Is it possible to perform a XSS attack using jQuery's .attr(attributeName, value) method in the following context?

问题: Given is the following html fragment: <div id="div001" title="abc">Test</div> Is it possible to perform a XSS attack when the attacker can provide an arbit...

问题:

Given is the following html fragment:

<div id="div001" title="abc">Test</div>

Is it possible to perform a XSS attack when the attacker can provide an arbitrary value for the variable unsafe_string in the following context:

$('#div001').attr("title", unsafe_string);

My question is: Is it possible to break out of the attribute value so that some malicious code can get injected and executed? The attacker has only control of unsafe_string and nothing else.

I could for example observe that

$('#div001').attr("title", '"');

results in

$('#div001').attr("title") = """

回答1:

Yes, there are a number of vulnerabilities in this code:

  1. execution of malicious javascript when you execute $('#div001').attr("title", unsafe_string);
  2. injection of malicious javascript in the attibute value (title)
  3. injection of html in the attribute value

You have to escape the unsafe string to protect against all of these (and also you have to validate the unsafe string when you save it in your application). I suggest using an existing security library for this, depending on your technology stack. See more here: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet


回答2:

No, as jQuery takes care of escaping the content of unsafe_string, so that it is not possible to break out of the attribute value. Writing html or javascript code into the attribute value via jQuery's attr() function will escape the string and will not get interpreted as html or executed as javascript code.

The escaping behaviour can be checked by looking at $('#div001')[0].outerHTML.

  • 发表于 2019-02-14 19:33
  • 阅读 ( 238 )
  • 分类:网络文章

条评论

请先 登录 后评论
不写代码的码农
小编

篇文章

作家榜 »

  1. 小编 文章
返回顶部
部分文章转自于网络,若有侵权请联系我们删除