[ https://issues.apache.org/jira/browse/HDDS-2111?focusedWorklogId=312485&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-312485 ]

ASF GitHub Bot logged work on HDDS-2111:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 14/Sep/19 03:34
            Start Date: 14/Sep/19 03:34
    Worklog Time Spent: 10m 
      Work Description: elek commented on pull request #1447: HDDS-2111. XSS fragments can be injected to the S3g landing page
URL: https://github.com/apache/hadoop/pull/1447
 
 
   VULNERABILITY DETAILS
   There is a way to bypass the anti-XSS filter for DOM XSS by exploiting 
   "window.location.href".
   
   Considering a typical URL:
   
   scheme://domain:port/path?query_string#fragment_id
   
   Browsers correctly encode both "path" and "query_string", but not the 
   "fragment_id". 
   
   So if the "fragment_id" is used, the vector is also not logged on the web server.
   
   VERSION
   Chrome Version: 10.0.648.134 (Official Build 77917) beta
   
   REPRODUCTION CASE
   This is an index.html page:
   
   {code:html}
   <pre>aws s3api --endpoint <script>document.write(window.location.href.replace("static/", ""))</script> create-bucket --bucket=wordcount</pre>
   {code}
   
   The attack vector is:
   index.html?#<script>alert('XSS');</script>
   
   * PoC:
   For your convenience, a minimalist PoC is located on:
   http://security.onofri.org/xss_location.html?#<script>alert('XSS');</script>
   
   * References
   - DOM Based Cross-Site Scripting or XSS of the Third Kind - 
   http://www.webappsec.org/projects/articles/071105.shtml
   - https://bugs.chromium.org/p/chromium/issues/detail?id=76796
   
   See: https://issues.apache.org/jira/browse/HDDS-2111
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


Issue Time Tracking
-------------------

            Worklog Id:     (was: 312485)
    Remaining Estimate: 0h
            Time Spent: 10m

> XSS fragments can be injected to the S3g landing page  
> -------------------------------------------------------
>
>                 Key: HDDS-2111
>                 URL: https://issues.apache.org/jira/browse/HDDS-2111
>             Project: Hadoop Distributed Data Store
>          Issue Type: Bug
>          Components: S3
>            Reporter: Aayush
>            Assignee: Elek, Marton
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 10m
>  Remaining Estimate: 0h
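Added example, not code from HDDS-2111 or pull request #1447: the reported landing-page snippet modelled in plain JavaScript beside two hardened forms and a small audit check. The host name in the sample URL is made up, and because there is no DOM outside a browser, each function returns the HTML string the page would have written.

```javascript
// Added example, not code from HDDS-2111 or pull request #1447. It models the
// reported landing-page snippet, which wrote window.location.href into the
// document with document.write(), so markup in the fragment became live HTML.
// No DOM here: each function returns the HTML string the page would emit.

// Escape text that will be placed into element content.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable form, mirroring the reported snippet: href is inserted raw, so
// anything after '#' (which the server never sees) is written as markup.
function renderEndpointUnsafe(href) {
  const endpoint = href.replace("static/", "");
  return "aws s3api --endpoint " + endpoint + " create-bucket --bucket=wordcount";
}

// Hardened form 1: same derivation, but the value is escaped before it joins
// the HTML. In a page, setting textContent on an element is the equivalent.
function renderEndpointEscaped(href) {
  const endpoint = href.replace("static/", "");
  return "aws s3api --endpoint " + escapeHtml(endpoint) + " create-bucket --bucket=wordcount";
}

// Hardened form 2 (suggested here, not the project's fix): the endpoint only
// needs scheme://host:port, so derive it from the URL origin; the query
// string and fragment, which a visitor controls, never reach the page at all.
function renderEndpointFromOrigin(href) {
  const origin = new URL(href).origin;
  return "aws s3api --endpoint " + origin + " create-bucket --bucket=wordcount";
}

// Audit helper for pages that reflect location.href: does the fragment carry
// characters that can form markup? Fragment payloads leave no server log trace.
function fragmentLooksLikeMarkup(href) {
  const i = href.indexOf("#");
  return i >= 0 && /[<>"']/.test(href.slice(i + 1));
}

// Constructed sample, shaped like the report's attack vector (host is made up).
const SAMPLE_HREF = "http://s3g.example:9878/static/index.html?#<script>alert('XSS');</script>";

console.log(renderEndpointUnsafe(SAMPLE_HREF));
console.log(renderEndpointEscaped(SAMPLE_HREF));
console.log(renderEndpointFromOrigin(SAMPLE_HREF));
```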



--
This message was sent by Atlassian Jira
(v8.3.2#803003)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org