bugbounty

Facebook’s Parse – DOM XSS

2:01 PM

These are just some simple bugs that were present in Parse site. Considering the ease of exploitation, I am posting this to make sure other people can scan the JS code more intensively and find more bugs, it’s very likely.
The first vulnerable code was present in https://parse.com/apps/user_management:

document.getElementById('content').innerHTML =
          '<h1>This page lets you host Parse.com content from your own domain.</h1>' +
          '<p>Right click <a href="' + window.location.pathname + '">here</a> to save this page. ' +
          'Upload it to your own website and paste the URL in the "Parse Frame URL";

The problem is present because of using document.getElementById('content').innerHTML
With  window.location.pathname without no proper encoding.
This can be exploited with https://parse.com/apps/user_management/?/<payload> and that will be written in the href tag as a pathname. Ouch!

The second one at this same page:
if (param == 'link') {
            link = urlParams['link'];
}
var iframe = document.createElement('iframe');
iframe.setAttribute('src', link);

This one is easy to exploit, ?link=/closesrc><payload> would do the job!
some effective fixes have been in place now to use encodeURICompnent()! :)

Hope you find this useful and find similar bugs!

Mar 30, 2015 – Initial Report
Mar 30, 2015 – More clarification sent
Mar 31, 2015 – Report got escalated
Apr 2, 2015 – Fix and Bounty!