hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-27 01:35:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

add QHelp for js/xss-through-dom query

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2020-04-03 15:54:27 +02:00
parent 14b551f887
commit 1b80f46f30
3 changed files with 79 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

71
javascript/ql/src/Security/CWE-079/XssThroughDom.qhelp Normal file
View File

@@ -0,0 +1,71 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
Writing text from a webpage to the same webpage without properly sanitizing the
input first, might allow for a cross-site scripting vulnerability.
</p>
<p>
A webpage with this vulnerability unescapes an otherwise sanitized text,
and thereby allows an attacker to use sanitized text in the DOM to perform a
cross-site scripting attack.
</p>
</overview>
<recommendation>
<p>
To guard against cross-site scripting, consider using contextual output encoding/escaping before
writing text to the page, or one of the other solutions that are mentioned in the references.
</p>
</recommendation>
<example>
<p>
The following example shows a webpage using a <code>data-target</code> attribute
to select and manipulate a DOM element using the JQuery library. In the example, the
<code>data-target</code> attribute is read into the <code>target</code> variable, and the
<code>$</code> function is then supposed to use the <code>target</code> variable as a CSS
selector to determine which element should be manipulated.
</p>
<sample src="examples/XssThroughDom.js" />
<p>
However, if an attacker can control the <code>data-target</code> attribute,
then the value of <code>target</code> can be used to cause the <code>$</code> function
to execute arbitary JavaScript.
</p>
<p>
The above vulnerability can be fixed by using <code>$.find</code> instead of <code>$</code>.
The <code>$.find</code> function will only interpret <code>target</code> as a CSS selector
and never as HTML, thereby preventing an XSS attack.
</p>
<sample src="examples/XssThroughDomFixed.js" />
</example>
<references>
<li>
OWASP:
<a href="https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html">DOM based
XSS Prevention Cheat Sheet</a>.
</li>
<li>
OWASP:
<a href="https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html">XSS
(Cross Site Scripting) Prevention Cheat Sheet</a>.
</li>
<li>
OWASP
<a href="https://www.owasp.org/index.php/DOM_Based_XSS">DOM Based XSS</a>.
</li>
<li>
OWASP
<a href="https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting">Types of Cross-Site
Scripting</a>.
</li>
<li>
Wikipedia: <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting</a>.
</li>
</references>
</qhelp>

4
javascript/ql/src/Security/CWE-079/examples/XssThroughDom.js Normal file
View File

@@ -0,0 +1,4 @@
$("button").click(function () {
var target = this.attr("data-target");
$(target).hide();
});

4
javascript/ql/src/Security/CWE-079/examples/XssThroughDomFixed.js Normal file
View File

@@ -0,0 +1,4 @@
$("button").click(function () {
var target = this.attr("data-target");
$.find(target).hide();
});