Hadoop Distributed Data Store (HDDS) - HDDS-2111

XSS fragments can be injected to the S3g landing page


    Details

      Description

      VULNERABILITY DETAILS
      There is a way to bypass the anti-XSS filter for DOM XSS by exploiting "window.location.href".

      Considering a typical URL:

      scheme://domain:port/path?query_string#fragment_id

      Browsers correctly encode both the "path" and the "query_string", but not the "fragment_id".

      So if the "fragment_id" is used, the vector is also not logged on the web server.

      VERSION
      Chrome Version: 10.0.648.134 (Official Build 77917) beta

      REPRODUCTION CASE
      This is an index.html page:

      aws s3api --endpoint <script>document.write(window.location.href.replace("static/", ""))</script> create-bucket --bucket=wordcount

      The attack vector is:
      index.html?#<script>alert('XSS');</script>

      References:

      https://bugs.chromium.org/p/chromium/issues/detail?id=76796
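The sink in the reproduction case above is document.write of the unescaped window.location.href, so whatever the browser leaves in the fragment lands in the page's HTML. The following is an added example, not code from the HDDS-2111 report or from Ozone's S3 gateway: it models that line as a pure function (document.write is replaced by returning the HTML string so it runs without a browser), puts the hardened rendering beside it, and shows the stricter option of deriving the endpoint from the page origin alone. The hostnames and hrefs are constructed; the example does not model how a given browser percent-encodes the fragment, it simply feeds the href in as the raw string the script would receive.

```javascript
// Added example (not the HDDS-2111 page's or Ozone's code). The S3g landing
// page script does, roughly:
//   document.write(window.location.href.replace("static/", ""))
// inside a line showing "aws s3api --endpoint <url> create-bucket ...".
// document.write is replaced here by returning the HTML string so the
// behaviour can be checked offline. All hrefs below are constructed.

// Reproduces the sink as written on the page: the href is concatenated into
// HTML without escaping, so a fragment like #<script>...</script> is executed.
function renderEndpointLineUnsafe(href) {
  const endpoint = href.replace("static/", "");
  return "aws s3api --endpoint " + endpoint + " create-bucket --bucket=wordcount";
}

// Minimal HTML escaping for text placed in element content or attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering of the same line: the attacker-influenced href is escaped
// before it reaches the HTML. In a real page, setting element.textContent
// instead of using document.write achieves the same without manual escaping.
function renderEndpointLineSafe(href) {
  const endpoint = href.replace("static/", "");
  return "aws s3api --endpoint " + escapeHtml(endpoint) + " create-bucket --bucket=wordcount";
}

// Stricter option (assumption: the gateway endpoint is just scheme://host:port
// of the page itself): derive it from the URL origin, discarding path, query
// and fragment so no attacker-controlled part of the URL is rendered at all.
function endpointFromOrigin(href) {
  return new URL(href).origin;
}

// Returns true if the rendered HTML would open a script element.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed inputs: a benign page URL and the fragment payload from the report.
const BENIGN_HREF = "http://s3g.example:9878/static/index.html";
const ATTACK_HREF = "http://s3g.example:9878/static/index.html?#<script>alert('XSS');</script>";

console.log("unsafe :", renderEndpointLineUnsafe(ATTACK_HREF));
console.log("safe   :", renderEndpointLineSafe(ATTACK_HREF));
console.log("origin :", endpointFromOrigin(ATTACK_HREF));
```

Running it shows the unsafe rendering carrying a live `<script>` element while the hardened one carries only `&lt;script&gt;` text; for a benign URL both renderings are identical, so the fix costs nothing in the normal case.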

              People

                Assignee: Marton Elek (elek)
                Reporter: Aayush (adeo)
                Votes: 0
                Watchers: 5


                  Time Tracking

                  Estimated: Not Specified
                  Remaining: 0h
                  Logged: 50m