XSS via Mathematical Typesetting in jgraph/drawio
Reported on Sep 13th 2022
🔒️ Requirements
Feature: Extras > Mathematical Typesetting enabled.
User interaction: open the vulnerable page or diagram and wheel-click (middle-click) a link.
📝 Description
The Mathematical Typesetting feature allows inline content such as AsciiMath or LaTeX. With it, you can create an anchor (<a>) tag via the \href macro. By default, it allows dangerous URL schemes like javascript:, which permits XSS on click (a wheel click in the draw.io context).
🕵️‍♂️ Proof of Concept
Step 1: Enable Mathematical Typesetting.
Step 2: Copy and paste $$\href{javascript:alert()}{CLICK}$$ into the diagram.
Step 3: Wheel click on the link.
Check the Requirements section if it's not working.
🛠️ Fix suggestion
Use the ui/safe extension, which prevents several security risks such as the javascript: scheme in the href attribute.
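One way to implement the scheme allowlist that ui/safe applies, as an added example that is not draw.io's or MathJax's own code: a check on the scheme of each \href target, plus a scan that flags unsafe targets in a TeX string before it reaches the renderer. The MATHJAX_SAFE_CONFIG object shows the assumed shape of the MathJax 3 options that load the extension; the option names are taken from the MathJax 3 documentation and should be verified against the version actually bundled.

```javascript
// Added example (not draw.io's or MathJax's own code): a scheme allowlist for
// \href targets in the spirit of the MathJax ui/safe extension, plus a scan
// that flags unsafe targets in a TeX string before it reaches the renderer.

// Assumed shape of the MathJax 3 configuration that loads ui/safe; check the
// option names against the MathJax version actually bundled.
const MATHJAX_SAFE_CONFIG = {
  loader: { load: ['ui/safe'] },
  options: {
    safeOptions: {
      allow: { URLs: 'safe' },            // only the schemes listed below
      safeProtocols: { http: true, https: true, file: true, javascript: false, data: false }
    }
  }
};

// Allowlist used by the functions below (mirrors safeProtocols above).
const SAFE_PROTOCOLS = MATHJAX_SAFE_CONFIG.options.safeOptions.safeProtocols;

// Extract the URL scheme the browser would see. Browsers drop leading C0
// control characters and spaces and strip TAB, CR and LF anywhere in the URL
// before parsing, so the same normalisation is applied here; otherwise
// "java\tscript:" or " javascript:" would slip past a naive prefix check.
function hrefScheme(url) {
  const cleaned = String(url).replace(/[\t\r\n]/g, '').replace(/^[\u0000-\u0020]+/, '');
  const m = /^([a-zA-Z][a-zA-Z0-9+.\-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Return the URL unchanged when it is relative or uses an allowlisted scheme,
// otherwise null (the caller drops the link or renders the text unlinked).
function safeHref(url) {
  const scheme = hrefScheme(url);
  if (scheme === null) return url;                     // relative URL, no scheme to abuse
  return SAFE_PROTOCOLS[scheme] === true ? url : null; // unknown schemes are rejected too
}

// Scan a TeX string for \href{target}{text} and return the targets that
// safeHref rejects. Usable as a pre-render check or as a filter over diagrams
// submitted by untrusted users.
function findUnsafeHrefs(tex) {
  const unsafe = [];
  const re = /\\href\s*\{([^}]*)\}/g;
  let m;
  while ((m = re.exec(tex)) !== null) {
    if (safeHref(m[1]) === null) unsafe.push(m[1]);
  }
  return unsafe;
}

// Constructed sample: the report's payload next to a benign link.
const SAMPLE_TEX = '$$\\href{javascript:alert()}{CLICK}$$ and $$\\href{https://example.com/}{docs}$$';

console.log('unsafe \\href targets:', findUnsafeHrefs(SAMPLE_TEX));
```

Unknown schemes (mailto:, vbscript:, custom handlers) are rejected along with javascript: and data:, which is the safer default for content authored by other users; extend safeProtocols deliberately rather than falling back to a denylist.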
Impact
An attacker might use it, for example, to extract information from the user's diagram.
What domain are you testing this on? What is the CSP in the response headers for that domain?
I tested it on app.diagrams.net and viewer.diagrams.net. But I got really weird issues testing it; it must be due to CSP, you are right.
Do you want me to take time trying to exploit it with a CSP bypass, or is this enough for you?
Nothing happens on this PoC for me. What is the CSP in the response header for you?
CSP on viewer.diagrams.net:
connect-src *; img-src * data: blob:; media-src * data:; font-src * about:; style-src 'self' https://fonts.googleapis.com 'unsafe-inline'; base-uri 'none';object-src 'none';
Video:
PS: it must be a wheel click or it won't work.
Diagram: Link
The PoC doesn't work on app.diagrams.net, I probably did something weird while testing...