Confirmed users
353
edits
Security/Reviews/Gaia/costcontrol: Difference between revisions
Security/Reviews/Gaia/costcontrol (view source)
Revision as of 16:08, 25 September 2013
, 25 September 2013→1. XSS & HTML Injection attacks
| Line 68: | Line 68: | ||
====1. XSS & HTML Injection attacks==== | ====1. XSS & HTML Injection attacks==== | ||
=====Suspicious but OK===== | |||
X. ~/work/code/gaia/apps/costcontrol/js/view_manager.js:111 - panel.innerHTML = panel.childNodes[i].nodeValue; | |||
-inside _loadPanel, which is a function assigned to loadPanel | |||
-loadPanel is used inside changeViewTo | |||
-loadPanel is passed a 'panel' that is an HTML element in the page fetched by getElementById() | |||
-it appears if the HTML element panel.childNodes[i].nodeVlaue is malicious, XSS is possible | |||
-Specifically, changeViewTo('datausage-tab') is called, so if 'datausage-tab' | |||
X. ~/work/code/B2G/gaia/apps/costcontrol/js/view_manager.js:138 - var script = document.createElement('script'); | |||
- Used to activate scripts | |||
- grabs a bunch of scripts (from where?) and then builds script tags with the sources. | |||
- can we contaminate the name of a script file defined in the src to something malicious | |||
Suspected-but-Not | |||
1. ~/work/code/gaia/apps/costcontrol/js/settings/settings.js:131 - src.innerHTML = xhr.responseText; | |||
-> XHR is fetching /debug.html which has no variable data | |||
2. ~/work/code/B2G/gaia/apps/costcontrol/js/fte.js:121 - if (window.location.hash) { | |||
- Does JS do inlining? If so, wouldn't a hash of alert(1) fire in that context? | |||
- "There is no implicit inling in JS" - dchan | |||
====2. Secure Communications ==== | ====2. Secure Communications ==== | ||