DOM Based Cross-site Scripting example: JavaScript does not get executed - javascript

I have recently read the following article about a DOM-based XSS:
https://www.netsparker.com/blog/web-security/dom-based-cross-site-scripting-vulnerability/
But the examples provided in the article are not working as described. I created the HTML example file:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head></head>
<body>
<script>
document.write("<b>Current URL</b> : " + document.baseURI);
</script>
<h1> Welcome on my Example Page </h1>
</body>
</html>
I have put the above file in an application folder of a web application deployed on the JBoss server and I have called the resource from my browser (I have tried both IE 11 and Firefox). IE 11 shows the resulting HTML content like this:
Current URL : undefined
Welcome on my Example Page
while Firefox shows the resulting HTML content like this:
Current URL : https://localhost:8443/ukvlei/example.html
Welcome on my Example Page
In both cases, I cannot force either browser to execute the JavaScript after the # sign, as described in the article. When I type
https://localhost:8443/ukvlei/example.html#<script>alert(1)</script>
in the address bar of the browser, I get the following HTML content:
under IE 11:
Current URL : undefined
Welcome on my Example Page
under Firefox:
Current URL : https://localhost:8443/ukvlei/example.html#%3Cscript%3Ealert(1)%3C/script%3E
Welcome on my Example Page
What am I doing wrong, so that I cannot execute the JavaScript in either browser?
Thank you!

You haven't run the URI through decodeURIComponent so that the URI syntax is converted back to text.

I want to thank both #scagood and #Quentin, with whose help I got my question answered. So, the answer is:
1.) Apparently the example provided in the article is out of date, as it is around three years old, so:
2.) Use window.location.href instead of document.baseURI;
3.) To make the example run both under IE and Firefox, decode the URL using decodeURIComponent.
So, the working example HTML file now looks like this:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head></head>
<body>
<script>
document.write("<b>Current URL</b> : " + decodeURIComponent(window.location.href));
</script>
<h1> Welcome on my Example Page </h1>
</body>
</html>
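The document.write() sink from the accepted answer, modelled as plain functions so it can be run under Node without a browser (an added example, not code from the question or the answers; escapeHtml, renderUnsafe, renderSafe, containsScriptTag and SAMPLE_HREF are names chosen here):

```javascript
// Added example (not from the original thread): models the
// document.write(decodeURIComponent(window.location.href)) sink from the
// accepted answer as a pure function, so it can be run outside a browser.
// renderUnsafe() mirrors the page's markup; renderSafe() is the hardened form.

// Escape the five characters that let attacker-controlled text break out of
// an HTML text node or attribute value.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Same string the page's script hands to document.write(): the decoded
// URL is concatenated straight into markup, so the fragment becomes HTML.
function renderUnsafe(href) {
  return "<b>Current URL</b> : " + decodeURIComponent(href);
}

// Hardened form: decode for display, but HTML-escape before the string
// reaches a markup sink (or assign it to textContent instead of document.write).
function renderSafe(href) {
  return "<b>Current URL</b> : " + escapeHtml(decodeURIComponent(href));
}

// Detection helper: does the rendered markup contain a <script> tag that the
// URL author, not the page author, put there?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: the URL from the question, as Firefox percent-encodes
// the fragment (see the "under Firefox" output in the question).
const SAMPLE_HREF =
  "https://localhost:8443/ukvlei/example.html#%3Cscript%3Ealert(1)%3C/script%3E";

console.log(renderUnsafe(SAMPLE_HREF)); // fragment comes back as a live <script> tag
console.log(renderSafe(SAMPLE_HREF));   // fragment shown as text: &lt;script&gt;...
```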

Related

Unsecure content over https

I am getting the mixed content warning on a webapp I am working on when using the jsDatePick.
I have used fiddler and can confirm the problem is not caused by any image sources.
When a date is selected the following line is run:
window.location.href = "\something\something\day?=date" + this.getSelectedDateFormatted();
Would this be the cause of the problem?
The problem seems to be with a JsDatePick .js file. I have the same issue (mixed content). I'm unfortunately forced to use IE 8 for this project. The parent page is https, and I've minimized the page to the following (this minimal page still gets the mixed content pop-up):
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<script type="text/javascript" src="jsDatePick.min.1.3.js"></script>
<script type="text/javascript" src="jquery-1.2.1.pack.js"></script>
<script type="text/javascript">
window.onload = function()
{
new JsDatePick({
useMode:2,
target:"date_range1",
dateFormat:"%m/%d/%Y"
});
};
</script>
</head>
<body>
<h1> Hey</h1>
</body>
</html>
No, because the protocol is not specified it should inherit the protocol of the parent page. Look for anything calling "http://" instead of "https://" in your page source.

JavaScript error with document.write()

I am new to JavaScript and am trying to execute the following code. Could anyone tell me why only the first document.write is being executed and not the other ones?
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>my first java script</title>
</head>
<body>
<script type="text/javascript">
var myhello="hello world, welcome to java script";
var heading="a page of java script";
var linktag="wanna search on google";
var redtext="<span style=\"color:red\">I am so colorful today!</span>";
var begineffect="<strong>";
var endeffect="</strong>";
var beginpara="<p>";
var endpara="</p>";
document.write(begineffect+heading+endeffect);
document.write(begingpara);
document.write(hello);
document.write(endpara);
document.write(begingpara);
document.write(linktag);
document.write(endpara);
document.write(beginpara);
document.write(redtext);
document.write(endpara);
</script>
</body>
</html>
I have tested the following code in all web browsers.
It is generating an error because you don't have a variable called hello:
var hello = 'define something here';
document.write(hello);
Using a good browser like Chrome, or Firefox + Firebug, will reveal errors like this if you use the web inspector.
http://www.google.com/chrome/intl/en/webmasters-faq.html#jsexec
If you check your console (F12 in Chrome, or load Firebug for Firefox) you see this error:
Uncaught ReferenceError: begingpara is not defined
You have many typos and incorrect variable names (i.e. you have defined variables but used a different name when referencing them) - correct them and your code will run.
It overwrites everything, so the others no longer exist.

How to show exact URL with escaped characters in Safari?

I have a url like this : http://www.refskou.dk/safari-%F8.html
The file is named like this: safari-ø.html
The file consists of this:
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<script>
alert(this.location);
</script>
</head>
<body>
</body>
</html>
But it does not print out /safari-%F8.html nor safari-ø.html
It prints out the question mark indicating that it does not know of the character "ø".
All I want is to print out the URL as I see it in the address bar.
Please give me a hint. This is only a problem in Safari as far as I have tested.
I need to tell you that I do not have control over what kind of charset used on the page. I can only execute javascript :-)
In response to this answer.
The reason for the lack of control is that I make a script that can be included in hopefully any webpage, and so I have no control over what kind of charset is used. The included script can of course have its own charset, introduced by the charset attribute on the "script" tag, but I cannot get it to work.
unescape('/safari-%F8.html') == '/safari-ø.html'
Note that Safari still gives you a ?, but Chrome shows either a %F8 or ø
In Safari (nevermind):
var str = '/safari-%F8.html';
alert(str.replace(/%[A-F0-9]{2}/g, function(v){ return String.fromCharCode(parseInt(v.substr(1), 16)); }));
The above works on normal strings, but Safari is seeing that character as unicode 65533, and I'm not sure how to convert that back to ASCII 248...
Try the unescape javascript function:
alert(unescape(this.location));
I believe you'll need to specify a character set.
The first thing in your Head section...
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
More Info Here
EDIT: I missed the part where the OP states he has no control over the character set on the page. I believe this is the root of the problem and wonder why he has no control over this.
Well I finally got it working. For some reason Safari cannot understand the strange characters when asking from this/window.location. But moving down a level to the document object and asking for the URL gives me just what I need. Why this is, I cannot tell you, but it solves the problem.
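The two decoders the answers above reach for behave differently on the %F8 in /safari-%F8.html, and the same difference affects the decodeURIComponent() call in the accepted answer of the first question. An added example that is not part of the thread, run under Node rather than Safari; decodeForDisplay, classifyEscapes, LATIN1_PATH and UTF8_PATH are names chosen here:

```javascript
// Added example (not from the original thread): decodeURIComponent() expects
// UTF-8 percent-escapes and throws a URIError on a lone %F8 (0xF8 is not a
// valid UTF-8 lead byte); the legacy unescape() maps %XX straight to the
// Latin-1 code point, which is where 'ø' (0xF8 = 248) comes from.

// Decode a URL path for display only. Try the UTF-8 decoder first and fall
// back to the Latin-1 interpretation when the escapes are not valid UTF-8,
// instead of letting the URIError abort the whole script.
function decodeForDisplay(path) {
  try {
    return decodeURIComponent(path);
  } catch (err) {
    if (!(err instanceof URIError)) throw err;
    // unescape() is deprecated, but it is exactly the %XX -> Latin-1 mapping
    // that produced the old-style URL in the question.
    return unescape(path);
  }
}

// Report which decoder accepted the input, so a caller can log or reject
// legacy-encoded URLs instead of silently displaying them.
function classifyEscapes(path) {
  try {
    decodeURIComponent(path);
    return "utf-8";
  } catch (err) {
    if (err instanceof URIError) return "latin-1-or-invalid";
    throw err;
  }
}

// Constructed samples: the question's Latin-1 URL and the UTF-8 form that
// encodeURI() produces for the same file name today.
const LATIN1_PATH = "/safari-%F8.html";
const UTF8_PATH = encodeURI("/safari-ø.html"); // "/safari-%C3%B8.html"

console.log(classifyEscapes(LATIN1_PATH), decodeForDisplay(LATIN1_PATH)); // latin-1-or-invalid /safari-ø.html
console.log(classifyEscapes(UTF8_PATH), decodeForDisplay(UTF8_PATH));     // utf-8 /safari-ø.html
```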

getElementsByTagNameNS in (X)HTML documents

I have a question on Javascript and DOM; shouldn't the following code retrieve the three foo:bar elements in the body? The alert window displays zero. It doesn't work in any browser I have (not even Chrome Canary). Thank you for helping, have a nice weekend.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:foo="http://example.com">
<head>
<title>Hello!</title>
<script type="text/javascript">
function bodyLoad() {
var extElements = document.getElementsByTagNameNS('http://example.com', 'bar');
alert(extElements.length);
}
</script>
</head>
<body onload="bodyLoad();">
<foo:bar>First Foo-Bar</foo:bar>
<foo:bar>Second Foo-Bar</foo:bar>
<foo:bar>Third Foo-Bar</foo:bar>
</body>
</html>
You are likely serving the document with the wrong content type. The browser has to treat it as XML for namespaces to be recognized, so you need to use application/xhtml+xml or another XML content-type, and not text/html.
As an aside, your Doctype is wrong. If you want to use a DTD, then you will need one that includes the elements you are using from the foo namespace. If you don't, then just get rid of the Doctype — it has no bearing on rendering mode in XML documents (again, text/html documents are treated as tag soup, not XML).

javascript: "Object doesn't support this property or method" when ActiveX object called

I've got simple html on Login.aspx with an ActiveX object:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head><title></title>
<script language="javaScript" type="text/javascript">
function getUserInfo()
{
var userInfo = MyActiveX.GetInfo();
form1.info.value = userInfo;
form1.submit();
}
</script>
</head>
<body onload="javascript:getUserInfo()">
<object id="MyActiveX" name="MyActiveX" codebase="MyActiveX.cab" classid="CLSID:C63E6630-047E-4C31-H457-425C8412JAI25"></object>
<form name="form1" method="post" action="Login.aspx">
<input type="hidden" id="info" name="info" value="" />
</form>
</body>
</html>
The code works perfectly fine on my machine (edit: hosted and run), but it doesn't work on the other: there is an error "Object doesn't support this property or method" in the first line of the JavaScript function. The cab file is in the same folder as the page file. I don't know JavaScript at all and have no idea why the problem is occurring. Googling didn't help. Do you have any idea?
Edit: on both machines IE was used and ActiveX was enabled.
Edit2: I also added if (document.MyActiveX) at the beginning of the function and I still get the error in the same line of code - I mean it looks like document.MyActiveX is true but calling the method still fails.
I think the onload event is making the function run even before the ActiveX object is loaded. You may try the following instead:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title></title>
<script language="javaScript" type="text/javascript">
function getUserInfo(){
if(document.MyActiveX){
var userInfo = MyActiveX.GetInfo();
form1.info.value = userInfo;
form1.submit();
}
}
</script>
</head>
<body>
<object id="MyActiveX" name="MyActiveX" codebase="MyActiveX.cab" classid="CLSID:C63E6630-047E-4C31-H457-425C8412JAI25"></object>
<script for="window" event="onload" language="JavaScript">
window.setTimeout("getUserInfo()", 500);
</script>
<form name="form1" method="post" action="Login.aspx">
<input type="hidden" id="info" name="info" value="" />
</form>
</body>
</html>
Now the getUserInfo() function will start to run 500 milliseconds after the page is loaded. This must give some time for the ActiveX object to be loaded.
IE8 manages access to the ActiveX on domain level.
To fix it:
IE8, Tools -> Manage Add-ons
In "Toolbars and Extensions" find your ActiveX
Right click - More information
Click - Allow on all sites
Enjoy
Maybe the browser on the other machine does not support ActiveX? Just a wild guess.
Maybe the ActiveX needs some prerequisite (For example CRuntime) that isn't present on the other machines? Have you tried running depends for the Activex on the hosting machine?
Maybe the other machine has a virus scanner or similar which silently prevents ActiveX use?
