Facebook’s Parse – DOM XSS

2:01 PM

Here are some client-side bugs that were present in Parse.com homepage:

The first vulnerable code was present in https://parse.com/apps/user_management:

document.getElementById('content').innerHTML =
          '<h1>This page lets you host Parse.com content from your own domain.</h1>' +
          '<p>Right click <a href="' + window.location.pathname + '">here</a> to save this page. ' +
          'Upload it to your own website and paste the URL in the "Parse Frame URL";

The problem is present because of using document.getElementById('content').innerHTML
With  window.location.pathname without no proper encoding.
This can be exploited with https://parse.com/apps/user_management/?/<payload> and that will be written in the href tag as a pathname. Ouch! This vulnerability is only Exploitable in Internet Explorer 11

The second one at this same page:
if (param == 'link') {
            link = urlParams['link'];
var iframe = document.createElement('iframe');
iframe.setAttribute('src', link);

This one is easy to exploit, ?link=/closesrc><payload> would do the job!
some effective fixes have been in place now to use encodeURICompnent()! :)

Hope you find this useful and find similar bugs!

Dec 30, 2014 – Initial Triage
Mar 30, 2015 – More clarification sent
Mar 31, 2015 – Report got escalated
Apr 2, 2015 – Fix and Bounty!

You Might Also Like


  1. can you give me a direction for dom xss i meant see i know js and today i started learning js dom like in your recent post you write > document.getElementById('content').innerHTML
    With window.location.pathname without no proper encoding.
    but why add ? to execute payload i meant how to know which thing to add like first one i got but in second why u added closesrc can you post a article about these

    1. Hi, I didn't give explicit details because I taught they would be obvious to the regular hunters and pen testers.
      document.getElementById('content').innerHTML = document.location.pathname implies that to find the element (in this case div with the id content) and make its innerHTML contain the page's path. since we can control the pages path, we can give it a malicious input. when it is rendered back to the HTML, the malicious input gets reflected and causes XSS.

      I hope this helps!

  2. Hi! How much reward did you get?

  3. hii i need an parse account for test something..but facebook not allow new users to sign up..can you give a parse account if you have i need it...my email is Krishnasharma14u@gmail.com

  4. please help me..i will pay you for parse.com account

  5. Hi, Great.. Tutorial is just awesome..It is really helpful for a newbie like me.. I am a regular follower of your blog. Really very informative post you shared here. Kindly keep blogging. If anyone wants to become a Front end developer learn from Javascript Training in Chennai . or Javascript Training in Chennai. Nowadays JavaScript has tons of job opportunities on various vertical industry. JavaScript Training in Chennai


Note: Only a member of this blog may post a comment.