Horndev / zapread.com

Website for zapread.com
https://www.zapread.com
GNU Affero General Public License v3.0

Stored XSS in Chat #373

Closed Horndev closed 5 years ago

Horndev commented 5 years ago

fwtf Stored XSS in Chat

The value of content in /Messages/SendMessage is vulnerable to XSS attacks targeting single users of zapread via a msg.

Steps to reproduce: Intercept a chat message with a proxy and edit the safe HTML to an XSS payload. {"id":1426,"content":"","isChat":true}

Mitigation: I saw you have a server-side XSS protection, I think you forgot it here. Just use that.

Impact: I saw that alert(1) everywhere after XSS-chatting to myself, I don't exactly know where this fires. But you can XSS specific targets, and the payload fires AT LEAST when the msg is opened, which might be helpful to take over your account. I could imagine a worm that upvotes my posts and sends itself to other users.
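The mitigation in the report is to run the chat message body through the server-side filter the rest of the site already uses before it is stored, because the client-side "safe html" editor is bypassed the moment the request is edited in a proxy. The following is an added example and not zapread's own code (the project's filter is not shown on this page): an allow-list HTML sanitizer written in Python with only the standard library, applied to the content field of a SendMessage body shaped like the one quoted above. The allowed tag and attribute set is an assumption chosen for illustration, and the sample message bodies are constructed.

```python
"""Allow-list HTML sanitizer for chat message content (added example)."""
import html
import json
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: tags a chat message may keep. Any other tag is removed
# while the visible text inside it is kept.
ALLOWED_TAGS = {"b", "i", "em", "strong", "code", "p", "br", "a"}
# Attributes allowed per tag. No event handler (onerror, onclick, ...) is in
# this set, so none can survive sanitization.
ALLOWED_ATTRS = {"a": {"href"}}
# Tags whose inner content is discarded along with the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
VOID_TAGS = {"br"}
SAFE_URL_SCHEMES = {"http", "https"}


def _safe_href(value):
    """Accept only absolute http(s) URLs; rejects javascript:, data:, //host."""
    if value is None:
        return False
    parsed = urlparse(value.strip())
    return parsed.scheme.lower() in SAFE_URL_SCHEMES and bool(parsed.netloc)


class ChatSanitizer(HTMLParser):
    """Rebuilds a fragment from parsed tokens instead of pattern-matching text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags opened but not yet closed
        self.skip_depth = 0   # > 0 while inside a DROP_CONTENT tag

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not _safe_href(value):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        # <br/> is kept as <br>; other self-closing tags get an explicit close.
        self.handle_starttag(tag, attrs)
        if tag.lower() not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        tag = tag.lower()
        if tag in DROP_CONTENT_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        # Close everything opened after this tag too, so output stays well-formed.
        while self.open_tags:
            closed = self.open_tags.pop()
            self.out.append("</%s>" % closed)
            if closed == tag:
                break

    def handle_data(self, data):
        if self.skip_depth:
            return
        # Text is re-escaped, so a literal '<' typed by a user never becomes markup.
        self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        return  # comments (and, by default, declarations/PIs) are dropped

    def result(self):
        self.close()
        while self.open_tags:  # close anything the sender left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_html(fragment):
    parser = ChatSanitizer()
    parser.feed(fragment)
    return parser.result()


def sanitize_send_message(body):
    """Sanitize the 'content' field of a SendMessage JSON body on the write path."""
    msg = json.loads(body)
    msg["content"] = sanitize_html(msg.get("content") or "")
    return msg


if __name__ == "__main__":
    # Constructed sample body (same shape as the report, content filled in).
    sample = '{"id":1426,"content":"<b>hi</b><script>alert(1)</script>","isChat":true}'
    print(sanitize_send_message(sample))
```

Sanitizing at the write path (the SendMessage handler) means the stored message is already safe no matter which view renders it later, which is what makes the "I don't exactly know where this fires" uncertainty in the report tolerable: there is no need to find every render site. Output encoding in the templates is still worth keeping as a second layer, since a sanitizer bug then becomes a display glitch rather than script execution.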

Horndev commented 5 years ago

Now fixed