Understanding DOM XSS and How it is Possible
This page is taking input from an untrusted source, and directly outputs it in the browser as HTML.
In this case, the untrusted source is window.name
. To the inexperienced programmer, this may seem harmless, but in reality, it can be set to any arbitrary value, because it’s derived from the name of the frame:
<iframe
src="http://www.domxss.com/domxss/01_Basics/05_jquery_html.html?681973661#message"
name="<script>alert(0)</script>"
></iframe>
In the code you’ve given, there’s another glaring hole: The selector is also taken from an untrusted source (the URL), which allows attackers to output the HTML in whatever place they desire. This doesn’t need to be a frame, just visit the following URL:
http://www.domxss.com/domxss/01_Basics/05_jquery_html.html?681973661#whatever],body,[whatever
t
is set to "whatever],body,[whatever"
(from location.hash
), and is used to construct a jQuery selector ("div[id="+t+"]"
). Together, it results in a selector that selects (e.g.) the <body>
element:
"div[id=whatever],body,[whatever]"
Though not as harmful as window.name
, it might be worth fixing.