
[Masthead Search] XSS scripting vulnerability in search

Description

attacker can run js through the search component in masthead

Component(s) impacted

masthead

Browser

No response

Carbon for IBM.com version

1.23.1

Severity

Severity 1 = The design is broken in a critical way that blocks users from completing tasks or damages the brand. Affects major functionality, no workaround.

Application/website

1.23.1

Package

@carbon/ibmdotcom-react

CodeSandbox example

SANDBOX DOES NOT WORK FOR THIS

Steps to reproduce the issue (if applicable)

Steps To Reproduce:
1. Go to https://www.ibm.com/docs/de/search
2. Now put this payload on the search icon "><img src=x onerror=alert(document.cookie)> and hit enter.
3. It will execute the XSS payload in the URL.

Release date (if applicable)

No response

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments:7 (4 by maintainers)

Top GitHub Comments

1 reaction
jeffchew commented, Oct 29, 2021

@kyjak IBM Search team handles it the same way as Google Search:

https://www.ibm.com/search?lang=en&cc=us&q="><img src%3Dx onerror%3Dalert(document.cookie)>

The input isn’t sanitized on the client side, but on the application side with the search results. The URL can be constructed by any user, whether malicious or not. The client side still does an encodeURIComponent on the string before redirecting, but we expect the application to do what it needs with the data being passed and not have it stripped beforehand.

1 reaction
jeffchew commented, Oct 28, 2021

Hi @kyjak ,

This issue will remain closed; we still believe that the inputs need to be sanitized on the application side, as the search field in the Carbon for IBM.com components is nothing more than a way of constructing a redirect URL and sending the user there. The redirect URL itself can still be constructed and executed without the Masthead, which is still a security risk from the application perspective. Sanitizing on the client side cannot prevent this, and might introduce other bugs or unknown side effects.

cc: @RobertaJHahn @emyarod @ljcarot
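The split of responsibilities described in both maintainer comments above, as an added example that is not code from the Carbon for IBM.com project: the masthead only percent-encodes the query into a redirect URL, and the search application that reflects the query back into a page must HTML-encode it at render time. Function names and the sample query are hypothetical; the URL shape follows the one quoted in the thread.

```javascript
// Masthead side (constructed illustration, not the real component): the only
// job is to build the redirect URL. encodeURIComponent is correct for the URL
// context, but it is not HTML sanitisation: the value decodes back unchanged.
function buildSearchUrl(query) {
  return "https://www.ibm.com/search?lang=en&cc=us&q=" + encodeURIComponent(query);
}

// Application side: the query arrives decoded, markup and all, whether or not
// the masthead was involved in building the URL.
function queryFromUrl(url) {
  return new URL(url).searchParams.get("q") ?? "";
}

// Vulnerable rendering: reflects the decoded query into HTML verbatim, which is
// the bug class the issue reports.
function renderHeadingUnsafe(query) {
  return `<h1>Results for "${query}"</h1>`;
}

// Hardened rendering: entity-encode the HTML-significant characters before
// interpolating into an HTML text or attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderHeadingSafe(query) {
  return `<h1>Results for "${escapeHtml(query)}"</h1>`;
}

// Constructed sample input with the same shape as the reported query string.
const SAMPLE_QUERY = '"><img src=x onerror=alert(1)>';

// Walk the query through the masthead redirect and both renderers.
function demo(query = SAMPLE_QUERY) {
  const url = buildSearchUrl(query);
  const q = queryFromUrl(url);
  return {
    url,
    roundTrips: q === query,          // URL encoding is lossless
    unsafe: renderHeadingUnsafe(q),   // markup survives into the page
    safe: renderHeadingSafe(q),       // markup is rendered as text
  };
}
```

The `roundTrips` flag is the point of the maintainer's argument: the client-side encoding protects only the URL, so the defence has to live in the application's HTML output.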
