lionleaf / dwitter

Social network for short js demos
https://www.dwitter.net
Apache License 2.0

Redirection vulnerability #443

Open imscary opened 5 years ago

imscary commented 5 years ago

Like in #367 but combined with XSS. CSP doesn't block it. https://dweet.dwitter.net/id/13734 will redirect to Google:

</script>
<script>
window.location.replace("http://www.google.com")
</script>
<script>
lionleaf commented 5 years ago

Nice find!

However, this is taken care of by the iframe-src CSP. It doesn't work when you view the dweet in the feed or a normal dweet view: https://www.dwitter.net/d/13734 (at least in my browser)

dweet.dwitter.net is never meant to be viewed directly, so as long as it only affects direct viewing I don't think this is a problem in practice.
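The control relied on above is the parent page's CSP restricting where an iframe may navigate (the frame-src directive): a window.location.replace() inside the framed dweet navigates the frame itself, and the browser blocks any destination the parent's policy does not list. The checker below is an added example, not dwitter's code, and the policy string, origins and simplified source matching (http/https only, host-sources without paths) are assumptions for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}   # only web schemes are modelled (assumption)

def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_matches(source: str, url: str, self_origin: str) -> bool:
    """Match one CSP source expression against a URL: 'none', 'self', *, a scheme
    (https:), or a host with optional scheme, port and leading *. wildcard."""
    source = source.lower()
    u = urlsplit(url)
    if source == "'none'":
        return False
    if source == "'self'":
        return (u.scheme, u.netloc) == urlsplit(self_origin)[:2]
    if source == "*":
        return u.scheme in DEFAULT_PORTS
    if source.endswith(":"):                         # scheme-source, e.g. "https:"
        return u.scheme == source[:-1]
    scheme, _, hostport = source.rpartition("://")   # scheme is "" when absent
    if (scheme and u.scheme != scheme) or u.scheme not in DEFAULT_PORTS:
        return False
    host, _, port = hostport.partition(":")
    effective_port = u.port or DEFAULT_PORTS[u.scheme]
    if port and port != "*" and str(effective_port) != port:
        return False
    if host.startswith("*."):                        # *.dwitter.net: subdomains only
        return (u.hostname or "").endswith(host[1:])
    return u.hostname == host

def frame_navigation_allowed(csp: str, target: str, self_origin: str) -> bool:
    """Would the parent page's policy let an iframe navigate to target? frame-src
    governs; the browser falls back to child-src, then default-src."""
    policy = parse_csp(csp)
    for directive in ("frame-src", "child-src", "default-src"):
        if directive in policy:
            return any(source_matches(s, target, self_origin) for s in policy[directive])
    return True                                      # no governing directive: allowed

# Constructed policy modelled on the thread: the feed page may only frame the dweet host.
PARENT_ORIGIN = "https://www.dwitter.net"
POLICY = "default-src 'self'; frame-src https://dweet.dwitter.net"
```

With POLICY, a frame navigating to https://dweet.dwitter.net/id/13734 is allowed while a navigation to http://www.google.com is blocked, which is the behaviour described for the feed and normal dweet views; a direct visit to dweet.dwitter.net has no such parent policy, so the redirect goes through there.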

imscary commented 5 years ago

It can still be used as free redirection hosting from an https source. It can be used in creating phishing attacks.

lionleaf commented 5 years ago

That's a fair point. It's not really a critical bug, but it's unfortunate that people can send real dwitter links that then redirect.

If there's a simple fix I'd be happy to implement it, but I'm not too worried.

imscary commented 5 years ago

There are similar attacks on the same method. It would be better if we blocked dweets that contain </script> or javascript: or </SCRIPT> or //<</. That's what I did to golf512.dx.am because I allow external resources, and it works perfectly now.

lionleaf commented 5 years ago

</script> isn't the problem here. Works just as well without it, you just need to make sure it doesn't start paused: https://dweet.dwitter.net/id/13998?autoplay=1

I'm skeptical of doing any sort of scanning of the dweet code, since javascript has so many ways to get around simple filters.