The jc.parseHTML function appears to be vulnerable to DOM-based XSS because it directly uses innerHTML to insert a user-provided string without proper sanitization. If a user can control the input string, they can inject arbitrary HTML and JavaScript code, which will be executed in the user's browser.
Path: https://github.com/xujeff/tianti/blob/master/tianti-modules/tianti-module-admin/src/main/webapp/static/js/common.js#L396

To reproduce the vulnerability, you can inject the following payload as the str parameter:
"<img src=x onerror=alert('XSS Vulnerability')>"
For example, if the str parameter comes from a URL parameter, a user could craft a malicious URL like this:
[Application URL]?param=<img src=x onerror=alert('XSS Vulnerability')>
When this HTML is processed by jc.parseHTML, the onerror event will trigger, and the alert function will execute.
Impact:
A successful XSS attack could allow an attacker to:
- Steal sensitive user data (e.g., cookies, session tokens).
- Perform unauthorized actions on behalf of the user.
- Deface the website.
- Redirect users to malicious websites.
- Install malware.
POC code:


Recommended Fix:
To mitigate this vulnerability, I recommend the following:
- Use textContent if possible: If the function is intended to parse plain text, use textContent instead of innerHTML.
- Sanitize user input: If HTML parsing is necessary, sanitize the input string to remove any potentially malicious code before assigning it to innerHTML. Libraries like DOMPurify are designed for this purpose.
- Contextual Output Encoding: If you must use innerHTML, encode the user-provided string.
Please let me know your thoughts.
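
The three recommendations above as a defensive sketch. This is an added example, not code from the tianti repository or from the issue author; the function names, the `app.example` URL and the injected `purifier` argument are assumptions, and the payload is the one quoted in the report.

```javascript
// Added example. The report says the sink is an innerHTML assignment of `str`;
// the function body itself is not quoted there, so it is not reproduced here.

// Payload quoted in the report, carried in a constructed URL (hypothetical host).
const PAYLOAD = "<img src=x onerror=alert('XSS Vulnerability')>";
const SAMPLE_URL = 'https://app.example/page?param=' + encodeURIComponent(PAYLOAD);

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Contextual output encoding for HTML element content and quoted attribute values.
// After encoding, the string contains no character that can open a tag or close a quote.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Recommendation 1: plain text goes through textContent, which is never parsed as markup.
function setText(element, value) {
  element.textContent = String(value);
  return element;
}

// Recommendation 2: when real HTML is required, hand it to a sanitizer such as DOMPurify.
// The sanitizer is passed in; with none available the call fails closed instead of
// falling back to the raw string.
function sanitizeHtml(value, purifier) {
  if (!purifier || typeof purifier.sanitize !== 'function') {
    throw new TypeError('no HTML sanitizer available; refusing to return raw markup');
  }
  return purifier.sanitize(String(value));
}

// Recommendation 3: read an untrusted URL parameter and return it encoded, so that
// even an innerHTML assignment renders it as visible text.
function encodedParam(href, name) {
  const raw = new URL(href).searchParams.get(name);
  return raw === null ? '' : encodeForHtml(raw);
}

console.log(encodedParam(SAMPLE_URL, 'param'));
```

In a browser, `sanitizeHtml(str, DOMPurify)` uses the library's `sanitize` call; the encoder applies only to HTML text and quoted-attribute contexts, not to script, URL or CSS contexts.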