 

Archive for the ‘XSS’ Category

sanitize-html-react Vulnerability

21 Nov 2020

Overview

At work, we tend to test our near-complete features internally as a team to capture any bugs before they are shipped to customers. We call this process a ‘blitz’ and it has successfully caught many bugs for us that can be addressed before shipping a feature.

In this case, I was testing a sanitization library called sanitize-html-react that we had used to sanitize some user-provided input (as HTML). After testing some common payloads from the OWASP XSS Cheat Sheet, I discovered the library was flawed.

This library was selected because it was already in use in other parts of the codebase. For this reason, we believed it to be safe, as we assumed it had passed the required security checks and standards we have set in place. However, in this case, it hadn’t.

sanitize-html-react library

The sanitize-html-react library was forked from the sanitize-html library at some point in time.
However, it has no dependency on sanitize-html and therefore does not benefit from its security updates.
The sanitize-html library is actively maintained, whereas the sanitize-html-react library has not been updated for more than four years!

sanitize-html-react GitHub Repo

https://github.com/zacharystenger/sanitize-html-react

 

Proof of Concept

The discovered bug was found using the recursive XSS payload above.
The above config states we should discard all tags (as allowedTags list is empty).
In the above example, the inner <u> in <<u>u>underlined is stripped away, which forms a new <u> element, resulting in the final string <u>underlined.

The same concept can be used to render <script> tags (or any other tag).
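
The single-pass stripping flaw described above, reproduced with a constructed stripper next to a variant that strips to a fixed point and escapes what is left. This is an added example, not code from the original post or from sanitize-html-react, and all function names are hypothetical.

```javascript
// Constructed illustration of the flaw class; NOT the sanitize-html-react source.
// All function names here are hypothetical.

// Matches one complete tag-like token that contains no nested angle brackets.
const TAG_SOURCE = '<[^<>]*>';

// Flawed: removes tags in a single pass. Removing an inner tag can join the
// surrounding characters into a new tag that is never re-examined.
function stripTagsOnce(input) {
  return String(input).replace(new RegExp(TAG_SOURCE, 'g'), '');
}

// Escape characters that are significant in HTML text and attribute values.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: strip until the output stops changing, then escape any stray
// angle brackets so a leftover fragment can never be parsed as markup.
function stripTagsToFixedPoint(input) {
  let previous;
  let output = String(input);
  do {
    previous = output;
    output = output.replace(new RegExp(TAG_SOURCE, 'g'), '');
  } while (output !== previous);
  return escapeHtml(output);
}

// Regression check for a test suite: does a sanitizer's output still contain a tag?
function outputContainsTag(sanitize, payload) {
  return new RegExp(TAG_SOURCE).test(sanitize(payload));
}

const payload = '<<u>u>underlined'; // the payload quoted in the post
console.log(stripTagsOnce(payload));                             // single pass
console.log(stripTagsToFixedPoint(payload));                     // fixed point + escape
console.log(outputContainsTag(stripTagsOnce, payload));          // flawed stripper
console.log(outputContainsTag(stripTagsToFixedPoint, payload));  // hardened stripper
```

The fixed-point loop only illustrates why one pass is not enough; for real HTML, use one of the maintained sanitizers listed under Proposed Solutions.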

External Usage

Many public open-source repositories use or have used this library, potentially opening themselves up to security vulnerabilities.

Disclosure

An issue has been created on the GitHub repo here:
https://github.com/zacharystenger/sanitize-html-react/issues/3

Proposed Solutions

✅ sanitize-html

Replace package with sanitize-html (https://www.npmjs.com/package/sanitize-html)
This is a maintained, up-to-date, drop-in replacement.

✅ DOMPurify

Replace package with DOMPurify (https://www.npmjs.com/package/dompurify)
Popular and maintained XSS sanitizer.

✅ lodash.escape

Consider using Lodash escape (https://lodash.com/docs/4.17.15#escape) if you were only using sanitize-html-react in escape mode.

 
No Comments

Posted in XSS

 

BlankMediaGames/Town Of Salem XSS

03 Jan 2020

While looking on the BlankMediaGames.com website (creators of Town Of Salem), I came across an api.php file which was inside one of the folders listed in the site’s robots.txt file.

The file in question is:

Upon visiting the page we get the following output with a 200 response code:

At first I thought this was a hidden API but it turns out to be nothing more than a simple echo script. I suspected the script takes in some input as GET or POST parameters so we use a script called parameth to bruteforce the GET and POST parameters using a dictionary attack.

We run the script with the following parameters:

The argument --sizeignore allows us to ignore responses that have a particular size (in our case 19 bytes). Typically we’d use the response code to filter out default responses, but in this case the response code was always 200.

We find the following inputs:

Therefore, the two input GET parameters are hello and request. These parameters are echoed to the page without any input sanitisation, meaning the original PHP script would look something like this:

As a result, this script is vulnerable to XSS:

Output:

 

 

Timeline

01/01/2019 – Reported to BMG
03/01/2019 – Patched by BMG.

 

 

Finland MSN XSS Vulnerability

08 Sep 2014

The search bar on this page fails to encode the quotes () and, as a result, an onMouseOver event tag can be attached to the search bar, which allows an XSS attack to occur.

Finland MSN XSS Vulnerability

Code:

 

 

 

CSE.UNSW.EDU.AU XSS Vulnerability

08 Sep 2014

The staff search page does not sanitise the input of the ID field, allowing an XSS attack to be executed.

 

UNSW (CSE) XSS Vulnerability

 

Code:

 

 

 

Mashable XSS Vulnerability

08 Sep 2014

The Mashable subscription script fails to sanitise the email field and prints the invalid email on an error page.

Mashable XSS Vulnerability

 

Code:

 

 

 

ABC Mail XSS Vulnerability

08 Sep 2014

The ABC Mail subscription script fails to sanitise the email field or check that a valid email was provided. An attack can easily be executed as the unsanitized “invalid email” is printed on the produced error page.

ABC Mail XSS Vulnerability
Code:

 

 

Backlinks.com XSS Vulnerability

03 Sep 2014

The help document search form on Backlinks.com does not correctly sanitise user input, allowing an XSS attack to be executed.

The following symbols are converted to their URL-encoded counterparts: ‘<’, ‘>’, ‘/’
Evasion string used (before encoding): /><script>alert(/XSS/)</script>

 

backlinks.com XSS Vulnerability

 

 

NineMSN Flights XSS Vulnerability

10 Nov 2012

After browsing around on the NineMSN website for a little while (for about 10 minutes), I found an XSS vulnerability on a very common page. The NineMSN flights page is located here:
http://flights.ninemsn.com.au/

The page did not sanitise input from the depart and return inputs. The form was expecting a date, but any string could be provided as input to execute an XSS attack.

Here is the vulnerability:

Ninemsn Flights From  Ninemsn Flights To

 

Vulnerable Code:

 

This vulnerability has been reported and I have been added to the Microsoft Hall of Fame for October 2012.

Why not have a look around Microsoft’s websites and see if you can find one too.

 

 

iiNet.net.au XSS Vulnerabilities

06 Oct 2012

iiNet, a major ISP in Australia, seems to be a little less secure than they claim they are. After merely searching for XSS vulnerabilities on their website for 5 minutes, I had found these two vulnerabilities. Two non-persistent vulnerabilities, one surprisingly located in iiNet’s main search page.

Here is the main search page vulnerability:

iiNet Search Page XSS

Code:

 

This is another vulnerability on the iiNet Freezone main page:

iiNet Freezone XSS vulnerability

Code:

 

I have reported the above vulnerabilities to iiNet and have gotten no response. Hopefully they will fix the vulnerabilities in the near future.

 