Don't trust the DOM: Bypassing XSS mitigations via script gadgets

A script gadget is a legitimate piece of JavaScript in a page that reads elements from the DOM via selectors and processes them in a way that results in script execution.

To abuse a script gadget, the attacker injects a benign-looking element into the page that matches the gadget's selector. The gadget then selects the benign-looking element and executes attacker-controlled script. Because the injected element is benign on its own, it passes HTML sanitizers and security policies; the XSS only surfaces when the gadget mistakenly elevates the element's privileges.


Example

<div data-role="button" data-text="I am a button"></div>

<script>
	// assumes jQuery is already loaded on the page; the selector matches the injected <div>
	var buttons = $("[data-role=button]");
	buttons.html(buttons.attr("data-text"));	// this is a script gadget: the attribute value is written into the page as HTML
</script>

The data-text attribute is the injection point.
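As an added example (not code from the original page or the talk), the following JavaScript models why this gadget defeats a sanitizer: the sanitizer judges the injected element by tag and attribute names, so a data-text value is never inspected as markup, while the gadget's choice of sink (.html() vs .text()) decides whether that value is later parsed as HTML. The allowlist, the element objects and the sink stand-ins are assumptions made for the model, not any real library's API.

```javascript
// Added model (not from the original page): a per-element sanitizer plus the gadget's sink.
// Elements are plain objects {tag, attrs}; the "sanitizer" and "jQuery" are minimal stand-ins.

const ALLOWED_TAGS = new Set(["div", "span", "p", "b", "i"]);
const ALLOWED_ATTR = /^(id|class|title|data-[a-z0-9-]+)$/i;

// Per-element allowlist sanitizer: only tag names and attribute *names* are judged;
// attribute values are opaque strings, so a data-* value is accepted whatever it contains.
function sanitizerAccepts(el) {
  if (!ALLOWED_TAGS.has(el.tag.toLowerCase())) return false;
  return Object.keys(el.attrs).every((name) => ALLOWED_ATTR.test(name));
}

// The gadget's selector from the page, $("[data-role=button]"), as a predicate.
function matchesGadgetSelector(el) {
  return el.attrs["data-role"] === "button";
}

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Stand-in for an HTML sink (innerHTML / jQuery .html()): the string reaches the HTML
// parser unchanged, so any tag in it is interpreted.
function sinkHtml(value) { return value; }
// Stand-in for a text sink (textContent / jQuery .text()): markup becomes literal characters.
function sinkText(value) { return escapeHtml(value); }

// Vulnerable gadget, as on the page: attribute value -> HTML sink.
function gadgetVulnerable(el) {
  return matchesGadgetSelector(el) ? sinkHtml(el.attrs["data-text"]) : null;
}
// Hardened gadget: same behaviour for plain labels, but the value goes to a text sink.
function gadgetHardened(el) {
  return matchesGadgetSelector(el) ? sinkText(el.attrs["data-text"]) : null;
}

// Does the string that reaches the parser open a tag?
function parserSeesTag(markup) { return /<[a-z/!]/i.test(markup); }

// Constructed input: benign tag and attribute names, but the label value carries markup.
const injected = {
  tag: "div",
  attrs: { "data-role": "button", "data-text": "<b>I am a button</b>" },
};
```

Running the model shows sanitizerAccepts(injected) is true for both gadget versions, yet only gadgetVulnerable hands the parser a string containing a tag.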
