Identity Server Security Bug: DOM text reinterpreted as HTML #19

Open
74 tasks
alexhiggins732 opened this issue Feb 16, 2024 · 0 comments · Fixed by #34
Labels: bug (Something isn't working), dependencies (Pull requests that update a dependency file)

Comments


alexhiggins732 commented Feb 16, 2024

DOM text reinterpreted as HTML

The original Identity Server 4 code base has several medium-impact security bugs detected by CodeQL scanning.

Description:

Extracting text from a DOM node and interpreting it as HTML can lead to a cross-site scripting vulnerability.

A webpage with this vulnerability reads text from the DOM, and afterwards adds the text as HTML to the DOM. Using text from the DOM as HTML effectively unescapes the text, and thereby invalidates any escaping done on the text. If an attacker is able to control the safe sanitized text, then this vulnerability can be exploited to perform a cross-site scripting attack.

Examples

Tool: CodeQL
Rule ID: js/unsafe-html-expansion
Source: wwroot/js/signin-redirect.js#L1-L1

    window.location.href = document.querySelector("meta[http-equiv=refresh]").getAttribute("data-url");

Issues:

Recommendation

To guard against cross-site scripting, consider using contextual output encoding/escaping before writing text to the page, or one of the other solutions that are mentioned in the References section below.

Example

The following example shows a webpage using a data-target attribute to select and manipulate a DOM element using the jQuery library. In the example, the data-target attribute is read into the target variable, and the $ function is then supposed to use the target variable as a CSS selector to determine which element should be manipulated.

$("button").click(function () {
    var target = $(this).attr("data-target");
    $(target).hide();
});

However, if an attacker can control the data-target attribute, then the value of target can be used to cause the $ function to execute arbitrary JavaScript.

The above vulnerability can be fixed by using $.find instead of $. The $.find function will only interpret target as a CSS selector and never as HTML, thereby preventing an XSS attack.

$("button").click(function () {
    var target = $(this).attr("data-target");
    $.find(target).hide();
});
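As an added example that is not part of this issue or of the Identity Server code, the snippet below reproduces the heuristic jQuery's $() uses to decide whether a string is a CSS selector or an HTML fragment (RQUICK_EXPR is the regex from jQuery 1.9 and later), and pairs it with an allowlist check for data-target values; the function names are my own.

```javascript
// Added example, not from the issue or the Identity Server code base.
// jQuery's $(string) picks between "CSS selector" and "HTML fragment" with a
// regex; reproducing that decision as a pure function shows, without a
// browser, why $(target) is an XSS sink when target comes from the DOM.

// Regex used by jQuery >= 1.9: after optional whitespace, a leading '<' with a
// later '>' marks the string as HTML (group 1); "#id" alone is group 2.
const RQUICK_EXPR = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

// Classify a string the way $() would route it.
function classifyJQueryArg(str) {
  const m = RQUICK_EXPR.exec(str);
  if (m && m[1]) return "html";      // parsed as markup: the dangerous path
  if (m && m[2]) return "id";        // getElementById
  return "selector";                 // querySelectorAll (what $.find does)
}

// Hardened form: a data-target attribute only ever needs a single id or
// class selector, so accept exactly that shape and reject everything else.
// Any value passing this check is harmless even if handed to $().
const SAFE_TARGET = /^[#.][A-Za-z_][\w-]*$/;

function safeTarget(str) {
  if (typeof str !== "string") return null;
  const trimmed = str.trim();
  return SAFE_TARGET.test(trimmed) ? trimmed : null;
}

// Constructed sample attribute values (not taken from the issue).
const SAMPLE_TARGETS = ["#login-form", ".panel", "  <div>x</div>  ", "#a b"];

// Returns, per sample, how $() would treat it and whether the allowlist lets
// it through; in the real handler only non-null results reach the selector API.
function auditTargets(values = SAMPLE_TARGETS) {
  return values.map((v) => ({
    value: v,
    jqueryTreatsAs: classifyJQueryArg(v),
    allowed: safeTarget(v) !== null,
  }));
}
```

Every value classified as "html" is also rejected by safeTarget, which is the property a reviewer would want to confirm before accepting a data-* attribute as a selector.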

References

@alexhiggins732 alexhiggins732 self-assigned this Feb 16, 2024
@alexhiggins732 alexhiggins732 added bug Something isn't working dependencies Pull requests that update a dependency file labels Feb 16, 2024
@alexhiggins732 alexhiggins732 linked a pull request Feb 17, 2024 that will close this issue