duckduckgo / zeroclickinfo-fathead

DuckDuckGo Instant Answers based on keyword data files
https://duckduckhack.com/

Wikihow: Possible XSS Vulnerability #898

Closed javathunderman closed 6 years ago

javathunderman commented 6 years ago

Seems that in some Wikihow answers that include HTML source code as part of the article, the IA is actually rendering it rather than just showing the source alone. (See step 4 in IA box below). Bug was first reported on this /r/duckduckgo post.

Screenshot of the affected result: https://duckduckgo.com/?q=how+to+create+big+block+text+box

@duckduckgo/community-leaders


Instant Answer Page: https://duck.co/ia/view/wikihow

tagawa commented 6 years ago

Thanks for filing this @javathunderman. We've disabled this IA for now until a fix is released. By the way, the content shown from wikiHow is actually data we've parsed and cached so not live data, which reduces the threat a little but is still obviously something we need to fix. /cc @bbraithwaite

kyzn commented 6 years ago

The link above (https://duckduckgo.com/?q=how+to+create+big+block+text+box) still loads the wikihow answer for me. Tried in Firefox 60.0.1 for Ubuntu (in a private window) & Chromium 66.0.3359.181 (incognito).

javathunderman commented 6 years ago

Same here, @tagawa. Seeing it on the latest version of the Android app.



tagawa commented 6 years ago

@kyzn @javathunderman Thanks for spotting that. Not sure what happened but I've just let the developers know.

pjhampton commented 6 years ago

Sorry I'm late to the party.

Weird, I thought we had dealt with this early on in the post-processing of the data. However, this was a consistent issue with the FatHead IAs for programming

However, are we really sure this is XSS vulnerable? :thinking: https://www.owasp.org/index.php/Testing_for_Cross_site_scripting

I have run some tests of my own and got someone else to look at this as well.

What testing has the OP of that post done? How has he submitted a value via a vanilla textarea? Needs more details... disable if you guys feel fit though.

edit: I moved on slightly after this IA was developed, so I'm not sure how it was maintained to be honest. But it does look like it could be updated and run again for fresher info.

moollaza commented 6 years ago

We're investigating a frontend fix for this.

As @tagawa and @pjhampton mentioned, there isn't a real vulnerability here as it's just an input on the page. With DuckDuckHack in maintenance, the Fatheads are not being updated so for now this is more of an issue of the SERP breaking.

The IA is being taken offline (and some others that are breaking the SERP) and once we manage to fix we'll bring them back.
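As an added example (not the project's code, and not the frontend fix the team shipped), this shows how the parsing side could escape cached wikiHow step text so markup inside an article is displayed as source, together with a check that flags cached abstracts carrying tags the template never emitted. The sample step text, the `<ol>/<li>` template and the function names are assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed sample: step text that wikiHow shows as source, which the
# cached IA abstract rendered as live markup instead of literal text.
STEPS = [
    "Open your page in a text editor.",
    'Add <textarea rows="10" cols="60"></textarea> where the box should go.',
]

# Tags the assumed IA template emits itself; anything else is injected content.
TEMPLATE_TAGS = {"ol", "li"}


def render_steps(steps):
    """Build the abstract HTML, escaping each step so article text that
    contains markup is shown as source rather than rendered."""
    items = "".join(f"<li>{html.escape(step, quote=True)}</li>" for step in steps)
    return f"<ol>{items}</ol>"


class _TagCollector(HTMLParser):
    """Collects every start tag the browser would actually see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(abstract):
    """Return tags present in a cached abstract that the template did not
    produce; run it over cached data before it reaches the results page."""
    collector = _TagCollector()
    collector.feed(abstract)
    return sorted(set(collector.tags) - TEMPLATE_TAGS)


if __name__ == "__main__":
    unescaped = "<ol>" + "".join(f"<li>{s}</li>" for s in STEPS) + "</ol>"
    print(injected_tags(unescaped))            # ['textarea']
    print(injected_tags(render_steps(STEPS)))  # []
```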

kyzn commented 6 years ago

I agree with @pjhampton, and I feel like this is more of an HTML injection. https://www.owasp.org/index.php/Testing_for_HTML_Injection_(OTG-CLIENT-003)

Thanks for taking care of DuckDuckGo :1st_place_medal: :slightly_smiling_face:

moollaza commented 6 years ago

This has been fixed.