[pydotorg-www] [Webmaster] Fwd: [PSRT] XSS DOM on python.org

Wes Turner wes.turner at gmail.com
Fri Jan 10 18:30:01 EST 2020


Is this a variable in a template whose value is controlled by (always
untrusted) user-supplied input?

Maybe I've misread the vuln report?
Doesn't this apply to any website? I.e. a person can edit the HTML of any
page with developer tools and add code wherever.

AFAIU, users can XSS themselves with that approach in all cases.

Is there a suggested remediation (field in the email template)? I.e.
website maintainers with control over the HTML source should — in general —
not add malicious JS, HTML, or CSS.

https://en.wikipedia.org/wiki/Cross-site_scripting

https://en.wikipedia.org/wiki/Self-XSS ? Is there a header or something
that modifies the browser protections against this approach? (Adding code
with DevTools or by Pasting a URL containing JS into the location bar
*should* raise an error; MITM XSS can't be detected because hashes can be
changed or removed (even if signed) without TLS/SSL PKI; and user-supplied
input from form fields or URL parameters should always be appropriately
escaped)

https://cwe.mitre.org/data/definitions/79.html

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

https://www.owasp.org/index.php/Client_Side_Testing

Can someone explain what even a static HTML site can do to limit the impact
of "Self XSS"? Perhaps I've misunderstood the report.

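Added example (not part of the thread or of the python.org code base): the report's payload `"><svg onload=alert(1)>` only breaks out of the `src` attribute when the value is interpolated unescaped, and even injected markup cannot run an inline `onload=` handler under a CSP that omits `'unsafe-inline'`. The CSP check below is a simplified reading of the directive rules (it ignores `'unsafe-hashes'`), and the template string is a constructed stand-in for a server-side template.

```python
import html

# Constructed sample: the attribute payload from the report, as it would
# arrive in a URL parameter or form field rather than via DevTools.
REPORTED_PAYLOAD = '"><svg onload=alert(1)>'

# Hypothetical template fragment standing in for a real template engine.
LOGO_TEMPLATE = '<img class="python-logo" src="%s" alt="python">'


def render_logo_unsafe(src: str) -> str:
    """Vulnerable form: raw interpolation, which a real reflected/DOM XSS needs."""
    return LOGO_TEMPLATE % src


def render_logo(src: str) -> str:
    """Hardened form: escape quotes and angle brackets so the value can never
    terminate the attribute or open a new tag."""
    return LOGO_TEMPLATE % html.escape(src, quote=True)


def inline_handlers_allowed(csp: str) -> bool:
    """Return True when a Content-Security-Policy header value still lets
    inline event-handler attributes (onload=, onerror=, ...) execute.
    Simplification: 'unsafe-hashes' is not modelled."""
    directives = {}
    for directive in csp.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    # script-src-attr governs handler attributes, then script-src, then default-src.
    sources = None
    for name in ("script-src-attr", "script-src", "default-src"):
        if name in directives:
            sources = directives[name]
            break
    if sources is None:
        return True  # no directive covers scripts: browser default permits inline
    # A nonce or hash source makes browsers ignore 'unsafe-inline' entirely.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    return "'unsafe-inline'" in sources and not has_nonce_or_hash
```

Escaping addresses the injection in server-rendered or client-rendered input; a CSP without `'unsafe-inline'` is the header-level layer that stops an injected `onload=` even when escaping was missed.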

On Fri, Jan 10, 2020, 1:12 PM Steve Holden <steve at holdenweb.com> wrote:

> Hey Victor,
>
> I'm sending this reply to pydotorg-www@, since it is they who handle
> updating the web site.
>
> webmaster@ is a common destination for such queries, but all we can do is
> what I've just done in most cases.
>
> Kind regards,
> Steve Holden
>
>
> On Fri, Jan 10, 2020 at 5:03 PM Victor Stinner <vstinner at python.org>
> wrote:
>
>> Hi python.org webmasters,
>>
>> Would you mind having a look? :-)
>>
>> Victor
>>
>> ---------- Forwarded message ---------
>> From: Nikhil1R via PSRT <psrt at python.org>
>> Date: Fri. 10 Jan 2020 at 10:18
>> Subject: [PSRT] XSS DOM on python.org
>> To: security at python.org <security at python.org>
>>
>>
>> [*] Summary:
>> XSS DOM on https://www.python.org/
>>
>> [*] Steps To Reproduce:
>>
>> 1.  Open https[://]spotify[.]com/us/
>> 2.  Go to the "Web Developer" options and select the "Inspector" option.
>> 3.  In the Inspector options, select the <img class="python-logo"
>> src="/static/img/python-logo.png" alt="python™"> element.
>> 4.  Right-click it and select "Edit as HTML".
>> 5.  Replace the value in quotes, "/static/img/python-logo.png", with the
>> string "><svg onload=alert(1)> .
>> 6.  After that, click outside the HTML editing box.
>> 7.  Hence, you will get the alert of XSS (DOM based) being executed.
>>
>> [*] Impact:
>>           Source is controlled by the user, so they can execute the XSS for a
>> dangerous sink.
>>
>> [*] Supporting Material/References:
>>
>>          1. Screenshots attached are .png.
>>          2. Browser: Latest Firefox 71.0 (64-bit) for Linux & latest
>> Firefox for Windows.
>>          3. OS: Linux, Windows.
>>
>> Note: I'm only attaching the screenshot for Linux, but I had also
>> tested this on Windows 10.
>> -----------------------------
>> Python Security Response Team
>> Unsubscribe:
>> https://mail.python.org/mailman/options/psrt/vstinner%40python.org
>>
>>
>> --
>> Night gathers, and now my watch begins. It shall not end until my death.
>>