ASF GitHub Bot logged work on HDDS-2111:

                Author: ASF GitHub Bot
            Created on: 16/Sep/19 14:59
            Start Date: 16/Sep/19 14:59
    Worklog Time Spent: 10m 
      Work Description: elek commented on issue #1447: HDDS-2111. XSS fragments 
can be injected to the S3g landing page  
URL: https://github.com/apache/hadoop/pull/1447#issuecomment-531816534
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:

Issue Time Tracking

    Worklog Id:     (was: 313034)
    Time Spent: 0.5h  (was: 20m)

> XSS fragments can be injected to the S3g landing page  
> -------------------------------------------------------
>                 Key: HDDS-2111
>                 URL: https://issues.apache.org/jira/browse/HDDS-2111
>             Project: Hadoop Distributed Data Store
>          Issue Type: Bug
>          Components: S3
>            Reporter: Aayush
>            Assignee: Elek, Marton
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
> There is a way to bypass the anti-XSS filter for DOM XSS by exploiting
> "window.location.href".
> Considering a typical URL:
> scheme://domain:port/path?query_string#fragment_id
> Browsers correctly encode both "path" and "query_string", but not the
> "fragment_id".
> So if the "fragment_id" is used, the vector is also not logged on the web server.
> Chrome Version: 10.0.648.134 (Official Build 77917) beta
> This is an index.html page:
> {code:html}
> aws s3api --endpoint 
> <script>document.write(window.location.href.replace("static/", ""))</script> 
> create-bucket --bucket=wordcount</pre>
> {code}
> The attack vector is:
> index.html?#<script>alert('XSS');</script>
> * PoC:
> For your convenience, a minimalist PoC is located on:
> http://security.onofri.org/xss_location.html?#<script>alert('XSS');</script>
> * References:
> - DOM Based Cross-Site Scripting or XSS of the Third Kind -
>   http://www.webappsec.org/projects/articles/071105.shtml
> - https://bugs.chromium.org/p/chromium/issues/detail?id=76796

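As an added example (not code from the Ozone S3 gateway or from this issue), the document.write pattern quoted in the report is modelled beside a hardened version that discards the fragment and HTML-encodes what it interpolates; the host name and the pure-function wrappers are assumptions so it runs under Node without a DOM:

```javascript
// Added example, not Ozone/HDDS project code. The landing page in the report did:
//   document.write(window.location.href.replace("static/", ""))
// Here that is modelled as pure string functions so it runs under Node (no DOM).

// Vulnerable form: whatever is in href, including the un-encoded fragment, is emitted as markup.
function buildSnippetVulnerable(href) {
  return 'aws s3api --endpoint ' + href.replace('static/', '') +
         ' create-bucket --bucket=wordcount';
}

// Minimal HTML entity encoder so interpolated text is rendered as data, never parsed as tags.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"'`]/g, (c) => HTML_ESCAPES[c]);
}

// Hardened form: parse the URL, keep only origin + path (the parts the browser percent-encodes
// and the only parts an S3 endpoint needs), discard query and fragment, then encode the result.
function buildSnippetHardened(href) {
  const u = new URL(href);
  const endpoint = u.origin + u.pathname.replace('static/', '');
  return 'aws s3api --endpoint ' + escapeHtml(endpoint) +
         ' create-bucket --bucket=wordcount';
}

// Check used in tests or when reviewing rendered output: are raw tag delimiters still present?
function containsRawTags(html) {
  return /[<>]/.test(html);
}

// Constructed sample: the vector from the report applied to a hypothetical s3g host (not a real host).
const SAMPLE_HREF = "http://s3g.example:9878/static/index.html?#<script>alert('XSS');</script>";

console.log('vulnerable:', buildSnippetVulnerable(SAMPLE_HREF));
console.log('hardened:  ', buildSnippetHardened(SAMPLE_HREF));
```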
This message was sent by Atlassian Jira
