Sep 5, 2019

DOM Based XSS in Private Program

--------------------------------------------------------------------------

Domain : redacted.com
Target : blog.redacted.com
Program : Private on HackerOne
Bounty : $500

--------------------------------------------------------------------------
DOM Based XSS in blog.redacted.com

prettyPhoto is a jQuery lightbox plugin bundled with many WordPress themes and plugins, so one vulnerable copy of it turns up on a lot of sites.
The bug is a DOM based XSS in the deep-linking code around the setTimeout call in js/jquery.prettyPhoto.js. prettyPhoto 3.1.4 and earlier reads a gallery name and an image index out of the URL fragment (#prettyPhoto[<rel>]/<index>/) and concatenates both, unescaped, into a jQuery selector, so a crafted fragment lets a remote attacker inject arbitrary web script or HTML into the page. No server-side component is involved; the payload never leaves the browser.

--------------------------------------------------------------------------
PoC
http://blog.redacted.com/#prettyPhoto[gallery]/1,<a%20onclick="document.write(document.cookie);">/

The fragment follows prettyPhoto's deep-link format: "gallery" lands in hashRel, and everything between the next "/" and the trailing "/" lands in hashIndex, payload included. The concatenated selector therefore contains an HTML tag; jQuery releases before 1.9 treat any string containing a tag as HTML, so $() builds an <a> element from it instead of running a query, and the click that prettyPhoto then triggers on the result fires the onclick handler, which writes the visitor's cookie into the page.

--------------------------------------------------------------------------
How to Fix
PrettyPhoto DOM Based XSS
You can fix the DOM based XSS in prettyPhoto by opening jquery.prettyPhoto.js in your favorite editor.
Scroll to line 876, directly after the lines that extract hashRel and hashIndex from the hash and before the setTimeout call that uses them, and add the lines:

// xss prevention
hashIndex = parseInt(hashIndex);
hashRel = hashRel.replace(/([ #;&,.+*~\':"!^$[\]()=>|\/])/g,'\\$1');

parseInt keeps only a leading integer, so the index slot of the fragment can no longer carry markup into the selector; the replace backslash-escapes jQuery selector metacharacters in the rel (note that "<" is not in that list, so the numeric index is doing most of the work). Depending on the download source, at least versions 3.1.4 and 3.1.5 of prettyPhoto are vulnerable to this DOM based XSS; a quick way to check a given copy is to grep it for the parseInt(hashIndex) line. Hand-patching is a stopgap: the root cause is untrusted fragment data concatenated into a string that is passed to $(), and jQuery releases before 1.9 parse any string containing a tag as HTML, so prefer a prettyPhoto release that already carries this fix together with a current jQuery, and check every copy of the plugin that themes and plugins on the site bundle. As always, test such code fixes first before putting them into production!
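The following is an added example, not prettyPhoto's code or the post author's: a DOM-free model of the deep-link handling that the two "xss prevention" lines patch, so the selector string built from the PoC fragment can be compared before and after the fix under Node. The parse and selector shape are reconstructed from the patch and the PoC (an assumption, as are the names parseHashtag, buildSelector, HOOK), and LEGACY_QUICK_EXPR / MODERN_QUICK_EXPR are jQuery 1.8's and 1.9's rquickExpr as recalled here, so verify them against the jQuery copy you actually ship.

```javascript
// Added example, not prettyPhoto's or the post author's code: a DOM-free model
// of the deep-link handling that the two "xss prevention" lines patch. The
// parse/selector shape is reconstructed from the patch and the PoC (assumption);
// the two quick-expression regexes are jQuery 1.8's and 1.9's rquickExpr as
// recalled here. Runs under Node with no dependencies.

const HOOK = 'rel'; // prettyPhoto's default settings.hook (assumption)

// Split "#prettyPhoto[<rel>]/<index>/" out of location.href the way the plugin
// does before the patch: plain substring work, no validation of either part.
function parseHashtag(href) {
  const at = href.indexOf('#prettyPhoto');
  if (at === -1) return null;
  const hashtag = decodeURI(href.substring(at + 1));
  const rel = hashtag.substring(hashtag.indexOf('[') + 1, hashtag.indexOf(']'));
  const index = hashtag.substring(hashtag.indexOf('/') + 1, hashtag.length - 1);
  return { rel, index };
}

// The string prettyPhoto hands to $() inside its setTimeout callback before
// triggering a click on whatever $() returns.
function buildSelector(rel, index) {
  return "a[" + HOOK + "^='" + rel + "']:eq(" + index + ")";
}

// Unpatched: both fragment pieces go straight into the selector.
function vulnerableSelector(href) {
  const p = parseHashtag(href);
  return p === null ? null : buildSelector(p.rel, p.index);
}

// Patched: the two lines from the fix. parseInt keeps only a leading integer,
// so nothing but digits reaches :eq(); the replace backslash-escapes jQuery
// selector metacharacters in the rel. Note that '<' is not in that list.
function patchedSelector(href) {
  const p = parseHashtag(href);
  if (p === null) return null;
  const index = parseInt(p.index, 10);
  const rel = p.rel.replace(/([ #;&,.+*~\':"!^$[\]()=>|\/])/g, '\\$1');
  // Added guard beyond the post's patch: a fragment with no numeric index
  // ("abc") would otherwise become :eq(NaN); refuse it instead.
  if (!Number.isInteger(index)) return null;
  return buildSelector(rel, index);
}

// Why the PoC fires: $(string) first decides whether the string is HTML.
// jQuery <= 1.8 accepted a <tag...> run anywhere in the string (after any
// prefix without '#' or '<'); 1.9 tightened this to strings that start with
// '<'. On the HTML path the string is parsed into elements, so an
// <a onclick=...> in it becomes a real element whose handler the plugin's
// click trigger then runs.
const LEGACY_QUICK_EXPR = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/; // jQuery 1.8
const MODERN_QUICK_EXPR = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/;      // jQuery 1.9+

// true when $() guarded by this quick-expression would treat `selector` as HTML.
function takesHtmlPath(selector, quickExpr) {
  const m = quickExpr.exec(selector);
  return m !== null && m[1] !== undefined;
}

// Constructed input: the PoC from the post, as location.href would carry it.
const POC = 'http://blog.redacted.com/#prettyPhoto[gallery]/1,<a%20onclick="document.write(document.cookie);">/';

console.log('unpatched selector      :', vulnerableSelector(POC));
console.log('  HTML path on jQuery 1.8:', takesHtmlPath(vulnerableSelector(POC), LEGACY_QUICK_EXPR));
console.log('  HTML path on jQuery 1.9:', takesHtmlPath(vulnerableSelector(POC), MODERN_QUICK_EXPR));
console.log('patched selector        :', patchedSelector(POC));
```

Running it shows the unpatched selector ending in :eq(1,<a onclick="document.write(document.cookie);">), which the 1.8 test accepts as HTML and the 1.9 test rejects, while the patched selector collapses to a[rel^='gallery']:eq(1). Feeding a rel such as <b> through patchedSelector gives a[rel^='<b\>']:eq(0), which the 1.8 test still sends down the HTML path because the escape list leaves "<" alone; whether that particular string yields anything executable depends on how the escaped attribute names tokenise, but it is why the numeric index and a current jQuery, not the rel escaping, carry the real weight of this fix.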


Security Researcher at Many Websites - Bug Hunter - Civil Engineer Student