Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

False Negative in innerHTML example #21

Open
GoogleCodeExporter opened this issue Nov 13, 2015 · 7 comments
Open

False Negative in innerHTML example #21

GoogleCodeExporter opened this issue Nov 13, 2015 · 7 comments
Labels
auto-migrated Priority-Medium Type-Defect

Comments

@GoogleCodeExporter
Copy link 

What steps will reproduce the problem?
1. Load URL http://cloudscan.org
2. Script Code from document.location executes via DOM manipulation by 
innerHTML property in https://a12.alpha.godaddy.com
3. Can also use DOMinator from OWASP to see same, Acunetix etc..

What is the expected output? What do you see instead?
Expected to fingerprint DOM-XSS in document.location path part at innerHTML and 
also vuln are location.ToString and referrer.

What version of the product are you using? On what operating system?
I am using Windows 2008 R2 Server 64bit with Chrome 12.0.742.122 and 
the download for DOMSnitch.. great tool!

This is a False Negative report on the assumption that is should be 
fingerprinting on innerHTML.. but perhaps I am reading your spec wrong.

Sorry of this is noise...

Original issue reported on code.google.com by [email protected] on 22 Jul 2011 at 2:44
@GoogleCodeExporter
Copy link
Author 

This issue seems similar to Issue 18. There is already an action item to 
address this.

Original comment by [email protected] on 23 Jul 2011 at 1:47

  • Changed state: Accepted

@GoogleCodeExporter
Copy link
Author 

Hi! Great tool you've released and thank you for the response in #18, great 
info for those learning.

Original comment by [email protected] on 23 Jul 2011 at 2:08

@GoogleCodeExporter
Copy link
Author 

Marking this as duplicate of Issue 18. Please follow/comment the issue there.

Original comment by [email protected] on 1 Sep 2011 at 8:23

  • Changed state: Duplicate

@GoogleCodeExporter
Copy link
Author 

Re-opening as separate bug to track.

Original comment by [email protected] on 1 Sep 2011 at 4:28

  • Changed state: Accepted

@GoogleCodeExporter
Copy link
Author 

Hi!

Thanks for reopening ticket!

Global URL = http://cloudscan.org
Offending JS = https://a12.alphagodaddy.com/hosting_ads/gd01.js

Issues by UA | Chrome DOMSnitch Report
==========================================
Loading of CSS from an untrusted origin
Loading of scripts from an untrusted origin

Issues by UA | DOMinator Report
==========================================
Sources of Tainted Input: location.toString | referer

Acunetix Web Vulnerability Scanner, August 2011 Build
==========================================
JS executes from document.location path part via innerHTML in 
https://a12.alphagodaddy.com/hosting_ads/gd01.js at line 26,28.

Suggestion: Consider sighting the sources and sinks.. line numbers of offensive 
code, and a complete stack trace for repro.. a la Acunetix or DOMinator

Question: Different results all around.. I'm asking if you can run thru the 
Global.URL yourself and compare and contrast the output of DOMinator vs. 
DOMSnitch vs. Acunetix.

Post your own results, and I'll do the same.. I think it will be a great 
learning example for all, immho...

-D

Original comment by [email protected] on 1 Sep 2011 at 5:41

@GoogleCodeExporter
Copy link
Author 

Hi!

Adding.. no output from stack trace in exported TXT File.. no trace in output...


-D

Original comment by [email protected] on 6 Sep 2011 at 1:04

@GoogleCodeExporter
Copy link
Author 

Hi!

w/r/t reporting, suggest that .. Mixed content through the HREF attribute of a 
LINK element ... be part of a weak programming skills / DORK Report .. 

w/r/t reporting, suggest that .. Loading of scripts from an untrusted origin. 
.. be part of a weak programming skills / DORK Report.. 

w/r/t parsing, when Referrer Data found with innerHTML, when matching on www, 
my and other vhost name..   injection of fqdn.vhost.tld results are FP .. 
(provided for those following the thread).. example ..  referrer data set to 
www.xss.cx or my.xss.cx etc.... FP

w/r/t parsing and malformed JSON, suggest that be included in weak programming 
skills / DORK Report.. 

w/r/t Report Format Suggestions.. consider developing a target analysis file, 
including sources, sinks, methods abused etc.... suggest include other output 
from the Scope on Wiki or a pointer URL etc.. often we compare the intended 
scope of DOMinator and DOMSnitch and then compare the results with our own 
analysis and often see a wide disparity in results... having the sources, 
sinks, methods abused etc.. with the stack trace can often help reducing FP, FN 
etc..  

I'll post a few comps in another comment using the webkit XSSAdmin scripts as 
example.

-D

Original comment by [email protected] on 6 Sep 2011 at 1:30

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
auto-migrated Priority-Medium Type-Defect
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@GoogleCodeExporter