Electric-Shop DOM-Based Cross-Site Scripting Vulnerability

Vulnerability

A DOM-based cross-site scripting vulnerability has been identified in Electric-Shop version 1.0, a project hosted on GitHub. This vulnerability allows for arbitrary execution of JavaScript in the context of the user's browser under the Electric-Shop origin. The issue arises because the site's client-side JavaScript improperly handles user input from the URL or page fragment, injecting it into the DOM using unsafe methods like innerHTML, insertAdjacentHTML, and document.write, without adequate sanitization or context-aware encoding.

Impact

Exploitation of this vulnerability allows for arbitrary JavaScript execution in the victim's browser. This could lead to theft of session tokens or credentials, account takeover, and privilege abuse. Additionally, it could facilitate persistent client-side pivot attacks.

Reproduction

To reproduce this vulnerability, craft a URL that includes a payload such as an image tag (with an invalid image source) using an event handler, such as 'onerror'. When this URL is opened, the injected JavaScript will execute in the context of the Electric-Shop origin.

Remediation

To address this vulnerability, remove unsafe DOM sinks such as innerHTML, insertAdjacentHTML, and document.write. Instead, use safe DOM APIs like textContent and setAttribute. It's also important to sanitize untrusted client-side input and apply a strict Content Security Policy.
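
The remediation above as an added example, not code from the Electric-Shop project: URL input is read as text, written through textContent, and checked for an http(s) scheme before it reaches setAttribute. The function names, the "q" parameter, the "results" element id, the shop.example host and the policy string are assumptions made for illustration.

```javascript
// Added example; readParam, renderText, safeHref, renderLink, the "q" parameter
// and the "results" element id are hypothetical, not Electric-Shop code.

// Constructed sample: a fragment carrying an image tag with an onerror handler.
const SAMPLE_URL = 'https://shop.example/#q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E';

// Read a parameter from the fragment, falling back to the query string.
// The result is attacker-controlled and is only ever handled as text.
function readParam(href, name) {
  const url = new URL(href);
  const fromHash = new URLSearchParams(url.hash.replace(/^#/, '')).get(name);
  return fromHash !== null ? fromHash : url.searchParams.get(name);
}

// Unsafe sink, for contrast: el.innerHTML = 'Results for ' + value;
// Safe sink: textContent stores the string without parsing it as HTML.
function renderText(el, value) {
  el.textContent = 'Results for ' + (value === null ? '' : value);
  return el;
}

// setAttribute does not make a URL attribute safe on its own: check the scheme.
// Returns a normalized http(s) URL, or null when the value must be rejected.
function safeHref(value, base) {
  try {
    const parsed = new URL(value, base);
    return ['http:', 'https:'].includes(parsed.protocol) ? parsed.href : null;
  } catch (err) {
    return null; // not parseable as a URL
  }
}

function renderLink(a, value, base) {
  const href = safeHref(value, base);
  if (href === null) a.removeAttribute('href');
  else a.setAttribute('href', href);
  a.textContent = value; // link label is text, never markup
  return a;
}

// One possible strict policy for the Content-Security-Policy response header.
const CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Browser wiring; skipped when no DOM is present (for example under Node).
if (typeof document !== 'undefined') {
  const out = document.getElementById('results');
  if (out) renderText(out, readParam(location.href, 'q'));
}
```

The scheme check matters because the URL parser normalizes case and strips embedded tabs and newlines, so a plain string comparison against "javascript:" is not a substitute for it.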

Added: Nov 18, 2025, 3:20 PM
Updated: Nov 18, 2025, 3:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.4
exploitability: 7.7
remediation: 0.0
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.