Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DOM element with a name='currentScript' attribute can hijack document.currentScript.src #1315

Closed
juj opened this issue Oct 8, 2024 · 2 comments
Closed

DOM element with a name='currentScript' attribute can hijack document.currentScript.src #1315

juj opened this issue Oct 8, 2024 · 2 comments

Comments

@juj
Copy link

juj commented Oct 8, 2024
edited
Loading

What is the issue with the DOM Standard?

Consider the following page:

<html><body>
<img name='currentScript' src='http://google.com/foo.js'>
<script>
console.log(document.currentScript.src);
</script></body></html>

This will print 'http://google.com/foo.js' instead of printing whatever script file is currently being executed on the web server's domain.

If an attacker is able to inject DOM elements into a web page with custom name attributes of the attacker's choosing (due to some pre-existing security flaw on the site), then with this <img name='currentScript'> trick they can potentially escalate their attack power to a higher tier XSS security flaw.

Searching the web, there are several CVE advisories about this trick being used to elevate an attacker's threat area in different projects:
https://vulert.com/vuln-db/CVE-2024-45389
GHSA-gcx4-mw62-g8wm
https://nvd.nist.gov/vuln/detail/CVE-2024-45812
GHSA-4vvj-4cpr-p986

Surely web browsers should just plug this threat vector altogether, and not allow any DOM element name='' attribute overwrite any element name (e.g. 'body', 'head', 'elements', 'URL', 'addEventListener', 'removeEventListener', etc...) on document that has a prereserved meaning in the DOM spec?

For example, it was recently reported to Emscripten project that Emscripten should not be accessing document.currentScript.src "bare" since it could be attacked via this way, but instead always only access it on the condition that document.currentScript.tagName == 'SCRIPT'.

It feels a bit nonsensical and misplaced to have to account for this problem in Emscripten since surely nobody should be allowed to have <foo name='currentScript'> replace document.currentScript - there are no good legitimate uses of that for anyone?

Also, in addition to the document.currentScript functionality, even if developers sanitize that hole, an attacker could cause denial of service style problems to web pages by injecting an element like <img name='addEventListener'> to cause site code to break.

Can the DOM spec enforce a guarantee that built-in attributes cannot be replaced in this manner? That way web developers would not need to think about this kind of threat vector elevation attacks downstream, and this whole class of CVEs like have been reported above would be impossible?
@juj juj mentioned this issue Oct 8, 2024
Open
@WebReflection

This comment was marked as off-topic.

Sign in to view
@annevk
Copy link
Member

annevk commented Oct 8, 2024

Named getters for Document and Window are defined by the HTML Standard. Duplicating this into whatwg/html#2212.

@annevk annevk closed this as not planned Won't fix, can't repro, duplicate, stale Oct 8, 2024
@WebReflection WebReflection mentioned this issue Oct 8, 2024
Open
@juj juj mentioned this issue Oct 8, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@WebReflection @juj @annevk