Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Arbitrary Same-Origin Stored XSS on React + HTML Outputs #1082

Open
bliutech opened this issue Aug 30, 2023 · 2 comments
Open

Arbitrary Same-Origin Stored XSS on React + HTML Outputs #1082

bliutech opened this issue Aug 30, 2023 · 2 comments
Assignees
@tylerdtran
Labels
bug Something isn't working security Pull requests that address a security vulnerability

Comments

@bliutech
Copy link
Member

bliutech commented Aug 30, 2023
edited
Loading

Initially disclosed to @mizlan privately. Opening this issue for easier tracking and documentation.

Vulnerability

On https://editor.uclaacm.com, there is an arbitrary Same-Origin Stored XSS for outputs of the editor specifically for both React & HTML. The issue arrises from lack of sandboxing of the output while using srcdoc causing the embedded content to be on the same origin as the editor (source code). The impact could be that an adversary is able to share a page with a payload which could exfiltrate private data about a user or lead to arbitrary writes or downloads.

POC

React:
image

HTML:
image

Fix

The solution to this is to introduce the sandbox property to the output iframe. This can be done in the following source code with a behavior of sandbox="allow-scripts allow-modals". This would allow many of the current features to be maintained while allowing resources to be isolated by the Same-Origin Policy.

image
@bliutech bliutech added bug Something isn't working security Pull requests that address a security vulnerability labels Aug 30, 2023
@mizlan
Copy link
Member

mizlan commented Aug 31, 2023

What are some tests I can do after a fix to ensure I've resolved the problem? @bliutech

Is it enough to check the document.domain property?

@bliutech
Copy link
Member Author

Yes. If the origins are not the same, then the Same-Origin Policy applies which should address this issue. 👍

@tylerdtran tylerdtran self-assigned this Nov 15, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tylerdtran tylerdtran

Labels
bug Something isn't working security Pull requests that address a security vulnerability
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mizlan @bliutech @tylerdtran