stored XSS in YUI datatable
Posted by: landijk
Date: May 24, 2010 01:21PM

YUI is a JavaScript widget library developed by Yahoo!. Their table widget, called DataTable, by default renders data as HTML fragments. The default formatter for rendering table cells is below:

    formatDefault : function(el, oRecord, oColumn, oData) {
        el.innerHTML = oData === undefined ||
                oData === null ||
                (typeof oData === 'number' && isNaN(oData)) ?
            " " : oData.toString();
    },

The function takes 4 parameters:

el -- the cell where data is to be written
oRecord -- the data "record"
oColumn -- the table column name
oData -- the actual data to be put in the cell

Note that all it does is set the cell's innerHTML. Hence obviously if the data source contains HTML markup strings, those will be rendered live. I'm calling this "stored XSS", even though some people might call vulnerabilities involving innerHTML "DOM injection" or something else. In any case, all the action is on the client side, and the data is coming from the server via XHR.

There are similar vulnerabilities in other YUI widgets.

My questions to the group:

1. How would you respond if the YUI people argued that it is up to the application developer to worry about XSS, and it is fine for the default formatter to be unsafe?

2. How should the safe implementation work (assuming you want to support arbitrary text strings)? Options are:

* use createTextNode
* use textContent/innerText
* use innerHTML, replacing <, >, and & with HTML entities
* something else?

I want to file a bug, but based on my experience with YUI developers so far, I think I'm going to run into a lot of pushback. It would be helpful if other people looked at this issue and chimed in. If people agree I should go ahead, I will cite this thread in the bug report. Thanks!

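The options listed in question 2, sketched as an added example that is not part of the original post and is not YUI code: the formatter names, the stand-in cell objects and the sample string are constructed for illustration, and only the `(el, oRecord, oColumn, oData)` signature and the empty-value test come from the formatter quoted above.

```javascript
// Added illustration, not YUI source.
const EMPTY_CELL = " "; // what the quoted formatter writes for missing data

// Same empty-value test as the quoted formatDefault.
function cellText(oData) {
  const missing = oData === undefined || oData === null ||
    (typeof oData === "number" && isNaN(oData));
  return missing ? EMPTY_CELL : oData.toString();
}

// Behaviour quoted in the post: the data is parsed as HTML.
function formatDefaultUnsafe(el, oRecord, oColumn, oData) {
  el.innerHTML = cellText(oData);
}

// Option "textContent/innerText": the browser never parses the data as markup.
// Feature-detect because older IE only has innerText.
function formatText(el, oRecord, oColumn, oData) {
  if ("textContent" in el) { el.textContent = cellText(oData); }
  else { el.innerText = cellText(oData); }
}

// Option "innerHTML with entities": <, > and & as in the post; quotes are
// added here so the helper is also safe if reused inside an attribute value.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}
function formatEscaped(el, oRecord, oColumn, oData) {
  el.innerHTML = escapeHtml(cellText(oData));
}

// Constructed sample value, as it might arrive from the data source.
const SAMPLE = '<b>Bob</b> & "friends"';

// Runs all three formatters against stand-in cell objects (no DOM needed).
function demo() {
  const a = { innerHTML: "", textContent: "" };
  const b = { innerHTML: "", textContent: "" };
  const c = { innerHTML: "", textContent: "" };
  formatDefaultUnsafe(a, null, null, SAMPLE);
  formatText(b, null, null, SAMPLE);
  formatEscaped(c, null, null, SAMPLE);
  return { unsafe: a.innerHTML, text: b.textContent, escaped: c.innerHTML };
}
```

In a browser, the first formatter produces a live `<b>` element, while the other two display the literal characters of the sample string.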
Re: stored XSS in YUI datatable
Posted by: PaPPy
Date: May 24, 2010 04:24PM

if you rely on scripts and they are vulnerable, it is on the server.
if you don't sanitize user inputs in the first place, it's on the server.

if you're not using NoScript, that's on the user

http://www.xssed.com/archive/author=PaPPy/

Re: stored XSS in YUI datatable
Posted by: zohaa
Date: October 15, 2014 11:44PM

Nice. Folks tend to forget that it's all about stacking attacks. With a bit of social engineering & phishing this might come in handy since they allow registration, you can capture login credentials and try the victim's Gmail account next to see if they are password re-users. (most likely). Or even better: if they have checked "remember my login credentials" in their browsers, you can just submit a button with CSRF and capture everything.

Re: stored XSS in YUI datatable
Posted by: sla_admin
Date: October 16, 2014 02:19PM

You're completely right zohaa, but I find it sad that the post you responded to is almost 5 years old and still super relevant.

PaPPy is of course right on, as always.
