Report, patch, repeat

Universal cross-site scripting vulnerability in Safari WebKit

Google’s Project Zero has announced another universal cross-site scripting (UXSS) vulnerability in WebKit, the popular browser engine.

The bug, which has since been patched, could have allowed an attacker to execute JavaScript from one domain to another in software using WebKit, a core component in Apple products like Safari.

The flaw lies in the way WebKit replaces the current document with a new one: a malicious actor could supply an attack string in the form of a JavaScript URL and use it to access the cross-domain object.

“The method calls DocumentWriter::begin, which might trigger JavaScript execution, and then sends data to the parser of the active document,” Project Zero’s Sergei Glazunov wrote in a bug report.

“If an attacker can perform another page load right before returning from begin, the method will append an attacker-controlled string to a potentially cross-origin document.”

The attack uses an <iframe> whose source is a JavaScript URL that targets the victim’s page.

“The attack won't work if the cross-origin document has no active parser by the time begin returns,” Glazunov added.

“The easiest way to reproduce the bug is to call document.write from the victim page when the main parsing task is complete.”

The critical vulnerability was disclosed to Apple on June 12, following an earlier UXSS bug in WebKit, reported on June 4.

This previous issue arose from the way WebKit deletes cross-domain objects when a page is loaded, also allowing for an attacker to execute JavaScript from one domain to another.

Both issues should have been resolved with an automatic security update. Users should ensure that their Apple operating systems are up to date and running the latest version of Safari.
