CVE-2024-26468 describes a DOM-based Cross-Site Scripting (XSS) vulnerability in the index.html component of jstrieb/urlpages before commit 035b647. This high-severity flaw lets an attacker inject and execute JavaScript in a victim's browser via a specially crafted URL, which can lead to session hijacking and other attacks.
In this article, we break down the vulnerability, show a proof-of-concept (PoC) exploit, discuss its impact, and cite the original code and references. You don't need to be an expert; we keep the language straightforward.
## What is DOM-based XSS & Why It Matters
A DOM-based XSS happens when client-side JavaScript modifies the page based on user-controlled input, such as query parameters or the URL fragment, without properly escaping or sanitizing it. Because the injected script runs in the victim's browser under the page's own origin, an attacker can, among other things:
- Deface the UI or redirect users
## Overview of jstrieb/urlpages
jstrieb/urlpages is a clever project that encodes an entire web page inside its URL, so the page can be kept or shared offline as nothing more than a bookmark. Its main page, index.html, reads parameters from the URL and decodes them to present the content.
Because a sanitization step is missing, an attacker can inject arbitrary markup that the browser will run, simply by tricking a user into visiting a malicious URL.
## The Flawed Code
Before commit 035b647, the main file (index.html) handled user input (usually in the hash or query parameters) like this:
```javascript
// Hypothetical vulnerable code in index.html
// Take everything after '#' in the URL and percent-decode it.
const urlPageContent = decodeURIComponent(window.location.hash.substr(1));
// Replace the whole document with the decoded string, parsed as HTML.
// Any <script> tag or inline event handler in it is executed.
document.open();
document.write(urlPageContent);
document.close();
```
The problem is that this code takes the raw, decoded fragment and:
- Directly injects it into the page's DOM as HTML
If the fragment contains script tags or event handlers, the browser executes them.
## Exploiting CVE-2024-26468
Attackers exploit this by crafting a malicious URL and sending it via email, chat, or social media. When a user opens it, their browser runs whatever JavaScript is injected.
### Example Exploit URL
Let's say the application is deployed at:
`https://jstrieb.github.io/urlpages/`
An attacker can send this link:
`https://jstrieb.github.io/urlpages/#<img%20src=x%20onerror=alert(document.domain)>`
The string after `#` is decoded to `<img src=x onerror=alert(document.domain)>`. It is written into the DOM, the image fails to load, and the browser fires the onerror handler, so alert(document.domain) pops up. In a real attack the payload would be far more harmful (for example, stealing session data).
To verify a deployment, paste this into your browser's address bar (assuming you're running a vulnerable version):
`https://jstrieb.github.io/urlpages/#<script>alert('XSS!')</script>`
If an alert pops up, that deployment is vulnerable.
## Real-World Impact
Anything relying on jstrieb/urlpages (especially in a multi-user environment or where untrusted users can share links) is open to theft and defacement, potentially leading to:
## The Fix
Patched in commit 035b647
The fix consists of sanitizing user input before inserting it into the DOM. Standard approaches are to build the page with DOM APIs instead of document.write, to escape all HTML so it renders as literal text, and to add a Content Security Policy (CSP) as defense in depth.
### Example of safer rendering
```javascript
// Secure method (simplified example)
const urlPageContent = decodeURIComponent(window.location.hash.substr(1));
const container = document.createElement('div');
// textContent stores the string as text, not markup: '<' becomes a literal
// character, so no tag is parsed and no event handler can fire.
container.textContent = urlPageContent;
document.body.appendChild(container);
```
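Putting the flawed sink and the fixed one side by side, as an added example that is not code from the urlpages project or from its patch: it decodes a URL fragment the way the vulnerable snippet does, escapes it the way textContent would, and checks that no tag opener survives. The function names (decodeFragment, escapeHtml, renderVulnerable, renderSafe, containsTag, audit) and the sample URL list are constructed for this example; the two payloads are the ones shown above.

```javascript
// Added example, not code from the urlpages project. Everything is a pure
// function so it runs under Node without a DOM; in a page, the escaped
// string is what you would assign to a container's textContent.

// Decode the fragment the same way the vulnerable snippet does. Malformed
// percent-encoding makes decodeURIComponent throw URIError; treat that as
// empty input rather than crashing the page.
function decodeFragment(url) {
  const hashIndex = url.indexOf('#');
  if (hashIndex === -1) return '';
  try {
    return decodeURIComponent(url.slice(hashIndex + 1));
  } catch (err) {
    return '';
  }
}

// Escape the five characters that can open markup or break out of an
// attribute value. Assigning to textContent does the equivalent natively.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Model of the vulnerable sink: the decoded string is inserted as HTML.
function renderVulnerable(url) {
  return decodeFragment(url);
}

// Model of the fixed sink: the decoded string is escaped before insertion.
function renderSafe(url) {
  return escapeHtml(decodeFragment(url));
}

// Regression check: does the string that reaches the DOM still contain a
// tag opener? After escaping it never should.
function containsTag(html) {
  return /<\s*[a-z!\/?]/i.test(html);
}

// Constructed sample URLs: the two payloads from the article plus a benign
// fragment whose '&' must survive escaping as readable text.
const BASE = 'https://jstrieb.github.io/urlpages/';
const SAMPLE_URLS = [
  BASE + '#<img%20src=x%20onerror=alert(document.domain)>',
  BASE + "#<script>alert('XSS!')</script>",
  BASE + '#Hello%20%26%20welcome',
];

// Summarize what each rendering path would hand to the browser.
function audit(urls) {
  return urls.map((url) => ({
    url,
    vulnerableHtml: renderVulnerable(url),
    safeHtml: renderSafe(url),
    vulnerableHasTag: containsTag(renderVulnerable(url)),
    safeHasTag: containsTag(renderSafe(url)),
  }));
}

console.log(JSON.stringify(audit(SAMPLE_URLS), null, 2));
```

Run it with node to see, for each URL, the string each path would hand to the browser. Two caveats apply. Escaping turns the fragment into inert text, which is only acceptable where the page does not need to render HTML taken from the URL; where it must, an allowlist sanitizer or rendering inside a sandboxed iframe is the alternative. And because a URL fragment is never sent to the server, this kind of check has to run client-side; web server logs will not contain the payload.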
## References
- Original GitHub Advisory
- CVE Record
- Patch Commit 035b647
- OWASP XSS Reference
## Conclusion
CVE-2024-26468 is a textbook example of DOM-based XSS caused by unsafe handling of user input. If you're using jstrieb/urlpages, update to any version after commit 035b647 immediately. Treat all user-controlled content as potentially malicious: always escape or sanitize it before it reaches the DOM.
If you have questions or want help verifying your deployment, join the OWASP community or browse the original GitHub repo.
## Timeline
Published on: 02/26/2024 16:27:59 UTC
Last modified on: 11/06/2024 15:35:12 UTC