Cross-site Scripting (XSS) - DOM in karma-runner/karma
Reported on
Jan 8th 2022
Description
DOM-based XSS is a vulnerability in which the attacker can inject arbitrary JavaScript code into a DOM sink that supports dynamic code execution. In this case, the source is the query parameter return_url and the sink is location.href: assigning a javascript: URL to location.href runs the script in the page's origin instead of navigating.
Proof of Concept
1. Start the karma server and open the following URL in a browser:
http://localhost:9876/?return_url=javascript:alert(document.domain)
Impact
The attacker can execute arbitrary JavaScript in the victim's browser within the origin of the karma server, for example to run a crypto miner or to deliver a 0-day remote code execution exploit against the browser.
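The source-to-sink flow from the description, modelled in JavaScript as an added example beside a protocol-allowlist check of the kind the fix discussed in the thread below applies (accepting only http and https). This is not karma's code; the names sinkHref, readReturnUrl, vulnerableRedirect, isHttpUrl and fixedRedirect are this example's own, and the sink is simulated so the code runs under Node without a DOM.

```javascript
// Added example, not code from karma: a model of the return_url -> location.href
// flow from the report, beside a protocol-allowlist check like the one the
// thread below describes. All names here are this example's own.

// Simulated sink. In a browser this is `location.href = value`; assigning a
// javascript: URL there runs the script in the page's origin instead of
// navigating. Here we only record what the browser would do.
function sinkHref(value) {
  // Browsers strip leading whitespace and match the scheme case-insensitively,
  // so " JavaScript:..." is still executed.
  const executesScript = /^\s*javascript:/i.test(value);
  return { url: value, executesScript };
}

// Source: the return_url query parameter of the page's own URL.
function readReturnUrl(pageUrl) {
  return new URL(pageUrl).searchParams.get('return_url');
}

// Vulnerable flow: the source is handed to the sink without validation.
function vulnerableRedirect(pageUrl) {
  const target = readReturnUrl(pageUrl);
  return target === null ? null : sinkHref(target);
}

// Protocol allowlist. The value is resolved against the page URL so that a
// relative path ("/context.html") is still allowed; the WHATWG parser
// normalises the scheme, so case and leading whitespace cannot bypass it.
function isHttpUrl(value, pageUrl) {
  let parsed;
  try {
    parsed = new URL(value, pageUrl);
  } catch (e) {
    return false; // unparsable input is rejected
  }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:';
}

// Fixed flow: anything that is not http(s) stays on the current page.
// Note that any http(s) URL is still accepted, including foreign hosts.
function fixedRedirect(pageUrl) {
  const target = readReturnUrl(pageUrl);
  if (target === null || !isHttpUrl(target, pageUrl)) return null;
  return sinkHref(target);
}

// The PoC URL from the report.
const POC_URL = 'http://localhost:9876/?return_url=javascript:alert(document.domain)';

console.log('vulnerable:', vulnerableRedirect(POC_URL));
console.log('fixed:', fixedRedirect(POC_URL));
```

Running it shows the vulnerable flow passing the javascript: URL straight to the sink, while the protocol check sends nothing to the sink for that input; the same check still lets an https URL to another host through, which is the open redirect raised in the thread.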
a year ago
Hi,
I was about to fix the vulnerability after you validated it. But, it is really good that you fixed the bug yourself.
However, I have a doubt.
The current fix only allows the http and https protocols in return_url. This will allow people to exploit another vulnerability, Open Redirect, which means an attacker can redirect people to other websites by having them visit http://localhost:9876/?return_url=https://example.com
Is this an acceptable risk? Will it not be considered a security vulnerability in the future? Or can we plan to resolve that bug as well?
I do not see how Open Redirect is a vulnerability. Please help me understand.
Open Redirect is usually a low-severity vulnerability. It's like people trust example.com, and when they visit example.com/?url=http://attacker.com, they get redirected to attacker.com, where the attacker might be running a 0-day browser exploit, crypto-miners and other malicious stuff which may cause any type of harm to a user.
What would be your approach to mitigate that vulnerability?
Actually, I have not looked into the code for this redirect use case.
In order to mitigate the Open Redirect vuln, we should load trusted domains only, like subdomains of location, a set of trusted domains, etc.
I submitted https://github.com/karma-runner/karma/pull/3759 to mitigate that :)
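The host restriction suggested in the thread (same host or its subdomains, plus an explicit trusted list) as an added example in JavaScript. This is not karma's code and not the content of the linked pull request; the names isSubdomainOf, isTrustedReturnUrl and resolveReturnUrl are this example's own, and TRUSTED_HOSTS is a hypothetical allowlist. It runs under Node without a DOM.

```javascript
// Added example, not code from karma or from the linked PR: a return_url
// check that keeps the http/https allowlist and adds the host restriction
// suggested in the thread, which is what closes the open redirect.
// All names here are this example's own; TRUSTED_HOSTS is hypothetical.

const TRUSTED_HOSTS = ['ci.example.org'];

// Host-only comparison: "a.b" is a subdomain of "b", "ab" is not.
function isSubdomainOf(hostname, parent) {
  return hostname === parent || hostname.endsWith('.' + parent);
}

// Accept only http(s) targets whose parsed hostname is the page's own host,
// a subdomain of it, or (a subdomain of) an allowlisted host. Comparing the
// parsed hostname rather than the raw string is what defeats
// "//attacker.com", "http://localhost@attacker.com" and
// "http://localhost.attacker.com". Ports are deliberately not compared.
function isTrustedReturnUrl(value, pageUrl, trustedHosts = TRUSTED_HOSTS) {
  let target;
  try {
    target = new URL(value, pageUrl); // relative paths resolve to the page's host
  } catch (e) {
    return false;
  }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return false;
  const page = new URL(pageUrl);
  if (isSubdomainOf(target.hostname, page.hostname)) return true;
  return trustedHosts.some((h) => isSubdomainOf(target.hostname, h));
}

// Where the page should navigate: the validated absolute URL, or the page's
// own origin when the parameter is missing or rejected (fail closed).
function resolveReturnUrl(value, pageUrl, trustedHosts = TRUSTED_HOSTS) {
  if (value !== null && isTrustedReturnUrl(value, pageUrl, trustedHosts)) {
    return new URL(value, pageUrl).href;
  }
  return new URL(pageUrl).origin + '/';
}

// Constructed inputs against the karma page URL from the report.
const PAGE = 'http://localhost:9876/';
const SAMPLES = [
  'javascript:alert(document.domain)',   // the original XSS
  'https://example.com',                 // the open redirect from the thread
  '//attacker.com/',                     // protocol-relative, foreign host
  'http://localhost@attacker.com/',      // credentials trick
  'http://localhost.attacker.com/',      // look-alike host
  '/context.html',                       // same-origin relative path
  'http://build.ci.example.org/job/1',   // subdomain of an allowlisted host
];

for (const value of SAMPLES) {
  console.log(JSON.stringify(value), '->', resolveReturnUrl(value, PAGE));
}
```

Only the relative path and the allowlisted subdomain are followed; every other sample, including the plain https://example.com that a protocol-only allowlist would accept, falls back to the page's own origin.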