Possible XSS Vulnerability #1114

Closed
jamesmehorter opened this issue Apr 10, 2017 · 3 comments

@jamesmehorter
Type of issue

Possible XSS security vulnerability.

Description

After generating Prebid.js (using gulp), line 376 (in Prebid v0.21.0):

The url, width, and height parameters should be added using DOM manipulator functions; otherwise it may be vulnerable to XSS.

doc.write('<IFRAME SRC="' + url + '" FRAMEBORDER="0" SCROLLING="no" MARGINHEIGHT="0" MARGINWIDTH="0" TOPMARGIN="0" LEFTMARGIN="0" ALLOWTRANSPARENCY="true" WIDTH="' + width + '" HEIGHT="' + height + '"></IFRAME>');

Steps to reproduce

Generate prebid.js using:
gulp serve --adapters /path/to/my/vendors.json

This is my vendors.json

[
    "appnexus",
    "indexExchange",
    "pubmatic",
    "rubicon",
    "sovrn",
    "triplelift",
    "centro",
    "sharethrough",
    {
      "rubicon": {
        "alias": "rubiconLite",
        "supportedMediaTypes": ["video"]
      }
    }
]

Expected results

Any generated HTML should use DOM manipulator functions instead of arbitrarily building a string of HTML, e.g. something like:

var iframe = document.createElement('iframe');
iframe.src = encodeURI(url);
iframe.width = width;
iframe.height = height;
...

Actual results

doc.write('<IFRAME SRC="' + url + '" FRAMEBORDER="0" SCROLLING="no" MARGINHEIGHT="0" MARGINWIDTH="0" TOPMARGIN="0" LEFTMARGIN="0" ALLOWTRANSPARENCY="true" WIDTH="' + width + '" HEIGHT="' + height + '"></IFRAME>');

Platform details

Prebid v0.21.0
Generating with OS X 10.12.4
NPM v3.10.8

Other information

None

@jamesmehorter jamesmehorter changed the title XSS Vulnerability Possible XSS Vulnerability Apr 10, 2017
@mkendall07 (Member)

@jamesmehorter
Thanks for the issue report. Can you explain how this would get exploited? I assume that in order to do this, the adapter would have to be compromised to pass in and carry the exploit. If so the risk is minimal, but still possible. Is that what you are thinking about? Feel free to submit a PR with the suggested changes.

@jamesmehorter (Author)

If for any reason adObject became compromised, the current implementation could potentially let in something like <iframe src="javascript:alert('haxxord');" ...>

That's doubtful, but better safe than sorry. This doc presents it a little better than I can: https://www.mediawiki.org/wiki/DOM-based_XSS

Not sure I'll be able to submit a PR. Is that line generated by src/prebid.js:315?
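
A worked example added here (not Prebid.js code, and not code from either participant) that puts the string-built IFRAME from the issue next to a DOM-built one that validates its inputs first, and runs both against the javascript: payload from the comment above and against a width value that breaks out of its attribute. Function names (buildIframeMarkupUnsafe, validateIframeParams, renderIframe, encodeUriLeavesJsScheme, demo), the ALLOWED_SCHEMES list, the sample bid objects and the stubDoc stand-in for document are all assumptions for this example; the bid objects are constructed, not real bid responses. One point the example makes concrete: encodeURI by itself does not stop a javascript: URL, because it leaves ':' '(' ')' and "'" unchanged, so the scheme has to be checked explicitly.

```javascript
// Added example, not Prebid.js code: the string-built iframe from the issue
// next to a DOM-built one that validates its inputs first. Assumed names:
// buildIframeMarkupUnsafe, validateIframeParams, renderIframe, ALLOWED_SCHEMES,
// the constructed bid objects below, and stubDoc (a stand-in for `document`).

// Original pattern, kept as-is: the bid's url/width/height are concatenated
// straight into markup, so a quote in `width` terminates the attribute and a
// javascript: URL reaches SRC untouched.
function buildIframeMarkupUnsafe(url, width, height) {
  return '<IFRAME SRC="' + url + '" FRAMEBORDER="0" SCROLLING="no" ' +
    'MARGINHEIGHT="0" MARGINWIDTH="0" TOPMARGIN="0" LEFTMARGIN="0" ' +
    'ALLOWTRANSPARENCY="true" WIDTH="' + width + '" HEIGHT="' + height + '"></IFRAME>';
}

// Schemes an ad creative frame may legitimately point at (assumption).
const ALLOWED_SCHEMES = ['http:', 'https:'];

// Validate the three attacker-reachable values before they touch the DOM:
// an absolute http(s) URL and two non-negative integer sizes, or throw.
function validateIframeParams(url, width, height) {
  let parsed;
  try {
    parsed = new URL(String(url));
  } catch (e) {
    throw new Error('iframe src is not an absolute URL');
  }
  if (!ALLOWED_SCHEMES.includes(parsed.protocol)) {
    throw new Error('iframe src scheme not allowed: ' + parsed.protocol);
  }
  const w = Number(width);
  const h = Number(height);
  if (!Number.isInteger(w) || !Number.isInteger(h) || w < 0 || h < 0) {
    throw new Error('iframe width/height must be non-negative integers');
  }
  return { src: parsed.href, width: w, height: h };
}

// Hardened render: build the element through the DOM API. Values set with
// setAttribute are never parsed as markup, so a stray quote cannot open a new
// attribute, and the scheme check above keeps javascript: out of src.
// `doc` is anything with createElement (a real document or stubDoc below).
function renderIframe(doc, url, width, height) {
  const p = validateIframeParams(url, width, height);
  const iframe = doc.createElement('iframe');
  iframe.setAttribute('src', p.src);
  iframe.setAttribute('frameborder', '0');
  iframe.setAttribute('scrolling', 'no');
  iframe.setAttribute('width', String(p.width));
  iframe.setAttribute('height', String(p.height));
  return iframe;
}

// encodeURI alone does not help against the payload from the comment above:
// ':' '(' ')' and "'" are all left as-is, so the string comes back unchanged.
function encodeUriLeavesJsScheme() {
  return encodeURI(jsUrlBid.url) === jsUrlBid.url;
}

// Constructed inputs (not real bid responses): one benign creative and two
// hostile ones shaped like the payloads discussed in the thread.
const benignBid = { url: 'https://ads.example.test/creative.html', width: 300, height: 250 };
const jsUrlBid = { url: "javascript:alert('haxxord')", width: 300, height: 250 };
const breakoutBid = { url: 'https://ads.example.test/creative.html', width: '300" onload="alert(1)', height: 250 };

// Minimal stand-in for `document` so the demo runs under Node without a DOM.
const stubDoc = {
  createElement(tagName) {
    const attrs = {};
    return { tagName, attrs, setAttribute(k, v) { attrs[k] = v; } };
  },
};

// Run every bid through both paths and collect what each produced.
function demo() {
  const out = {
    unsafeJs: buildIframeMarkupUnsafe(jsUrlBid.url, jsUrlBid.width, jsUrlBid.height),
    unsafeBreakout: buildIframeMarkupUnsafe(breakoutBid.url, breakoutBid.width, breakoutBid.height),
  };
  for (const [name, bid] of Object.entries({ benignBid, jsUrlBid, breakoutBid })) {
    try {
      out[name] = renderIframe(stubDoc, bid.url, bid.width, bid.height).attrs;
    } catch (e) {
      out[name] = 'rejected: ' + e.message;
    }
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Running it shows the unsafe builder emitting `SRC="javascript:alert('haxxord')"` for the first hostile bid and `WIDTH="300" onload="alert(1)"` for the second, while renderIframe rejects both and accepts only the benign creative. Relative URLs are rejected on purpose here, on the assumption that creative URLs in a bid response are absolute; if a deployment needs them, resolve against a known base before the scheme check rather than relaxing it.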

@mkendall07 (Member)

@jamesmehorter
Yes that's correct - the code is at src/prebid.js:315

mkendall07 added a commit that referenced this issue May 9, 2017
@mkendall07 mkendall07 self-assigned this May 9, 2017
mkendall07 added a commit that referenced this issue May 18, 2017
@ghost ghost removed the in progress label May 18, 2017
outoftime pushed a commit to Genius/Prebid.js that referenced this issue May 24, 2017
…built

* 'master' of https://github.com/prebid/Prebid.js: (23 commits)
  Increment pre version
  Probed 0.24.0 Release
  Beachfront adapter - add ad unit size (prebid#1183)
  Thoughtleadr adapter - fix postMessage (prebid#1207)
  When prebid server issues a no-bid response, call addBidResponse for every adUnit requested (prebid#1204)
  Improvement/timeout xhr (prebid#1172)
  Add native support (prebid#1072)
  Improvement/alias queue (prebid#1156)
  Updated documentaion (prebid#1160)
  Improvement/prebid iframes amp pages (prebid#1119)
  Fixes prebid#1114 possible xss issue (prebid#1186)
  Allowed setTargetingForGPTAsync() to target specific ad unit codes. (prebid#1158)
  updated tag (prebid#1212)
  Common user-sync (prebid#1144)
  Rename secureCreatives file and lint (prebid#1203)
  HIRO Media: Remove batching mechanism and use AJAX instead of JSONP (prebid#1133)
  Add Support for DigiTrust in Rubicon Adapter (prebid#1201)
  Upgrade linters to ESLint with stricter code style (prebid#1111)
  Add dynamic bidfloor parameter to Smart Adserver Adapter (prebid#1194)
  Bug fix: bids served by secure creatives does not get pushed into _winningBids (prebid#1192)
  ...
vzhukovsky added a commit to aol/Prebid.js that referenced this issue Jul 17, 2017