More clarification sent
Mar 31, 2015 – Report got escalated
Apr 2, 2015 – Fix and Bounty!


6 comments

  1. Can you give me a direction for DOM XSS? I mean, I know JS, and today I started learning the JS DOM. In your recent post you write: > document.getElementById('content').innerHTML
    with window.location.pathname without proper encoding.
    But why add ? to execute the payload? I mean, how do I know which thing to add? The first one I got, but in the second, why did you add closesrc? Can you post an article about these?

    1. Hi, I didn't give explicit details because I thought they would be obvious to regular hunters and pen testers.
      document.getElementById('content').innerHTML = document.location.pathname means: find the element (in this case the div with the id content) and make its innerHTML contain the page's path. Since we can control the page's path, we can give it malicious input. When it is rendered back to the HTML, the malicious input gets reflected and causes XSS.

      I hope this helps!

  2. Hi, I need a Parse account to test something, but Facebook does not allow new users to sign up. Can you give me a Parse account if you have one? I need it. My email is Krishnasharma14u@gmail.com

  3. Please help me. I will pay you for a parse.com account.
