[ 
https://issues.apache.org/jira/browse/HDDS-2111?focusedWorklogId=313034&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-313034
 ]

ASF GitHub Bot logged work on HDDS-2111:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 16/Sep/19 14:59
            Start Date: 16/Sep/19 14:59
    Worklog Time Spent: 10m 
      Work Description: elek commented on issue #1447: HDDS-2111. XSS fragments can be injected to the S3g landing page
URL: https://github.com/apache/hadoop/pull/1447#issuecomment-531816534
 
 
   /retest
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


Issue Time Tracking
-------------------

    Worklog Id:     (was: 313034)
    Time Spent: 0.5h  (was: 20m)

> XSS fragments can be injected to the S3g landing page  
> -------------------------------------------------------
>
>                 Key: HDDS-2111
>                 URL: https://issues.apache.org/jira/browse/HDDS-2111
>             Project: Hadoop Distributed Data Store
>          Issue Type: Bug
>          Components: S3
>            Reporter: Aayush
>            Assignee: Elek, Marton
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> VULNERABILITY DETAILS
> There is a way to bypass the anti-XSS filter for DOM XSS by exploiting 
> "window.location.href".
> Considering a typical URL:
> scheme://domain:port/path?query_string#fragment_id
> Browsers correctly encode both "path" and "query_string", but not the 
> "fragment_id". 
> So if the "fragment_id" is used, the vector is also not logged on the web server.
> VERSION
> Chrome Version: 10.0.648.134 (Official Build 77917) beta
> REPRODUCTION CASE
> This is an index.html page:
> {code:java}
> aws s3api --endpoint 
> <script>document.write(window.location.href.replace("static/", ""))</script> 
> create-bucket --bucket=wordcount</pre>
> {code}
> The attack vector is:
> index.html?#<script>alert('XSS');</script>
> * PoC:
> For your convenience, a minimalist PoC is located on:
> http://security.onofri.org/xss_location.html?#<script>alert('XSS');</script>
> * References
> - DOM Based Cross-Site Scripting or XSS of the Third Kind - 
> http://www.webappsec.org/projects/articles/071105.shtml
> - https://bugs.chromium.org/p/chromium/issues/detail?id=76796



--
This message was sent by Atlassian Jira
(v8.3.2#803003)
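
As an added example (not code from the Ozone/S3g project or the reporter's PoC), the sink the report describes in a string-only form that runs outside a browser: the vulnerable concatenation of `location.href` into HTML beside a hardened version that drops the fragment and HTML-escapes the value. The host name, the `endpointFromHref` helper and the sample URL are assumptions constructed for the example.

```javascript
// The landing page described in HDDS-2111 writes window.location.href into the
// document to show a sample "aws s3api" command. Per the report, the part after
// '#' is not percent-encoded by the browser, so a fragment can carry markup.
// Both renderers take the href as a string so they can be exercised without a DOM.

// Vulnerable pattern: the raw href is concatenated into HTML, which is what
// document.write(href.replace("static/", "")) on the reported page amounts to.
function renderEndpointUnsafe(href) {
  const endpoint = href.replace("static/", "");
  return "<pre>aws s3api --endpoint " + endpoint +
         " create-bucket --bucket=wordcount</pre>";
}

// Minimal HTML escaper for text that is inserted into markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Assumed helper: the endpoint never needs the fragment or the query, so drop
// both before stripping the "static/" path element.
function endpointFromHref(href) {
  const base = href.split("#")[0].split("?")[0];
  return base.replace("static/", "");
}

// Hardened pattern: untrusted URL parts are removed and the remainder is
// escaped. In a real page the same effect comes from assigning the value to
// textContent instead of writing it as HTML.
function renderEndpointSafe(href) {
  const endpoint = escapeHtml(endpointFromHref(href));
  return "<pre>aws s3api --endpoint " + endpoint +
         " create-bucket --bucket=wordcount</pre>";
}

// Check used below: did a <script> tag from the URL survive into the HTML?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed sample URL carrying the fragment quoted in the report.
const SAMPLE_HREF =
  "http://s3g.example:9878/static/index.html?#<script>alert('XSS');</script>";

console.log(containsScriptTag(renderEndpointUnsafe(SAMPLE_HREF))); // true
console.log(containsScriptTag(renderEndpointSafe(SAMPLE_HREF)));   // false
```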
