kandanapp / kandan

Kandan is an Open Source Alternative to HipChat
GNU Affero General Public License v3.0

Search Function Vulnerabilities #337

Closed PythEch closed 10 years ago

PythEch commented 10 years ago

XSS Vulnerability: When a user searches for something, the JSON data that is sent to the browser is not sanitized. If the JSON has </script> in one of the fields, the browser assumes the JavaScript has ended, so you can inject your own JavaScript code into the victim's page.

  $(document).ready(function(){
    Kandan.Plugins.initAll()
    // server-side JSON is interpolated raw into the <script> body here
    activities = [***<this is not sanitized>***];

    $.each(activities, function(index, activityAttributes) {
      activity = new Kandan.Models.Activity(activityAttributes);
      activityView = new Kandan.Views.ShowActivity({activity: activity});
      $(".activities").append(activityView.render().el);
    })
  })

Reproducing: It needs more user activity than the former vulnerability, but this one is a little stealthier because it can be exploited through the first name.

Follow these steps:
• Register a new user.
• Change First name or Last name (or email or whatever...) to this: Adam </script><script>alert('xss')</script>
• Type something in the chat; this can be anything. For this example, I wrote "some random text passing through. I wrote a very informational thingy here so you can search that later."
• Log in as another user and search for "some random text".

Result: http://i.imgur.com/LUbyvWG.png

<script type="text/javascript">
//<![CDATA[

  $(document).ready(function(){
    Kandan.Plugins.initAll()
    activities = [{"action":"message","channel_id":1,"content":"some random text passing through. I wrote a very informational thingy here so you can search that later.","created_at":"2014-04-18T14:38:38Z","id":103,"updated_at":"2014-04-18T14:38:38Z","user_id":5,"user":{"active":true,"authentication_token":"LYKUXkAkm6nt5MsETsxS","avatar_url":"","created_at":"2014-04-18T14:28:44Z","email":"random@test.com","first_name":"Random","gravatar_hash":"4d8f36ae593dfec22e38570e40099e66","id":5,"is_admin":null,"last_name":"Adam </script><script>alert('xss')</script>","locale":null,"registration_status":"active","updated_at":"2014-04-18T14:45:03Z","username":"random"}}];

    $.each(activities, function(index, activityAttributes) {
      activity = new Kandan.Models.Activity(activityAttributes);
      activityView = new Kandan.Views.ShowActivity({activity: activity});
      $(".activities").append(activityView.render().el);
    })
  })

//]]>
</script>

With some minor refactoring it should be possible to do this fully undetected.

Information Disclosure Vulnerability:

The search function not only leaks the first names, last names and emails of the users, it also leaks authentication_token (which can be seen above). While I am not sure what its exact use is, it looks like it's used to prevent XSSI attacks. I'm trying to exploit this; I'll update the issue about this later. Nevertheless, names and emails shouldn't be exposed. If this is intended behaviour, well, it should be easier to get this information.

EDIT:

It's possible to do this fully undetected (unless the victim looks at the HTML source). Just set your last name to this:

Adam</script><script>alert('xss')</script><script>

Demonstration:

scouttyg commented 10 years ago

I'll check into this and see if I can push up a fix -- there are probably a few other XSS issues out there, but we'll squash them one by one. But let me just say that gif is awesome - I was able to follow your exact process. Cheers! :beers:

scouttyg commented 10 years ago

Just pushed up a fix pull request (see #340); it shouldn't leak auth_tokens now (other than your own auth_token, in the data-current-user variable on document).

It should also prevent XSS attacks like this, by calling html_safe on the JSON object and then json_escape, which should prevent any parsing by the app.

Keep letting me know if you find other ways to exploit the app though, or if I missed something, but these have been fun to fix!
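The break-out PythEch describes (a </script> inside a JSON string field terminating the inline script) and the json_escape fix scouttyg mentions, as an added Ruby example that is not Kandan's code or the #340 pull request. The template is a format-string stand-in for the ERB view, the json_escape helper is a local copy of the character mapping ActiveSupport's ERB::Util.json_escape uses so the file runs without Rails, the user-field whitelist is our own choice, and the activity records are constructed from the values in the report.

```ruby
require 'json'

# Constructed sample of what the search endpoint serialised, using the
# payload from the report as the attacker's last_name.
ATTACKER_USER = {
  "id" => 5, "username" => "random", "email" => "random@test.com",
  "first_name" => "Random",
  "last_name" => "Adam</script><script>alert('xss')</script><script>",
  "authentication_token" => "LYKUXkAkm6nt5MsETsxS"
}.freeze

SAMPLE_ACTIVITIES = [{
  "action" => "message", "channel_id" => 1, "id" => 103,
  "content" => "some random text passing through.",
  "user_id" => 5, "user" => ATTACKER_USER
}].freeze

# Shape of the view shown in the report (hypothetical ERB reduced to a format
# string): the JSON is dropped straight into a <script> element.
TEMPLATE = <<~HTML
  <script type="text/javascript">
  //<![CDATA[
    $(document).ready(function(){
      activities = %s;
    })
  //]]>
  </script>
HTML

# Vulnerable rendering: to_json leaves '<' and '>' alone, so a string field
# containing "</script>" is seen by the HTML tokenizer as the end of the element.
def render_vulnerable(activities)
  format(TEMPLATE, activities.to_json)
end

# Same mapping as ActiveSupport's ERB::Util.json_escape (local copy, not the
# Rails method). The output is still valid JSON because JSON strings may
# contain \uXXXX escapes, but the HTML tokenizer never sees a '<'.
JSON_ESCAPE = { "&" => '\u0026', ">" => '\u003e', "<" => '\u003c',
                "\u2028" => '\u2028', "\u2029" => '\u2029' }.freeze

def json_escape(json)
  json.gsub(/[&><\u2028\u2029]/, JSON_ESCAPE)
end

# Fields a search result actually needs; the list is our choice for the example.
PUBLIC_USER_FIELDS = %w[id username first_name last_name avatar_url gravatar_hash].freeze

def redact_activities(activities)
  activities.map { |a| a.merge("user" => a["user"].slice(*PUBLIC_USER_FIELDS)) }
end

# Hardened rendering: drop the sensitive user fields, then escape the JSON
# before it is placed inside <script>.
def render_hardened(activities)
  format(TEMPLATE, json_escape(redact_activities(activities).to_json))
end

# What a browser keeps as the script body: everything from the end of the
# opening tag to the first "</script", whatever the JS or JSON context.
def script_body(html)
  open_end = html.index(">", html.index("<script")) + 1
  html[open_end...html.index("</script", open_end)]
end

# The template's real close tag is preceded by "//]]>"; if the body the
# browser sees ends before that marker, a payload has closed the script early.
def script_closed_early?(html)
  !script_body(html).include?("//]]>")
end

# Parse the JSON back out of the rendered page, as the client code would.
def embedded_activities(html)
  JSON.parse(html[/activities = (.*);$/, 1])
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable closes early: #{script_closed_early?(render_vulnerable(SAMPLE_ACTIVITIES))}"
  puts "hardened closes early:   #{script_closed_early?(render_hardened(SAMPLE_ACTIVITIES))}"
  puts "hardened leaks token:    #{render_hardened(SAMPLE_ACTIVITIES).include?('authentication_token')}"
end
```

In an ERB view the escaping has to be applied to the serialized JSON string, and only the escaped result marked html_safe, otherwise Rails entity-encodes the quotes and the client's JSON breaks. The \u003c form is decoded by the JSON parser on the client, so the attacker's last_name is still displayed correctly there; it is the rendering into the DOM (the activity view in the report) that has to escape it as HTML.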

PythEch commented 10 years ago

Thanks for your kindness and fast response!

I'm not good at writing (non-native speaker problems), so I thought it would be a good idea to create a gif.

Also, on the social engineering side, today I realized it would have been easier to trap the admin by saying something like "hey @admin, I can't search my messages. Can you reproduce this issue?".

P.S.: This is the first time I'm pentesting a web application. It was fun to see XSS exploited on a RoR application, on my side too. I just wanted to see if I could reproduce the issues on http://google-gruyere.appspot.com/ and https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet