Facebook’s Parse – DOM XSS
2:01 PM
Here are some client-side bugs that were present on the Parse.com site:


The first vulnerable code was present in https://parse.com/apps/user_management:

document.getElementById('content').innerHTML =
  '<h1>This page lets you host Parse.com content from your own domain.</h1>' +
  '<p>Right click <a href="' + window.location.pathname + '">here</a> to save this page. ' +
  'Upload it to your own website and paste the URL in the "Parse Frame URL"';

The problem is that window.location.pathname is concatenated into the href attribute and written through innerHTML without any HTML encoding.
This can be exploited with https://parse.com/apps/user_management/?/<payload>: the path is written into the href attribute as-is, so a double quote in it closes the attribute and whatever follows is parsed as markup. Ouch! This vulnerability is only exploitable in Internet Explorer 11, because other browsers percent-encode characters such as " and < in location.pathname before a script can read them.
The second one is on the same page:
if (param == 'link') {
  link = urlParams['link'];
}
var iframe = document.createElement('iframe');
iframe.setAttribute('src', link);

This one is easy to exploit; ?link=/closesrc><payload> would do the job! Note that setAttribute() does not let you break out of the src attribute, so with the code as shown the value that lands in src has to be a URL the iframe will execute (a javascript: URL, for example) rather than injected markup.
Fixes are in place now: the values are passed through encodeURIComponent()! :)
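As an added example (not code from the Parse.com page or from the author), the two sinks described above are modelled as pure functions, each beside a hardened version, so the behaviour can be checked outside a browser. The helper encodeHtml(), the frame-URL policy in safeFrameUrl(), the attacker path and the URLs are all constructed for this demo; they are assumptions, not details from the report.

```javascript
// Added example, not the Parse.com page's own code. It models the two sinks
// described in the post as pure functions so the behaviour can be checked
// outside a browser. The payload and URLs below are constructed for the demo.

// Sink 1, as on the page: the path is concatenated into an href attribute.
function buildNoticeVulnerable(pathname) {
  return '<h1>This page lets you host Parse.com content from your own domain.</h1>' +
    '<p>Right click <a href="' + pathname + '">here</a> to save this page. ' +
    'Upload it to your own website and paste the URL in the "Parse Frame URL"</p>';
}

// Hypothetical helper: escape the five characters that matter in HTML text and
// double-quoted attribute values. encodeURIComponent() is a URL encoder, not an
// HTML encoder, so it is not the natural tool for this context.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// Hardened version of sink 1: same markup, attribute value HTML-encoded.
function buildNoticeSafe(pathname) {
  return '<h1>This page lets you host Parse.com content from your own domain.</h1>' +
    '<p>Right click <a href="' + encodeHtml(pathname) + '">here</a> to save this page. ' +
    'Upload it to your own website and paste the URL in the "Parse Frame URL"</p>';
}

// Sink 2, as on the page: a query parameter becomes iframe.src. setAttribute()
// cannot be broken out of, so what matters is the scheme of the URL. Hypothetical
// policy: only http(s) URLs are accepted; anything else is refused.
function safeFrameUrl(link, base) {
  let parsed;
  try {
    parsed = new URL(link, base);
  } catch (e) {
    return null;                         // unparseable: refuse
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
    return null;                         // javascript:, data:, vbscript:, ...
  }
  return parsed.href;
}

// Constructed attacker path: closes the href attribute and injects a tag.
const ATTACK_PATH = '/apps/user_management/"><img src=x onerror=alert(1)>';

// Most browsers percent-encode " < > in location.pathname before scripts see it;
// the post notes the bug was only exploitable in IE11, which did not. encodeURI()
// applies the same kind of encoding here so both cases can be compared.
function demo() {
  return {
    ieStyle: buildNoticeVulnerable(ATTACK_PATH),                // breakout succeeds
    encodedBrowser: buildNoticeVulnerable(encodeURI(ATTACK_PATH)), // no breakout
    hardened: buildNoticeSafe(ATTACK_PATH),                     // no breakout
    frameOk: safeFrameUrl('https://example.org/page.html', 'https://parse.com/'),
    frameBad: safeFrameUrl('javascript:alert(1)', 'https://parse.com/'),
  };
}
```

Running demo() shows that the vulnerable builder emits the injected tag verbatim for the raw path, that the same builder is harmless once the path arrives percent-encoded (which is why the bug needed IE11), and that the javascript: frame URL is refused while the ordinary https: one passes through.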
Hope you find this useful and find similar bugs!
Dec 30, 2014 – Initial Triage
Mar 30, 2015 – More clarification sent
Mar 31, 2015 – Report got escalated
Apr 2, 2015 – Fix and Bounty!
8 comments
Can you give me a direction for DOM XSS? I mean, I know JS and today I started learning the JS DOM. In your recent post you write > document.getElementById('content').innerHTML
with window.location.pathname without proper encoding.
But why add ? to execute the payload? I mean, how do you know which thing to add? The first one I got, but in the second why did you add closesrc? Can you post an article about these?
Hi, I didn't give explicit details because I thought they would be obvious to regular hunters and pen testers.
document.getElementById('content').innerHTML = document.location.pathname means: find the element (in this case the div with the id content) and make its innerHTML contain the page's path. Since we can control the page's path, we can give it malicious input. When it is rendered back into the HTML, the malicious input gets reflected and causes XSS.
I hope this helps!
Hi! How much reward did you get?
~1K.
Hi, I need a Parse account to test something, but Facebook does not allow new users to sign up. Can you give me a Parse account if you have one? I need it. My email is Krishnasharma14u@gmail.com
Please help me. I will pay you for a parse.com account.
Wow, thanks for sharing.