Cross-site Scripting (XSS) - DOM in karma-runner/karma
Jan 8th 2022
Source is query parameter return_url and sink is
Proof of Concept
1. Start karma server and visit the following link:
I was about to fix the vulnerability after you validated it. But, it is really good that you fixed the bug yourself.
However, I have a doubt.
The current fix only allows the https protocol in return_url. This will allow people to exploit another vulnerability, Open Redirect, which means an attacker can redirect people to other websites by having them visit
Is this an acceptable risk? Will it not be considered a security vulnerability in the future? Or can we plan to resolve that bug as well?
I do not see how Open Redirect is a vulnerability. Please help me understand.
Open Redirect is usually a low severity vulnerability. It's like people trust example.com, and when they visit example.com/?url=http://attacker.com they will get redirected to attacker.com, where the attacker might be running a 0-day browser exploit, crypto-miners and other malicious stuff which may cause any type of harm to a user.
What would be your approach to mitigate that vulnerability?
Actually, I have not looked into the code for this redirect use-case. In order to mitigate the Open Redirect vuln, we should load trusted domains only, like subdomains of location, a set of trusted domains, etc.
I submitted https://github.com/karma-runner/karma/pull/3759 to mitigate that :)
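The mitigation sketched in the thread above, as an added example that is not karma's own code and not the content of the linked pull request: a validator for return_url that resolves the parameter against the page origin, accepts only https (which closes the javascript: and data: sink the original DOM XSS relied on) and then only allows the current origin or a subdomain of an explicitly trusted domain (which closes the open redirect). The page origin, the trusted-domain list and every input URL below are constructed for illustration.

```javascript
// Added example (not karma's code): validate a return_url before redirecting.
// Returns a safe absolute URL, or FALLBACK when the candidate must not be used.
// Assumptions: currentOrigin is the origin of the page doing the redirect, and
// trustedDomains is a caller-supplied allowlist of apex domains.
const FALLBACK = '/';

// True when hostname equals a trusted apex domain or is a subdomain of one.
// The "." + dom suffix check prevents "evilci.example" matching "ci.example".
function hostIsTrusted(hostname, trustedDomains) {
  const h = hostname.toLowerCase();
  return trustedDomains.some((d) => {
    const dom = d.toLowerCase();
    return h === dom || h.endsWith('.' + dom);
  });
}

function safeReturnUrl(candidate, currentOrigin, trustedDomains = []) {
  if (typeof candidate !== 'string' || candidate.length === 0) return FALLBACK;

  let url;
  try {
    // Resolve relative to the page origin: "/done.html" stays on-site, while a
    // protocol-relative "//attacker.example" resolves off-site and is caught below.
    url = new URL(candidate, currentOrigin);
  } catch (e) {
    return FALLBACK; // unparseable input is never redirected to
  }

  // Scheme allowlist: rejects javascript:, data:, vbscript: and plain http:.
  if (url.protocol !== 'https:') return FALLBACK;

  // Refuse embedded credentials such as "https://ci.example@attacker.example/",
  // which visually impersonate a trusted host in the address.
  if (url.username || url.password) return FALLBACK;

  // Same origin (scheme, host and port) is always acceptable.
  if (url.origin === currentOrigin) return url.href;

  // Otherwise the host must sit under a trusted domain.
  if (!hostIsTrusted(url.hostname, trustedDomains)) return FALLBACK;
  return url.href;
}
```

Usage: call safeReturnUrl(params.get('return_url'), location.origin, ['ci.example']) and assign the result to location.href; anything that fails a check lands on FALLBACK instead of the attacker-controlled value. Comparing url.origin rather than only the hostname also prevents a same-host http URL from being treated as same-origin on an https page.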