Knockout JS libraries vulnerable to data-bind injection

These KnockoutJS library versions are vulnerable to injection attacks via 'data-bind'. If an attacker can control the 'data-bind' attribute in the HTML markup (which is sometimes possible), the vulnerable versions of this library eval it while applying the bindings, so the injected expression runs as script in the page (XSS).

By
skeptic_fx 1 Seen 1049 times
Tags
knockoutjs xss data-bind libraries

Results

User Script (ENUM_FUNCTION)

					
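function test(data){
    // data is the input variable that is supplied from the Enumeration List.
    // Here it is a KnockoutJS version string that selects the cdnjs build
    // (see the Enum Data list below).

    // Set only when Knockout actually evaluates the probe's data-bind
    // expression. The timer below reports 'Not Vulnerable' only when nothing
    // fired, instead of reporting both outcomes for the same version.
    var fired = false;

    // Append a <script> for `src` to <head> and call `onLoad` exactly once
    // when it has loaded (readystatechange covers old IE). A load failure,
    // e.g. a version that does not exist on the CDN, calls `onError` so the
    // harness still receives a result instead of silence.
    function loadJS(src, onLoad, onError) {
        var done = false;
        var s = document.createElement('script');
        s.src = src;
        s.async = true;
        s.onreadystatechange = s.onload = function() {
            var state = s.readyState;
            // `done` guards against the callback firing twice when both
            // onload and readystatechange run.
            if (!done && (!state || /loaded|complete/.test(state))) {
                done = true;
                onLoad();
            }
        };
        s.onerror = function() {
            if (!done) {
                done = true;
                onError();
            }
        };
        document.getElementsByTagName('head')[0].appendChild(s);
    }

    // Report an exception as 'Error'. The load callback runs asynchronously,
    // so the try/catch around loadJS below would never see anything thrown
    // inside it.
    function reportError(e) {
        console.log(e);
        addInfo(data, 'Error');
    }

    try{
        // encodeURIComponent keeps an odd enumeration entry from altering the
        // URL path; plain version strings such as "3.4.0" are unchanged.
        loadJS('https://cdnjs.cloudflare.com/ajax/libs/knockout/' + encodeURIComponent(data) + '/knockout-min.js', function() {
            try {
                // Build the probe with DOM APIs rather than `body.innerHTML +=`:
                // the string form re-parses the whole document (dropping the
                // harness's own event handlers), and the original single-quoted
                // attribute was cut short at the first inner quote, so the
                // expression never reached Knockout intact.
                var probe = document.createElement('div');
                // `text` is a built-in binding whose value expression Knockout
                // evaluates. Identifiers inside a binding are resolved against
                // the view model passed to applyBindings (and the page globals),
                // not against this function's locals, so the probe calls a view
                // model member that records the hit and reports it.
                probe.setAttribute('data-bind', 'text: hit()');
                document.body.appendChild(probe);
                var viewModel = {
                    hit: function() {
                        fired = true;
                        addError(data, 'Vulnerable');
                        return '';
                    }
                };
                // Bind only the probe node. Binding the whole document again for
                // every version can throw on nodes an earlier run already bound.
                // NOTE(review): `ko` is the global left by whichever build loaded
                // last; if the harness runs several versions concurrently the
                // builds can overwrite each other — confirm the harness runs
                // entries one at a time.
                ko.applyBindings(viewModel, probe);
                setTimeout(function(){
                    if (!fired) {
                        addSuccess(data, 'Not Vulnerable');
                    }
                }, 3000);
            } catch (e) {
                reportError(e);
            }
        }, function() {
            reportError(new Error('failed to load knockout ' + data));
        });
    }
    catch(e){
        reportError(e);
    }
}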


					
				

Enum Data (ENUM_FUNCTION)

					
/**
 * KnockoutJS versions to probe, one entry per release.
 *
 * Collected from the version selector at https://cdnjs.com/libraries/knockout
 * by running:
 *   var versions = $('.version-selector option').map(function(){ return this.value; });
 * Pre-release builds (anything containing "rc" or "pre") are left out.
 *
 * Each entry is interpolated into a cdnjs URL of the form
 * https://cdnjs.cloudflare.com/ajax/libs/knockout/2.1.0/knockout-min.js
 */
var data = [
    "3.4.0",
    "3.3.0",
    "3.2.0",
    "3.1.0",
    "3.0.0",
    "2.3.0",
    "2.2.1",
    "2.2.0",
    "2.1.0",
    "2.0.0",
    "1.2.1",
];