Facebook’s Parse – DOM XSS

2:01 PM

Here are some client-side bugs that were present on the Parse.com homepage:

The first vulnerable code was present in https://parse.com/apps/user_management:

// window.location.pathname is concatenated straight into the href attribute
document.getElementById('content').innerHTML =
          '<h1>This page lets you host Parse.com content from your own domain.</h1>' +
          '<p>Right click <a href="' + window.location.pathname + '">here</a> to save this page. ' +
          'Upload it to your own website and paste the URL in the "Parse Frame URL"</p>';

The problem is that window.location.pathname is written into the page through document.getElementById('content').innerHTML without any encoding, so whatever characters appear in the path land inside the href attribute as raw markup.
This can be exploited with https://parse.com/apps/user_management/?/<payload>, and the payload is written into the href as the pathname. Ouch! This vulnerability is only exploitable in Internet Explorer 11: other browsers percent-encode characters such as " and < when they expose location.pathname, so the payload never reaches the attribute unencoded.

The second one, on the same page:
if (param == 'link') {
            link = urlParams['link'];                 // attacker-controlled query parameter
            var iframe = document.createElement('iframe');
            iframe.setAttribute('src', link);          // used as the frame URL without validation
}

This one is easy to exploit: ?link=/closesrc><payload> would do the job! (Note that setAttribute() assigns the value through the DOM rather than by string concatenation, so the attribute breakout only lands if the element is later serialized into markup, a step the excerpt above does not show. Even without a breakout, an attacker-controlled iframe src is dangerous in itself, since it can carry a javascript: URL.)
Some effective fixes are now in place using encodeURIComponent()! :)
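Both bugs above come down to the same mistake: an untrusted URL fragment reaching markup or an attribute without encoding or validation. The block below is an added example, not Parse's code and not the fix the post refers to (the post only says Parse used encodeURIComponent()). It rebuilds the two patterns as pure string functions so they run under Node without a DOM, puts my own hardened variant next to each, and shows why a WHATWG-compliant URL parser (what Chrome, Firefox and Node use) blocks the first bug on its own. The function names and the payload path are assumptions made for the example.

```javascript
// Added example (not Parse's code): the two patterns from the write-up rebuilt as
// pure string functions so they run under Node without a DOM. The hardened
// variants are my own; the post only says Parse's fix used encodeURIComponent().

// Escape the five characters that matter in HTML text and double-quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Bug 1 as written: the pathname is concatenated straight into an href attribute.
function buildContentVulnerable(pathname) {
  return '<h1>This page lets you host Parse.com content from your own domain.</h1>' +
    '<p>Right click <a href="' + pathname + '">here</a> to save this page.</p>';
}

// Bug 1 hardened: attribute-encode the untrusted value before concatenation.
function buildContentSafe(pathname) {
  return '<h1>This page lets you host Parse.com content from your own domain.</h1>' +
    '<p>Right click <a href="' + escapeHtml(pathname) + '">here</a> to save this page.</p>';
}

// Count start tags in a markup string. The template legitimately has three
// (<h1>, <p>, <a>); anything above that was smuggled in through the path.
function countStartTags(html) {
  return (html.match(/<[a-z][^>]*>/gi) || []).length;
}

// What a WHATWG-compliant URL parser reports as pathname for a URL whose path
// carries raw HTML characters: " < > and space come back percent-encoded.
// IE 11 returned them unencoded, which is why bug 1 was only exploitable there.
function pathnameAsModernBrowserSees(fullUrl) {
  return new URL(fullUrl).pathname;
}

// Bug 2 hardened: accept the frame URL only if it resolves to http(s). This blocks
// javascript: and data: sources while still allowing the user's own domain, which
// is what the "Parse Frame URL" feature exists for. Returns null on rejection.
function safeFrameUrl(link, pageUrl) {
  let u;
  try {
    u = new URL(link, pageUrl); // resolves relative links against the page URL
  } catch (e) {
    return null; // unparseable input is rejected rather than passed through
  }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
  return u.href;
}

// Constructed payload for the demonstration (hypothetical; not the one from the post).
const PAYLOAD_PATH = '/apps/user_management/"><img src=x onerror=alert(1)>';

// Runs every check once and returns the results so they can be inspected.
function demo() {
  return {
    vulnerableTags: countStartTags(buildContentVulnerable(PAYLOAD_PATH)), // 4: <img> injected
    safeTags: countStartTags(buildContentSafe(PAYLOAD_PATH)),             // 3: template only
    modernPathname: pathnameAsModernBrowserSees('https://parse.com' + PAYLOAD_PATH),
    jsLink: safeFrameUrl('javascript:alert(1)', 'https://parse.com/apps/user_management'),
    ownDomainLink: safeFrameUrl('https://example.org/frame.html', 'https://parse.com/apps/user_management'),
  };
}
```

The protocol allowlist is deliberately the only restriction in safeFrameUrl(): the feature is meant to frame a page on the user's own domain, so a same-origin check would break it, while javascript: and data: have no legitimate use as a frame source here.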

Hope you find this useful and go on to find similar bugs!

Dec 30, 2014 – Initial Triage
Mar 30, 2015 – More clarification sent
Mar 31, 2015 – Report got escalated
Apr 2, 2015 – Fix and Bounty!