Skip to content

Security Fix for Cross-site Scripting (XSS) - huntr.dev#18

Open
huntr-helper wants to merge 7 commits into
sheshbabu:masterfrom
418sec:1-npm-react-frappe-charts
Open

Security Fix for Cross-site Scripting (XSS) - huntr.dev#18
huntr-helper wants to merge 7 commits into
sheshbabu:masterfrom
418sec:1-npm-react-frappe-charts

Conversation

@huntr-helper

@huntr-helper huntr-helper commented Jan 19, 2021

Copy link
Copy Markdown

https://huntr.dev/users/d3v53c has fixed the Cross-site Scripting (XSS) vulnerability 🔨. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#1
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/react-frappe-charts/1/README.md

User Comments:

📊 Metadata *

react-frappe-charts is vulnerable to Cross-Site Scripting (XSS).

Bounty URL: https://www.huntr.dev/bounties/1-npm-react-frappe-charts

⚙️ Description *

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

💻 Technical Description *

Cross-Site Scripting (XSS) attacks are mitigated by sanitizing the user inputs before rendering, thereby preventing malicious execution.

🐛 Proof of Concept (PoC) *

Create a sandbox using "React" https://codesandbox.io/s
Edit the data in the file App.js with the following code

//App.js
import React, { useRef } from "react";
import ReactFrappeChart from "react-frappe-charts";

export default function MyChart(props) {
  const chartRef = useRef();

  const exportChart = () => {
    if (chartRef && chartRef.current) {
      chartRef.current.export();
    }
  };

  return (
    <div>
      <ReactFrappeChart
        ref={chartRef}
        type="bar"
        colors={["#21ba45"]}
        axisOptions={{ xAxisMode: "tick", yAxisMode: "tick", xIsSeries: 1 }}
        height={250}
        data=
          labels: ["Sun", "Mon'><img src=x onerror=alert(1)>", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"],
          datasets: [{ values: [18, 60, 30, 35, 8, 52, 17, 4] }],
      />
      <button onClick={exportChart} type="button">
        Export
      </button>
    </div>
  );
}

And add the appropriate dependencies
XSS payload will get executed.

🔥 Proof of Fix (PoF) *

Before:

image

After:

xss-fix-dompurify-after

👍 User Acceptance Testing (UAT)

After the fix, functionality is unaffected.

gilangmlr
gilangmlr suggested changes Mar 13, 2021
View reviewed changes
Comment thread src/index.tsx Outdated
Comment thread src/index.tsx Outdated
JamieSlome and others added 2 commits March 13, 2021 14:00
@JamieSlome @gilangmlr
Update src/index.tsx
f8e25f1 
Co-authored-by: Gilang Gumilar <gilangmlr@gmail.com>
@JamieSlome @gilangmlr
Update src/index.tsx
8451f90 
Co-authored-by: Gilang Gumilar <gilangmlr@gmail.com>
@JamieSlome

JamieSlome commented Mar 13, 2021

Copy link
Copy Markdown

@gilangmlr - sorted! 🍰

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@gilangmlr gilangmlr gilangmlr requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@huntr-helper @JamieSlome @gilangmlr @d3v53c