DataTables is a table-enhancing plug-in for the jQuery JavaScript library, adding sorting, paging and filtering abilities to plain HTML tables with minimal effort.
This vulnerability was found during a penetration testing assessment of a website that used the DataTables library.
If a website developer exposes the sBaseName parameter of the DataTables function _fnCreateCookie, a malicious user can execute JavaScript code through it, because the value of any cookie matching sBaseName is passed to eval().
Vulnerability path:
_fnCreateCookie ( sName, sValue, iSecs, sBaseName, fnCallback )
↓
var aCookies =document.cookie.split(';');
↓
var aSplitCookie = aCookies[i].split('=');
↓
try { oData = eval( '('+decodeURIComponent(aSplitCookie[1])+')' ); }
This vulnerability was found in version 1.9.2. To reproduce it with the vulnerable function _fnCreateCookie:
- Surf to this URL: https://cdn.datatables.net/1.9.2/js/jquery.dataTables.js
- Add a cookie with the name "XSS" and let its value be "alert(6)" (the vulnerability will occur if sBaseName is exposed).
- To demonstrate it, go to the Console tab of the browser developer tools, paste the code below and run it; an alert dialog will appear.
Below is a code snippet from line 4405 until line 4423 of that file:
var sBaseName = 'XSS'; // if this variable is exposed then the website will be vulnerable to XSS
// Declared here so the snippet runs on its own in the console; in the library these are set
// earlier inside _fnCreateCookie (initial values assumed).
var oData, sOldName = "", iOldTime = 9999999999999;
var aCookies = document.cookie.split(';');
for ( var i=0, iLen=aCookies.length ; i<iLen ; i++ )
{
    console.log(aCookies[i].indexOf(sBaseName));
    if ( aCookies[i].indexOf( sBaseName ) != -1 )
    {
        /* It's a DataTables cookie, so eval it and check the time stamp */
        var aSplitCookie = aCookies[i].split('=');
        try { oData = eval( '('+decodeURIComponent(aSplitCookie[1])+')' ); } // Vulnerable sink: the cookie value is executed as JavaScript
        catch( e ) { continue; }
        if ( oData.iCreate && oData.iCreate < iOldTime )
        {
            sOldName = aSplitCookie[0];
            iOldTime = oData.iCreate;
        }
    }
}
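As an added example (not code from this writeup or from DataTables), here is the same cookie scan rewritten in a hardened form: the cookie string is taken as a parameter so it runs outside a browser, sBaseName is matched against the cookie name only, and the value is parsed with JSON.parse instead of eval, so a value such as "alert(6)" is skipped rather than executed. The function name findOldestDataTablesCookie and the SAMPLE_COOKIES string are constructed for this example.

```javascript
// Hardened replacement for the cookie scan above (example code, not DataTables' own).
// Returns the name of the matching DataTables cookie with the oldest iCreate
// time stamp, or null if none parses as JSON.
function findOldestDataTablesCookie(cookieString, sBaseName, iOldTime) {
  var sOldName = null;
  var aCookies = cookieString.split(';');
  for (var i = 0, iLen = aCookies.length; i < iLen; i++) {
    var sCookie = aCookies[i].trim();
    var iEq = sCookie.indexOf('=');
    if (iEq === -1) { continue; }
    var sName = sCookie.substring(0, iEq);
    var sRaw = sCookie.substring(iEq + 1);
    // Only cookies whose NAME starts with the DataTables prefix are considered;
    // the original indexOf() check also matched the prefix inside the value.
    if (sName.indexOf(sBaseName) !== 0) { continue; }
    var oData;
    try {
      // JSON.parse accepts data only; it throws on "alert(6)" instead of running it.
      oData = JSON.parse(decodeURIComponent(sRaw));
    } catch (e) {
      continue; // not valid JSON: skip this cookie, nothing is executed
    }
    if (oData && typeof oData.iCreate === 'number' && oData.iCreate < iOldTime) {
      sOldName = sName;
      iOldTime = oData.iCreate;
    }
  }
  return sOldName;
}

// Constructed sample standing in for document.cookie: two DataTables state
// cookies, the "XSS" cookie from the reproduction steps, and an unrelated one.
var SAMPLE_COOKIES =
  'SpryMedia_DataTables_example_=' + encodeURIComponent('{"iCreate":1000}') +
  '; SpryMedia_DataTables_other_=' + encodeURIComponent('{"iCreate":500}') +
  '; XSS=alert(6)' +
  '; theme=dark';
```

Calling findOldestDataTablesCookie(SAMPLE_COOKIES, 'XSS', 9999999999999) returns null because "alert(6)" is not JSON, whereas the eval-based scan would have executed it.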
Waleed Ibrahim Alhajri