Last active February 8, 2023 16:12
CVE-2021-36713 Publication

Cross-Site Scripting (XSS) Vulnerability


DataTables is a table enhancing plug-in for the jQuery Javascript library, adding sorting, paging and filtering abilities to plain HTML tables with minimal effort.

This vulnerability was found during a penetration testing assessment of a website that used the DataTables library.


If a website developer exposes the sBaseName parameter of the DataTables function _fnCreateCookie, a malicious user can execute JavaScript code through it.

Vulnerability path:

_fnCreateCookie ( sName, sValue, iSecs, sBaseName, fnCallback )

var aCookies =document.cookie.split(';');

var aSplitCookie = aCookies[i].split('=');

try { oData = eval( '('+decodeURIComponent(aSplitCookie[1])+')' ); }

Affected target

This vulnerability was found in version 1.9.2, which contains the vulnerable function _fnCreateCookie.

Proof of Concept (PoC)

  • Surf to this URL:
  • Add a cookie with the name "XSS" and the value "alert(6)" (the vulnerability will occur if sBaseName is exposed)
  • To demonstrate the use of this library, go to the Console tab of the developer tools, paste the code below and run it; an alert dialog will appear

Below is a code snippet from line 4405 to line 4423:

var sBaseName = 'XSS'; // if this variable is exposed then the website will be vulnerable to XSS
var oData, sOldName = '', iOldTime = 9999999999999; // placeholders, declared here so the snippet runs on its own in the console
var aCookies = document.cookie.split(';');
for ( var i=0, iLen=aCookies.length ; i<iLen ; i++ )
{
    if ( aCookies[i].indexOf( sBaseName ) != -1 )
    {
        /* It's a DataTables cookie, so eval it and check the time stamp */
        var aSplitCookie = aCookies[i].split('=');
        try { oData = eval( '('+decodeURIComponent(aSplitCookie[1])+')' ); } // Vulnerable sink
        catch( e ) { continue; }
        if ( oData && oData.iCreate && oData.iCreate < iOldTime )
        {
            sOldName = aSplitCookie[0];
            iOldTime = oData.iCreate;
        }
    }
}


Waleed Ibrahim Alhajri
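
A hardened form of the cookie scan shown above, as an added example that is not part of the original gist or of DataTables: it replaces eval() with JSON.parse and validates the parsed result. The function name findOldestStateCookie, the DT_state_ cookie prefix and the sample cookie string are constructed for illustration, and the example assumes the stored state is strict JSON.

```javascript
// Added example, not DataTables code. Names and sample cookies are constructed.
function findOldestStateCookie(cookieString, sBaseName) {
  var sOldName = '', iOldTime = Infinity;
  var aCookies = cookieString.split(';');
  for (var i = 0; i < aCookies.length; i++) {
    var sCookie = aCookies[i].trim();
    var iEq = sCookie.indexOf('=');
    if (iEq === -1) { continue; }
    // Split on the first '=' only, so '=' inside the value is preserved.
    var sName = sCookie.slice(0, iEq);
    var sRaw = sCookie.slice(iEq + 1);
    // Match the prefix against the cookie name, not the whole "name=value".
    if (sName.indexOf(sBaseName) !== 0) { continue; }
    var oData;
    try {
      // JSON.parse only builds data; it never evaluates expressions.
      oData = JSON.parse(decodeURIComponent(sRaw));
    } catch (e) {
      continue; // bad percent-encoding or not JSON: ignore this cookie
    }
    // Accept only a plain object carrying a numeric creation time stamp.
    if (oData === null || typeof oData !== 'object' || Array.isArray(oData)) { continue; }
    if (typeof oData.iCreate !== 'number' || !isFinite(oData.iCreate)) { continue; }
    if (oData.iCreate < iOldTime) {
      sOldName = sName;
      iOldTime = oData.iCreate;
    }
  }
  return { sOldName: sOldName, iOldTime: iOldTime };
}

// Constructed sample input: two valid state cookies and two hostile values.
var sampleCookies = [
  'DT_state_a=' + encodeURIComponent('{"iCreate":1700000000000}'),
  'DT_state_b=' + encodeURIComponent('{"iCreate":1600000000000}'),
  'DT_state_c=alert(6)',
  'DT_state_d=' + encodeURIComponent('globalThis.__evaluated=true')
].join('; ');

console.log(findOldestStateCookie(sampleCookies, 'DT_state_'));
```

The two hostile values fail JSON.parse and are skipped, so the scan returns the oldest well-formed cookie without evaluating anything.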
