Kong / insomnia

The open-source, cross-platform API client for GraphQL, REST, WebSockets, SSE and gRPC. With Cloud, Local and Git storage.
https://insomnia.rest
Apache License 2.0

XSS in request name and URL leading to remote code execution #2985

Open magicOz opened 3 years ago

magicOz commented 3 years ago

Describe the bug
When rendering a request name either by highlight (search), viewing request documentation or showing the request URL, Insomnia suffers from an XSS vulnerability. Since Insomnia is built on Electron, this essentially leads to RCE.

Highlighting search result https://github.com/Kong/insomnia/blob/fa64e6b5e896c2d043499b6b937e1a8f616d5346/packages/insomnia-app/app/ui/components/base/highlight.js#L28

Rendering request documentation https://github.com/Kong/insomnia/blob/fa64e6b5e896c2d043499b6b937e1a8f616d5346/packages/insomnia-app/app/ui/components/markdown-preview.js#L105

Rendering tag-names in request URL https://github.com/Kong/insomnia/blob/fa64e6b5e896c2d043499b6b937e1a8f616d5346/packages/insomnia-app/app/ui/components/codemirror/extensions/nunjucks-tags.js#L299-L301

Autocomplete when inserting tag-names https://github.com/Kong/insomnia/blob/fa64e6b5e896c2d043499b6b937e1a8f616d5346/packages/insomnia-app/app/ui/components/codemirror/extensions/autocomplete.js#L463

To Reproduce
Steps to reproduce the behavior:

  1. Victim imports a malicious OpenAPI spec, either from a file or an online resource.
  2. Victim either searches for a request or clicks on one.
  3. RCE.

Expected behavior
If it's really necessary to utilize React's dangerous dangerouslySetInnerHTML method and the regular innerHTML, make sure to always escape / sanitize user-controlled data.

Screenshots
xss_poc (image)

Desktop:

Additional context
The attacker needs to bypass the CSP in order to execute arbitrary JavaScript code. In this PoC, I'm using a UNC path to a remote machine that hosts the payload.

Replace EVILHOST in Insomnia_malicious.json with a hostname that you control and host payload.html on that host in order to trigger the RCE part of the exploit. Attachment: poc.zip
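The mitigation the report asks for, escaping user-controlled text before it is handed to innerHTML or dangerouslySetInnerHTML, is shown below as an added example; it is not Insomnia's code and not taken from the linked components. It contrasts a highlight helper that concatenates a raw request name into markup with one that escapes every text segment first and inserts only the `<strong>` tags the code itself writes. The function names (`escapeHtml`, `unsafeHighlight`, `safeHighlight`, `onlyHighlightTags`) and the sample request names are assumptions constructed for illustration.

```javascript
// Added example, not Insomnia's code. Names and sample data are constructed.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace the five characters that can change HTML structure with entities.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Quote regex metacharacters so a search query is matched literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Insecure pattern: the raw request name (attacker-controlled when imported
// from a spec) goes straight into the HTML string, so any markup in it is
// rendered, not displayed.
function unsafeHighlight(name, query) {
  const text = String(name);
  if (!query) return text;
  const re = new RegExp(escapeRegExp(query), 'gi');
  return text.replace(re, (m) => `<strong>${m}</strong>`);
}

// Hardened pattern: match on the raw text, but escape each text segment
// before it is concatenated. The only tags in the output are the ones
// written here, never ones that came from the data.
function safeHighlight(name, query) {
  const text = String(name);
  if (!query) return escapeHtml(text);
  const re = new RegExp(escapeRegExp(query), 'gi');
  let out = '';
  let last = 0;
  for (const m of text.matchAll(re)) {
    out += escapeHtml(text.slice(last, m.index));
    out += `<strong>${escapeHtml(m[0])}</strong>`;
    last = m.index + m[0].length;
  }
  out += escapeHtml(text.slice(last));
  return out;
}

// Simple check usable in a unit test or review: the rendered string may
// contain no '<' other than the opening of <strong> or </strong>.
function onlyHighlightTags(html) {
  return !/<(?!\/?strong>)/.test(html);
}

// Constructed sample: a request name that carries markup, as an imported
// spec could supply.
const SAMPLE_NAME = 'Users <script>x</script>';

console.log(unsafeHighlight(SAMPLE_NAME, 'users'));
console.log(safeHighlight(SAMPLE_NAME, 'users'));
console.log(onlyHighlightTags(unsafeHighlight(SAMPLE_NAME, 'users')));
console.log(onlyHighlightTags(safeHighlight(SAMPLE_NAME, 'users')));
```

The escape step runs on the segments rather than on the whole string after matching, so a query never splits an entity such as `&amp;` and the highlight markup stays the only markup in the output. In a React component the result of `safeHighlight` is what would be passed to `dangerouslySetInnerHTML`; the `onlyHighlightTags` check is the kind of assertion a test suite can keep around that view.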

apisaint commented 3 years ago

I'm wondering, since sanitization would potentially remove custom scripts that are intentionally placed, or functionality that's intentional, would a modal stating something along the lines of "Import at your own risk" be an option, as any change would potentially break existing usages? 🤔

As it stands, you can already do malicious injection through requesting an HTML page. So it's more about "do things at your own risk" with these kinds of applications.

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.