XSS hazard: HTML body text interpolated as <script> content through backticks

RESOLVED INVALID

Status

()

RESOLVED INVALID
3 years ago
3 years ago

People

(Reporter: dveditz, Unassigned)

Tracking

43 Branch
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments)

(Reporter)

Description

3 years ago
Created attachment 8694871 [details]
alerttest.html

serazoli reported odd behavior to the security alias: HTML body text is being interpolated into a script tag due to backticks. A document consisting of:

  alert('aaa');             
  `<script src=""></script>`

Will display the expected body text

   alert('aaa')` `

but it will also unexpectedly fire the alert.

I didn't think that was how ES6 template strings worked, and in any case this is HTML body text and not in JS.
(Reporter)

Comment 1

3 years ago
My expected results text above is wrong, Firefox does also show the semi-colon as you'd expect (see the attachment).

Henri: any idea what the parser is doing here?
Flags: needinfo?(hsivonen)
(Reporter)

Comment 2

3 years ago
Created attachment 8694990 [details]
Original PoC

The original PoC had quite a bit more HTML markup inside the grave-quoted string between the alert text and the script tag. I edited it down for a minimal testcase but it's somewhat interesting to see how far back the script tag can reach.

Comment 3

3 years ago
Oh!  Right!  Jesse pointed out to me that <script src=""></script> resolves the empty-string location to the current location.  So then you have an HTML page with some garbage text that includes a script element that loads the page as a script.  Then the page source evaluates an alert() call as one expression/statement, then evaluates a template string containing a script element with no observable side effect.

So, this is working basically the way it should.  The weird thing is that src="" will load the current page as a script.  Once you do that, you get whatever is in the current page, that happens to evaluate as a script.  I don't think, once you set aside the load of a script with executable contents, there's anything worrisomely XSS about this.

Updated

3 years ago
Flags: needinfo?(hsivonen)
(Reporter)

Comment 4

3 years ago
Thanks Jesse! 

In a real page that someone's trying to XSS there's a vanishingly small chance that the entire page will correctly evaluate as a syntactically valid script, and any syntax error prevents execution of anything.

The given testcase doesn't work on Chrome (maybe they don't support ` strings yet), and apparently they don't treat src="" as a self-reference, but with a minor modification this behavior works in other browsers, at least when loaded from a file: url. I've heard Chrome is going to require (has?) correct Content-Type for <script> source files, but that has to be relaxed for file: urls.

  alert('aaa');
  ' <script src="#foo"></script> '    

Surprising behavior, but makes sense in hindsight.
Group: core-security
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.