I know this is vulnerable as a hacker could embed an image that visits the site URL and do all sorts with the 'message' parameter:

<script>
var message = // get message parameter from URL, e.g. domain.com?message=hello+there
document.write('Your message: ' + message);
</script>

...but is there any way a hacker could do anything with this (on its own without any other JS)?:

<script>
function displayMessage(message) {
  document.write(message);
}
</script>

Obviously I could open a console in a browser and type anything in, but could a hacker invoke a JavaScript method somehow (with this code alone)?

I know the method could be invoked if the website also had the code at the very top, but can a method be invoked on its own?

Btw. I'm not exactly looking to do the above, it just helps me understand this.

user2143356

  • All you have done is wrap it in a function, yes it is still vulnerable – Ian Jan 23 '16 at 00:23
  • What does "get message parameter from URL" mean? Do you mean `message` is an untrusted string which could contain whatever malicious code? – Oriol Jan 23 '16 at 00:28
  • I'm just wondering, what will the domain be, if `document.write` was called after the page has been parsed? It will open a new document, but is the original domain kept alive? – Teemu Jan 23 '16 at 00:31
  • @Ian - thanks for commenting. The first one gets a parameter from the URL and the second one receives a parameter in the method call. I haven't just wrapped it in a function. What I need to know is how could the second one be invoked? I don't think an attacker could just embed an image with my website URL in (like the first one), so what would they need to do? – user2143356 Jan 23 '16 at 00:31
  • As for "get message parameter from URL" I mean this: http://stackoverflow.com/questions/979975/how-to-get-the-value-from-the-url-parameter (e.g. domain.com?message=hello+there) – user2143356 Jan 23 '16 at 00:32
  • You'll still need to show *how* you "get message parameter from URL". Show the *actual* code. It's not possible to say if this is vulnerable to XSS or not. In theory it can be, and it might not be, but it depends on the actual implementation. – JJJ Jan 23 '16 at 00:38
  • @Juhana - thanks for reading and commenting. My question is about the second example (which doesn't get the message parameter from the URL). All the code is there. – user2143356 Jan 23 '16 at 00:39
  • It's not enough. How do you call that function? Where does `message` come from? – JJJ Jan 23 '16 at 00:39
  • But that's my question. Can a hacker call that function? – user2143356 Jan 23 '16 at 00:40
  • @Juhana In the code snippet there's a comment: "get message parameter from URL, e.g. domain.com?message=hello+there". – Teemu Jan 23 '16 at 00:41

1 Answer

In the first code, message is an untrusted string which can contain malicious code. Parsing it as HTML may execute that code:

var message = '<img src="//" onerror="alert(\'You are pwned!\')" />';
document.write('Your message: ' + message);

The second code is different. It's just a function, it doesn't run anything by itself.

Of course, if you call it with an untrusted string, you will have the same problem as in the first one. Therefore, don't do that.

However, attackers can't call arbitrary functions. Well, if they can, it means you are already pwned, so it doesn't matter anymore. I mean, if an attacker has gained enough "privileges" to be able to call displayMessage, why bother calling it instead of calling document.write (or whatever) directly?

Oriol

  • Thanks. Maybe this question was too obvious, but I just wanted to be certain of my understanding. The question sounded clear to me, but I think a few people didn't understand it. I will read through my question again and consider if I can improve on how I construct them in the future. – user2143356 Jan 23 '16 at 00:49
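The contrast the answer draws, as an added example that is not part of the original question or answer: the `displayMessage` function is inert until something calls it, and the only thing that makes `document.write` dangerous is the untrusted string it receives. The snippet below runs under Node, so it constructs a minimal fake `document` object (an assumption for this example; a real page would use the browser's `document`) and feeds the answer's sample payload to the sink twice, once raw and once HTML-escaped. The `containsActiveMarkup` helper is a rough check used only to show the difference between the two outputs; it is not a sanitizer.

```javascript
// Added example, not code from the original post.
// Shows why the sink (document.write) plus an untrusted string is the problem,
// and how escaping the string before it reaches the sink removes it.

// Escape the characters that let a string break out of HTML text context.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Stand-in for the browser's document (constructed for this example):
// it just records everything that is written to it.
function makeFakeDocument() {
  return { html: '', write(s) { this.html += s; } };
}

// The question's second snippet: nothing runs until someone calls it,
// but whatever is passed in is parsed as HTML.
function displayMessageUnsafe(doc, message) {
  doc.write(message);
}

// Same sink, but the untrusted string is escaped so it can only become text.
function displayMessageSafe(doc, message) {
  doc.write(escapeHtml(message));
}

// Rough detector: a literal '<' opening a tag that carries an on* handler,
// or an opening <script> tag. Used here only to compare the two outputs.
function containsActiveMarkup(html) {
  return /<\s*script\b/i.test(html) || /<\s*[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Untrusted input modelled on the payload in the answer (constructed sample).
const UNTRUSTED = '<img src="//" onerror="alert(\'You are pwned!\')" />';

// Run both variants against the same input and report what each wrote.
function demo(message = UNTRUSTED) {
  const unsafeDoc = makeFakeDocument();
  displayMessageUnsafe(unsafeDoc, message);
  const safeDoc = makeFakeDocument();
  displayMessageSafe(safeDoc, message);
  return {
    unsafe: unsafeDoc.html,
    safe: safeDoc.html,
    unsafeActive: containsActiveMarkup(unsafeDoc.html),
    safeActive: containsActiveMarkup(safeDoc.html),
  };
}

console.log(demo());
```

The point to take from running it is that the function by itself never executes anything; `unsafeActive` only becomes true once an untrusted string reaches the sink unescaped, which is exactly the situation the answer says to avoid. In a real page, `textContent` on a target element is the simpler fix, since it never parses the string as HTML at all.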