The documentation for get() should mention the conditions under which it causes an XSS vulnerability, and describe what developers need to do to avoid introducing XSS when using get().
In particular, $.get(untrusted_url, function(...) {...}) is unsafe if untrusted_url comes from an untrusted source (e.g., from the attacker, from another user). There are apparently two problems. First, if the attacker controls evil.com, the attacker can arrange for untrusted_url to hold something like http://evil.com/callback=? and then arrange for evil.com to respond to that request with malicious JavaScript. jQuery's JSONP auto-detection will then eval the JavaScript found in the response to that request, making the $.get() call an XSS vulnerability. Second, if the attacker controls evil.com, the attacker can arrange for untrusted_url to be any URL under evil.com and then arrange for evil.com to respond to that request with malicious JavaScript served with a Content-Type set to something JavaScript-like.
This is a foot-gun. It's not clear from the documentation for get() that it can introduce this kind of vulnerability when part or all of the URL can be controlled by the attacker. The documentation for get() has no mention of the fact that it might auto-guess JSONP and eval the response from the server, let alone the conditions under which this happens. It also does not mention that it might eval the response from the server if its Content-Type is set to make it look like JavaScript. The documentation doesn't describe what developers have to do to be safe.
Documenting this more clearly would help developers avoid inadvertent XSS vulnerabilities in their code.
[Is the following still true? I have not verified it, and it might no longer be the only safe way.] Apparently if the URL might be partially or completely under attacker control, the only safe way to fetch JSON from that URL is to use $.ajax(url, {dataType: 'json', jsonp: false});. In particular, it is necessary to set dataType to json and set the jsonp option to false. This fact is not apparent from the documentation -- it should be described in the documentation more clearly. Also there appears to be no way to set this combination of settings with the $.get() method, so when the URL might be under attacker control, it's necessary to use $.ajax().
See http://stackoverflow.com/q/29044209/ for details.
Re-filed from jquery/jquery#2174 per suggestion there. See also #732.
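The following is an added example, not code from the jQuery project or from the issue above, that makes the two points of the issue concrete. JSONP_PATTERN is the regular expression jQuery's jsonp prefilter (src/ajax/jsonp.js) tests the request URL against to decide that a request is asking for JSONP; looksLikeJsonp() applies it so a developer can see which URLs would be upgraded. hardenedJsonOptions() builds the $.ajax options the issue recommends (dataType pinned to "json", jsonp disabled) and additionally enforces an origin allow list, which is an assumed policy of this example and not something jQuery provides. fetchJson() takes the ajax function as a parameter so it can be exercised without a browser; in a page you would pass $.ajax.

```javascript
// Added example (not from jQuery or the issue author). Runs under Node.
"use strict";

// The pattern jQuery's jsonp prefilter uses: a "=?" token followed by "&"
// or the end of the string, or a literal "??", marks the request as JSONP.
const JSONP_PATTERN = /(=)\?(?=&|$)|\?\?/;

// True when jQuery's JSONP auto-detection would match this URL.
function looksLikeJsonp(url) {
  return JSONP_PATTERN.test(url);
}

// Build $.ajax options that cannot be turned into a JSONP/script request:
// dataType is pinned to "json" (so the response is parsed as JSON rather
// than sniffed from its Content-Type) and jsonp is disabled, which is the
// combination the issue recommends. The origin allow list is this example's
// own policy: an attacker-influenced URL may still only point at servers
// the application trusts. Relative URLs are rejected on purpose, because
// their origin cannot be checked without knowing the current page.
function hardenedJsonOptions(url, allowedOrigins) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    throw new Error("refusing non-absolute URL: " + url);
  }
  if (!allowedOrigins.includes(parsed.origin)) {
    throw new Error("origin not allowed: " + parsed.origin);
  }
  return {
    url: parsed.href,
    dataType: "json",
    jsonp: false,
  };
}

// Fetch JSON through an injected ajax function. In the browser call
// fetchJson(userSuppliedUrl, ["https://api.example.com"], $.ajax), which
// returns the jqXHR; here the ajax function is a parameter so the options
// it receives can be inspected offline.
function fetchJson(url, allowedOrigins, ajax) {
  return ajax(hardenedJsonOptions(url, allowedOrigins));
}

module.exports = { JSONP_PATTERN, looksLikeJsonp, hardenedJsonOptions, fetchJson };
```

Note that hardenedJsonOptions() keeps the "callback=?" token in the URL untouched: with jsonp set to false it is sent to the server as an ordinary query string, and the server's reply is handled only as JSON.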