The recent DOM-based Cross-Site-Script vulnerability in WordPress
has made me wonder how this could have happened in days where automated static code scanners are even integrated in standard
tools such as Burp Suite (the leading toolkit for web application security testing). In
this blog post I go a little bit into details about the vulnerability and what can be done to catch such a vulnerability.
#The Vulnerability in a nutshell
The vulnerability in the WordPress theme is actually a very trivial one, the source code for the example.html file can
be found in the Git history on GitHub as of 734cf336a9f.
If we take a look at the source code the problem is not too hard to spot for people that are familiar with the peculiarities
of older jQuery versions:
Basically, window.location.hash returns the hash of the URL (for example in example.html#foo it would be foo) and this result
is then used in a call to jQuery('.'+permalink). jQuery itself tends to be a sink and versions before 1.9.0 are happily
generating the vulnerable DOM element even if it starts with a .. To be automatically protected against this specific
sink hole one has to use at least jQuery 1.9.0, since this version this is only exploitable if the string starts with a <.
Though one should obviously be aware that there are still a ton of other sinkholes in jQuery.
#Detecting it statically
As it is with such easily detectable vulnerabilities one would expect that static code analysis would be able to spot these.
And indeed, at least BurpSuite Pro as well as
DominatorPro would have spotted these. So why wasn’t it
found before considering that WordPress is such a widely deployed software?
My take on this is that example.html was an example file and thus not actively linked. Many tools used to do web application
penetration testing are only be able to discover content if it is actively linked. In most scenarios the security analyst
will however be likely be able to get access to the actual sources. In an open-source world scenario this is also often
the case for so called black-box-testing.
I wrote a short Python script (written for Python 2.7) that will search all files of a defined type (defaults to .js and
.html) and serve it using the built-in Python web server. The directory listening is ensuring that all packaged files are
getting properly analyzed.
While there are other existing approaches I don’t
feel to keen to add huge Plugins to Burp and writing a short Python script is way easier than to audit the existing solutions.
The following script can be invoked using the following parameters:
The script can get stopped by pressing CTRL + C and will try to clean-up all created files.
In this example I’m using the Jetpack 3.5.2 version from GitHub,
as it features the vulnerability highlighted in this blog post. You can obviously also run this script over much bigger
One has now to configure Burp Scanner to also perform static code analysis on passive scans, this can be done via:
Static Code Analysis
Enable: “Active and passive scanning”
After this is done the Spider has to be configured to also follow links to non-text content, this can be done via:
Uncheck “Ignore links to non-text content”
As a next step it is required to spider the specified host:
After spidering is done all entries should be black in the site map and not gray anymore. Now the final step is required
by enabling the passive scan of the whole domain:
While some of the results will likely be false positives Burp might also find valid items, in this case Burp was able to
identify the discussed vulnerability on it’s own:
#Mitigations and what it means for ownCloud
As explained in an earlier blog post, Content-Security-Policy
would indeed help to prevent such XSS problems. In this specific case however this was a static served resource and the
CSP header would have to get applied by the web server.
At ownCloud we are thus considering and evaluating adding a Content-Security-Policy header also
for static ressources for one of our upcoming major releases. The progress can be tracked on our GitHub page at issue