Xss using dynamically generated js file

Arbaz Hussain
Jul 19, 2017

Severity : High

Complexity: Medium

Weakness: Disclosed JS endpoint and unsanitized user input

— — — — — — — — — — — — — — — — — — — — — — — — — — — —

Discovery :

  • While checking Burp Proxy requests I came across the following JavaScript file.

https://www.site.com/mvcs/kt/tags/pclntny.js

  • I started brute-forcing parameters for the JS endpoint and found ?cb=.
  • It takes the user input and appends it to a getScript function call. Since the Content-Type is text/plain, we need to find a way to render our input.

https://www.site.com/mvcs/kt/tags/pclntny.js?cb=xxxxxxxxx

  • We know that JS files are not restricted by the SOP and can be loaded by cross-domain requests; luckily there was no anti-sniffing (X-Content-Type-Options) header either.

Now the task was to find where the https://www.site.com/mvcs/kt/tags/pclntny.js file is included in HTML/JavaScript under https://www.site.com/.

  • I used the Burp Proxy search filter option to look for that endpoint.

I found that it is used in https://www.site.com/user/public/apps/tags?val=pcltny.js

```html
<script type="text/javascript" src="/mvcs/kt/tags/pclntny.js" />
.
.
.
.
var Doc = uri.queryKey['cb'];
```
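To make the weakness concrete, here is an added example (not code from the original post or from the affected site) that models the dynamically generated endpoint: the ?cb= value is copied straight into a getScript(...) call and served as text/plain, beside a hardened version that allow-lists the parameter and declares the real MIME type with nosniff. The getScript template, the response object shape and the sample inputs are assumptions; the breakout input reuses the placeholder shape from the PoC below rather than a real payload.

```javascript
// Added example, not code from the original post or the affected site.
// Models /mvcs/kt/tags/pclntny.js?cb=... in its reflecting form and a
// hardened form. The getScript template and response shape are assumed.

// A callback-style parameter should only ever be an identifier. Quotes,
// parentheses, angle brackets and semicolons are rejected outright.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

// Vulnerable form: raw string concatenation, loose content type, no nosniff.
function buildUnsafeResponse(cb) {
  return {
    status: 200,
    headers: { 'Content-Type': 'text/plain' },
    body: `getScript('${cb}');`,
  };
}

// Hardened form: allow-list the value, declare the real MIME type and tell
// browsers not to sniff. A malformed value never reaches the body at all.
function buildSafeResponse(cb) {
  const headers = {
    'Content-Type': 'application/javascript; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
    'Cache-Control': 'no-store',
  };
  if (typeof cb !== 'string' || !CALLBACK_RE.test(cb)) {
    return { status: 400, headers, body: '/* invalid cb parameter */' };
  }
  return { status: 200, headers, body: `getScript('${cb}');` };
}

// Detection heuristic for a generated body: count unescaped single quotes.
// A clean getScript('...') body has exactly two; a value that closes the
// string literal and continues with code leaves an odd count.
function escapesStringLiteral(body) {
  let quotes = 0;
  for (let i = 0; i < body.length; i++) {
    if (body[i] === '\\') { i++; continue; }   // skip the escaped character
    if (body[i] === "'") quotes++;
  }
  return quotes !== 2;
}

// Constructed inputs: a benign callback and the breakout shape from the
// write-up's PoC, with its placeholder kept in place of any payload.
const SAMPLES = ['xxxxxxxxx', "xxxx')<PAYLOAD-HERE>;"];

// Run both builders over the samples and report what a reviewer cares about:
// was the request served, is nosniff set, and does the value break out.
function summarize(build) {
  return SAMPLES.map((cb) => {
    const r = build(cb);
    return {
      cb,
      status: r.status,
      nosniff: r.headers['X-Content-Type-Options'] === 'nosniff',
      breakout: r.status === 200 && escapesStringLiteral(r.body),
    };
  });
}

console.log('reflecting endpoint:');
console.table(summarize(buildUnsafeResponse));
console.log('hardened endpoint:');
console.table(summarize(buildSafeResponse));
```

Note that nosniff on its own would only stop a third-party page from loading the text/plain response as a script; the site's own page includes the file with a script tag, so the allow-list on the parameter is the fix that actually matters.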

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — -

Exploitation :

  • Simple POC:
```html
<html>
<body>
<script src="https://www.site.com/mvcs/kt/tags/pclntny.js?cb=xxxx')<PAYLOAD-HERE>;">...window.open('https://www.site.com/user/public/apps/tags?val=pcltny.js', '_blank').focus();</script>
</body>
</html>
```

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — -

  • Able to bypass their cross-domain policy by injecting AJAX requests.

Tools: https://github.com/maK-/parameth for parameter discovery.

Reference :

Nice and Little Bounty!
