Bug report: DOM XSS in web worker via jsonpath-plus #1926

Open
nickcopi opened this issue Oct 17, 2024 · 0 comments
@nickcopi
Describe the bug
XSS is possible in CyberChef via jsonpath-plus jpath evaluations. After working with Google to fix a case where they had similar exposure, they were able to motivate the maintainer to return to the library after announcing he was leaving in February and release a patch to prevent this.

To Reproduce
Steps to reproduce the behavior or a link to the recipe / input used to cause the bug:

  1. Go to https://gchq.github.io/CyberChef/#recipe=JPath_expression('$.entry%5B?((%5C'%5C'.sub.constructor(%5C'console.log%601337%60%5C')()))%5D.resource.class.code','%5C%5Cn')&input=eyJlbnRyeSI6W3sicmVzb3VyY2UiOnsicmVzb3VyY2VUeXBlIjoiYmxhaCJ9fV19&ieol=CRLF
  2. Open Chrome DevTools and observe that console.log`1337` executed in the context of the web worker.

Expected behaviour
Untrusted user JSON paths should not lead to arbitrary JS evaluation. Bump the jsonpath-plus version up to the patched version.

Screenshots
[image]

Desktop (if relevant, please complete the following information):

  • OS: Windows 10
  • Browser: 5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
  • CyberChef version: Version 10.19.2

Additional context
Add any other context about the problem here.
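The report's core point is that a JSONPath string coming from an untrusted user should never reach a JavaScript evaluator. Besides updating jsonpath-plus as the report asks, a defence-in-depth check is to refuse, before evaluation, any path that uses the filter (`[?(...)]`) or script (`[(...)]`) constructs, since those are the only parts of the syntax that need code evaluation at all. The validator below is an added example written for this page; it is not CyberChef's or jsonpath-plus's own code. It assumes the untrusted paths only ever need member access, wildcards, recursive descent, numeric indexes, slices and quoted keys, and the function and variable names (`validateUntrustedPath`, `matchAt`, the regexes) are this example's own.

```javascript
// Allow-list validator for JSONPath expressions from untrusted input.
// Added example, not the project's code. Anything that is not plain
// member access, wildcard, recursive descent, index, slice or quoted key
// is rejected, which in particular rejects filter `[?(...)]` and script
// `[(...)]` segments, the constructs an evaluator would execute as JS.

// Sticky (`y`) regexes so each token is matched exactly at the cursor.
const IDENT = /[A-Za-z_][A-Za-z0-9_]*/y;          // .name   (assumed identifier shape)
const STAR = /\*/y;                                 // .*  or  [*]
const BRACKET = /\[(?:\*|'[^'\\]*'|"[^"\\]*"|-?\d+|-?\d*:-?\d*(?::-?\d*)?)\]/y;
// [*] [ 'key' ] ["key"] [3] [-1] [1:4] [:2] [::2]

function matchAt(s, i, re) {
  re.lastIndex = i;
  const m = re.exec(s);
  return m ? m[0] : null;
}

// Returns { ok: true } or { ok: false, reason } so the caller can log why
// a path was refused instead of silently passing it to the evaluator.
function validateUntrustedPath(path) {
  if (typeof path !== 'string' || path.length > 1024) {
    return { ok: false, reason: 'path must be a string of at most 1024 characters' };
  }
  if (path[0] !== '$') return { ok: false, reason: "path must start with '$'" };
  let i = 1;
  while (i < path.length) {
    if (path.startsWith('..', i)) {                 // recursive descent
      i += 2;
      const m = matchAt(path, i, IDENT) || matchAt(path, i, STAR) || matchAt(path, i, BRACKET);
      if (!m) return { ok: false, reason: `unsupported segment after '..' at offset ${i}` };
      i += m.length;
    } else if (path[i] === '.') {                   // child access
      i += 1;
      const m = matchAt(path, i, IDENT) || matchAt(path, i, STAR);
      if (!m) return { ok: false, reason: `unsupported segment after '.' at offset ${i}` };
      i += m.length;
    } else if (path[i] === '[') {                   // bracket segment
      const m = matchAt(path, i, BRACKET);
      if (!m) {
        return { ok: false, reason: `bracket segment at offset ${i} is not a plain index, slice, wildcard or quoted key` };
      }
      i += m.length;
    } else {
      return { ok: false, reason: `unexpected character '${path[i]}' at offset ${i}` };
    }
  }
  return { ok: true };
}

// Constructed sample inputs. The last one is the expression from the
// reproduction URL above (URL-decoded); it is refused at the `[?(` segment
// before any evaluator sees it.
const SAMPLE_PATHS = [
  '$.entry[*].resource.class.code',
  "$['entry'][-1].resource",
  '$..resource[0:2]',
  '$.entry[?(@.resource)].code',
  "$.entry[?((''.sub.constructor('console.log`1337`')()))].resource.class.code",
];

function report(paths) {
  return paths.map((p) => ({ path: p, ...validateUntrustedPath(p) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of report(SAMPLE_PATHS)) {
    console.log(r.ok ? 'ACCEPT' : 'REJECT', r.path, r.reason ? `(${r.reason})` : '');
  }
}
```

Run with `node` to see each sample path accepted or rejected with a reason. The check is deliberately syntactic: it does not try to decide whether a filter is "safe", it simply never lets a filter or script segment through, which is the property the report asks for ("untrusted user JSON paths should not lead to arbitrary JS evaluation"). Legitimate recipes that need filters would have to be handled on a separate, trusted input path.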

@nickcopi nickcopi added the bug label Oct 17, 2024