Hacker Read

tester34 · 2021-07-01 12:04:06

but, what's the actual issue?

XSS?

what's the vector attack here?

where the `text` comes from?

lucideer | karma 13373 | avg karma 3.96 · | 2020-11-09 12:38:25+00:00

> If a server sends my browser text, however, and my idiot browser executes it as code, that's also a server flaw.

XSS is not the server sending your browser text, that your idiot browser executes as code. XSS is the idiot server sending the browser code that the server thinks is text. The browser's job is to execute code the server sends it: the browser trusts the server, and it's the server's job to ensure what it's sending as code is code and what it's sending as text is text.

reply

pjc50 | karma 93685 | avg karma 3.72 · | 2020-11-09 13:03:22

> If a server sends my browser text, however, and my idiot browser executes it as code

That's entirely normal.

There's no hard distinction between "text" and "code", and there always end up being leaks in the systems designed to keep them apart.

In the case of XSS, the difference is between "text" of the webpage that you're supposed to execute and "text" that was inserted into the web page from somewhere else.

reply

knassy | karma 23 | avg karma 1.77 · | 2014-03-10 02:24:24+00:00

I'm interested in what's happening here. Can you provide a link/more info on what the XSS issue is?

(I honestly don't know and would love to learn about this. Thanks)

reply

strommen | karma 1068 | avg karma 5.37 · | 2015-05-20 19:08:17

> The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack.

How can an HTML file be vulnerable to XSS?

reply

jannyfer | karma 403 | avg karma 3.08 · | 2018-06-21 14:59:27

Mind explaining how that text input field creates an XSS opportunity?

> XSS enables attackers to inject client-side scripts into web pages viewed by other users.

Nobody other than you will see your alert("this is bad") so this doesn't seem like XSS.

reply

girvo | karma 11277 | avg karma 2.24 · | 2013-12-01 13:43:23+00:00

Oh true. What kind of issue, XSS or something else? (just generically, not specifics)

ptx | karma 4263 | avg karma 2.44 · | 2024-02-11 19:29:36

> Whenever anything is sent to the server from the browser, we need proper validation. Input should be properly sanitized before being sent to the server.

That doesn't sound right. If the attack vector is reflected XSS, i.e. that code (HTML/JS/etc.) is taken from the attacker's input, stored in the database by the server and later injected straight into another user's page, sanitizing it "before being sent to the server" would mean relying on the attacker helpfully sanitizing their own data.

reply

vertex-four | karma 8023 | avg karma 2.57 · | 2014-10-30 09:58:56+00:00

> Something like a Markdown converter seems less likely, though not impossible.

Really? I've found serious XSS bugs in frameworks that are semi-popular for writing real-time applications with a web component. What's outputted from your Markdown converter is generally assumed to be trusted HTML. Additionally, if it's not written in a language with good string support... it has string processing, which could lead to a crash or buffer overflow easily. It seems that a Markdown converter is exactly the sort of place you'd be likely to find an attack vector.

reply

sytringy05 | karma 253 | avg karma 2.14 · | 2023-06-26 00:54:14

Pretty interesting way to run what's in effect a XSS attack.

enormousness | karma 15 | avg karma 0.94 · | 2023-12-20 01:55:30

This approach is also ripe for an XSS exploit.

bencoder | karma 788 | avg karma 2.91 · | 2016-08-19 19:09:26+00:00

Looks like someone has found an XSS attack :D

foota | karma 6719 | avg karma 2.15 · | 2017-12-10 23:36:52

innerHtml wouldn't eliminate xss vectors though, things like load=something could bypass this.

uaygsfdbzf | karma 242 | avg karma 1.25 · | 2014-02-16 12:44:33+00:00

Ehh.. that's some serious XSS vulnerability there.

thephyber | karma 4253 | avg karma 2.05 · | 2017-06-08 20:07:53+00:00

> Lastly, “DOM-based XSS” attacks occur purely in the browser when client-side JavaScript echoes back a portion of the URL onto the page.

This Google Doc has tracked almost all "sinks" and "sources" for DOM-based XSS[1]. They aren't by any means limited to the URL (usually accessed by the `document.location` object).

[1] https://docs.google.com/spreadsheets/d/1Mnuqkbs9L-s3QpQtUrOk...

reply

zlies | karma 33 | avg karma 3.0 · | 2024-05-03 21:31:04

Seems like there are some XSS vulnerabilities :D

eloisant | karma 5215 | avg karma 3.54 · | 2012-11-29 12:53:43+00:00

tl;dr; XSS is a security hole.

namarkiv | karma 217 | avg karma 5.86 · | 2013-12-01 13:44:18

Not XSS. I will disclose more once it is fixed.

0x0 | karma 17884 | avg karma 5.06 · | 2013-01-26 21:49:11+00:00

Hello, XSS :)

gregmolnar | karma 668 | avg karma 6.3 · | 2022-02-22 00:02:17

There is an XSS vulnerability at the comments.