Skip to content

Security Fix for Cross-site Scripting (XSS) - huntr.dev #18

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: master
Choose a base branch
from
Open

Security Fix for Cross-site Scripting (XSS) - huntr.dev #18

wants to merge 7 commits into from

Conversation

huntr-helper
Copy link

https://huntr.dev/users/d3v53c has fixed the Cross-site Scripting (XSS) vulnerability 🔨. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#1
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/react-frappe-charts/1/README.md

User Comments:

📊 Metadata *

react-frappe-charts is vulnerable to Cross-Site Scripting (XSS).

Bounty URL: https://www.huntr.dev/bounties/1-npm-react-frappe-charts

⚙️ Description *

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

💻 Technical Description *

Cross-Site Scripting (XSS) attacks are mitigated by sanitizing the user inputs before rendering, thereby preventing malicious execution.

🐛 Proof of Concept (PoC) *

Create a sandbox using "React" https://codesandbox.io/s
Edit the data in the file App.js with the following code

//App.js
import React, { useRef } from "react";
import ReactFrappeChart from "react-frappe-charts";

export default function MyChart(props) {
  const chartRef = useRef();

  const exportChart = () => {
    if (chartRef && chartRef.current) {
      chartRef.current.export();
    }
  };

  return (
    <div>
      <ReactFrappeChart
        ref={chartRef}
        type="bar"
        colors={["#21ba45"]}
        axisOptions={{ xAxisMode: "tick", yAxisMode: "tick", xIsSeries: 1 }}
        height={250}
        data=
          labels: ["Sun", "Mon'><img src=x onerror=alert(1)>", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"],
          datasets: [{ values: [18, 60, 30, 35, 8, 52, 17, 4] }],
      />
      <button onClick={exportChart} type="button">
        Export
      </button>
    </div>
  );
}

And add the appropriate dependencies
XSS payload will get executed.

🔥 Proof of Fix (PoF) *

Before:

image

After:

xss-fix-dompurify-after

👍 User Acceptance Testing (UAT)

After the fix, functionality is unaffected.

gilangmlr
gilangmlr suggested changes Mar 13, 2021
View reviewed changes
JamieSlome and others added 2 commits March 13, 2021 14:00
@JamieSlome @gilangmlr
Update src/index.tsx
f8e25f1 
Co-authored-by: Gilang Gumilar <gilangmlr@gmail.com>
@JamieSlome @gilangmlr
Update src/index.tsx
8451f90 
Co-authored-by: Gilang Gumilar <gilangmlr@gmail.com>
@JamieSlome
Copy link

@gilangmlr - sorted! 🍰

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@gilangmlr gilangmlr gilangmlr requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@huntr-helper @JamieSlome @gilangmlr @d3v53c