Closed Jaquiez closed 1 year ago
Currently looking into this issue. Thank you for opening this.
Please explain how the advertiser app works. I tried to make an ad but then it just disappeared.
This issue has had 60 days of inactivity & will close within 7 days
Summary
Stored XSS is possible by taking advantage of the concatenation of the first name and last name fields in the Twitter app and other qb-phone applications.
Reproduction
Stored XSS On Twitter (Short Form)
1.) On character creation, create a character with first name
<img src='
and last name
'onerror=alert(1)>
2.) Open Twitter and make a post containing anything.
3.) Stored XSS is achieved.
4.) Rejoin the server and open the phone/Twitter app. An alert popup should appear and halt JavaScript execution.
The JavaScript payload is limited in length and therefore cannot be used for very much beyond halting normal gameplay for users.
Stored XSS On Advertisement (Long Form)
1.) On character creation, create a character with first name
<img src='
and last name
'onerror='/*
2.) Open the advertisement app and create an advertisement whose text is
*/[js payload here]'>
3.) JavaScript should execute immediately.
4.) Rejoin the game and open the advertisement app to show that the XSS is stored.
The JavaScript payload can be much longer here and can therefore be used more maliciously, such as for exfiltrating user data.
Expected behavior
Possible Remediation
HTML-encode and/or sanitize user names and character names when loading them into the various applications on the qb-phone to ensure XSS attempts are mitigated.
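As an added example (not qb-phone's own code), the following JavaScript shows the vulnerable pattern the report describes, names concatenated straight into an HTML string, beside a hardened version that HTML-encodes every untrusted field before it is placed in NUI markup. The function names, the `tweet` object shape and the name-validation regex are assumptions for illustration; the sample record reuses the split payload from the report to show that, once encoded, the two halves can no longer join into a tag.

```javascript
// Added example (not from the qb-phone project): HTML-encode untrusted
// character names before they are concatenated into phone app markup.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '/': '&#x2F;',
};

// Encode the characters that can change HTML structure or break out of
// an attribute. Null/undefined become the empty string.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// The vulnerable pattern from the report: first name, last name and message
// are interpolated raw into a string that is later assigned to innerHTML.
// Because all three land in the same HTML context, a tag split across the
// name fields is reassembled by the concatenation.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet"><span class="name">${tweet.firstname} ${tweet.lastname}</span>: ${tweet.message}</div>`;
}

// Hardened form: every untrusted field is encoded individually, so the
// characters `<`, `>`, `'` and `"` are rendered as literal text. The same
// helper covers the advertisement body, which the report shows can carry
// the long-form payload.
function renderTweetSafe(tweet) {
  return `<div class="tweet"><span class="name">${escapeHtml(tweet.firstname)} ${escapeHtml(tweet.lastname)}</span>: ${escapeHtml(tweet.message)}</div>`;
}

// Defence in depth (assumed policy, not the project's): reject names at
// creation time that contain characters a display name never needs, so the
// stored record cannot hold markup even if some renderer forgets to encode.
const NAME_RE = /^[A-Za-z][A-Za-z' -]{0,31}$/;
function isValidName(name) {
  return NAME_RE.test(String(name ?? ''));
}

// Constructed sample record using the report's split payload.
const sampleTweet = {
  firstname: "<img src='",
  lastname: "'onerror=alert(1)>",
  message: 'hello',
};

console.log('unsafe:', renderTweetUnsafe(sampleTweet)); // contains an <img> tag
console.log('safe:  ', renderTweetSafe(sampleTweet));   // contains only encoded text
console.log('valid name?', isValidName(sampleTweet.firstname)); // false
```

Where the NUI code builds elements in the DOM directly, assigning the name to `textContent` instead of concatenating into `innerHTML` achieves the same result without a manual encoder; the validation step is still worth keeping on the server side because the stored value is shared by every app that displays it.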
Actual behavior
Users can execute unauthorized JavaScript by abusing the concatenation of first name and last name in various applications on the qb-phone.
Additional context
No response
Last Updated
Latest Version
Custom Resources
default qbcore configuration
Resource Rename
N/A