JS Prime not finding the XSS vulnerability
// Classic DOM-based XSS pattern: document.location.href (influenced by whoever
// crafts the URL) is concatenated, without any encoding, into document.write(),
// an HTML sink. substring(8) only drops a fixed-length prefix (presumably the
// "https://" scheme — confirm) and does nothing to neutralize the rest of the URL.
document.write("hello" + document.location.href.substring(8) + "bye");
This is a very common example of a DOM-based XSS vulnerability (the attacker-influenced source `document.location.href` flows unencoded into the HTML sink `document.write`), yet JSPrime is not able to detect it. Is there any workaround for it?
Here `document.write("hello" + document.location.href.substring(8) + "bye");` is recorded by the analyzer as shown below — note that the `document.write` call is captured with empty `arguments`, so the source feeding the sink is never associated with it:
Function Name: [] Function call: [{"name":"document.write","line":1,"startScope":1,"endScope":1,"arguments":{"variables":[],"functions":[],"literals":[]},"returns":{"variables":[],"literals":[],"functions":[]}},{"name":"document.location.href.substring","line":1,"startScope":1,"endScope":1,"arguments":{"variables":["#CONSTANT_VAL#"],"functions":[],"literals":[8]},"returns":{"variables":[],"literals":[],"functions":[]}}] Constant Variable value: [] Dynamic Variable value: [] Object Variable value: []
In the asignFunctionReturnValue() function, case 1 (real_variable_var and real_func_names) sees real_variable_var.length === 0 and real_func_names.length === 0,
and case 2 (real_func_call and real_func_names) sees real_func_names.length === 0.
That is why the XSS could not be found. In engine.analyze(), because of the `+` operator the whole argument expression is treated as a "BinaryExpression"; this is the node data passed as the parameter:
{"type":"BinaryExpression","operator":"+","left":{"type":"CallExpression","callee":{"type":"MemberExpression","computed":false,"object":{"type":"MemberExpression","computed":false,"object":{"type":"MemberExpression","computed":false,"object":{"type":"Identifier","name":"document","loc":{"start":{"line":1,"column":16},"end":{"line":1,"column":24}}},"property":{"type":"Identifier","name":"location","loc":{"start":{"line":1,"column":25},"end":{"line":1,"column":33}}},"loc":{"start":{"line":1,"column":16},"end":{"line":1,"column":33}}},"property":{"type":"Identifier","name":"href","loc":{"start":{"line":1,"column":34},"end":{"line":1,"column":38}}},"loc":{"start":{"line":1,"column":16},"end":{"line":1,"column":38}}},"property":{"type":"Identifier","name":"substring","loc":{"start":{"line":1,"column":39},"end":{"line":1,"column":48}}},"loc":{"start":{"line":1,"column":16},"end":{"line":1,"column":48}}},"arguments":[{"type":"Literal","value":8,"raw":"8","loc":{"start":{"line":1,"column":49},"end":{"line":1,"column":50}}}],"loc":{"start":{"line":1,"column":16},"end":{"line":1,"column":51}}},"right":{"type":"Literal","value":"bye","raw":"\"bye\"","loc":{"start":{"line":1,"column":52},"end":{"line":1,"column":57}}},"loc":{"start":{"line":1,"column":16},"end":{"line":1,"column":57}}}
In engine.js, in the getFunction() method, the flow `else if (node.type === 'CallExpression')` -> `while (node6.type == "BinaryExpression")` is missing a check for `node5.type == "CallExpression"` (in the AST above the tainted call is the `left` operand of the BinaryExpression). Once a CallExpression operand is handled for both node6.left and node6.right, the source feeding the sink can be traced and the XSS identified. Note that `+` concatenation is only one shape of this pattern; a fix should propagate taint through any operand of the expression rather than special-casing this single form, otherwise the same source reaching the same sink through a different expression type would still be missed.
data:image/s3,"s3://crabby-images/7065b/7065b06c9c791e5d4bf5d707cb4ce74bf8185357" alt="screen shot 2018-12-28 at 3 37 43 pm"