Cross-site Scripting (XSS) - Reflected in swiftyspiffy/twitch-token-generator

Valid

Reported on

Jul 10th 2021


✍️ Description

An (almost) XSS exists in this repository that, if not for the WAF used on https://twitchtokengenerator.com, would have resulted in reflected XSS. Despite this, it is possible to inject HTML onto the page, making some attack scenarios possible.

🕵️‍♂️ Proof of Concept

  • Navigate to https://iplogger.org and generate an IP tracking URL.
  • Navigate to https://twitchtokengenerator.com/?error=1"><img src="YOUR_TRACKING_URL"/>
  • Notice how your IP was logged at iplogger.org.

💥 Impact

As a result of this vulnerability, HTML markup can be injected onto twitchtokengenerator.com; this is an insignificant issue due to the WAF in place that prevents this issue from being escalated to reflected XSS or the use of <meta> tags to redirect victims.

Sidenote: The source code in the repository does not mitigate the reflected XSS issue; it is the WAF setup for that specific instance that mitigates the heightened risk. This is why I have reported the vulnerability as reflected XSS, because that is what exists in the source code of https://swiftyspiffy/twitch-token-generator.
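
The source-level mitigation the sidenote says is missing, as an added example (not code from the twitch-token-generator repository): the template markup and all function names are assumptions, and the payload is the one from the proof of concept. It renders the `error` value with and without HTML escaping, then parses the output to see whether the reflected value created any element.

```python
import html
from html.parser import HTMLParser

# Constructed stand-in for a page that reflects ?error= into an attribute value.
# The real template is not shown in the report; this markup is an assumption.
TEMPLATE = '<div class="alert" data-error="{error}">Error code: {error}</div>'

# Payload shape from the report's proof of concept (placeholder URL kept as-is).
POC = '1"><img src="YOUR_TRACKING_URL"/>'


def render_unescaped(error: str) -> str:
    """'Before' behaviour: the parameter is reflected verbatim."""
    return TEMPLATE.format(error=error)


def render_escaped(error: str) -> str:
    """'After' behaviour: HTML-escape, quotes included, before reflecting."""
    return TEMPLATE.format(error=html.escape(error, quote=True))


class TagCollector(HTMLParser):
    """Records every element start tag the HTML parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_tags(markup: str):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def injected_tags(markup: str):
    """Elements other than the template's single <div>."""
    return [t for t in parsed_tags(markup) if t[0] != "div"]


if __name__ == "__main__":
    print("unescaped:", injected_tags(render_unescaped(POC)))
    print("escaped:  ", injected_tags(render_escaped(POC)))
```

A check like `injected_tags` can sit in a regression test so the escaping is verified in the application itself, independent of whatever WAF fronts a given deployment.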


We have contacted a member of the swiftyspiffy/twitch-token-generator team and are waiting to hear back a year ago
a year ago

Hi, looking into this.

a year ago

Added html escaping to error parameter. Should be fixed now. Thanks!

swiftyspiffy/twitch-token-generator maintainer validated this vulnerability a year ago
Michael Rowley has been awarded the disclosure bounty
The fix bounty is now up for grabs
swiftyspiffy/twitch-token-generator maintainer marked this as fixed with commit e0c209 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Michael Rowley
a year ago

Researcher


Awesome, thanks for the quick patch!
