Cross-site Scripting (XSS) - Reflected in swiftyspiffy/twitch-token-generator

Valid
Reported on Jul 10th 2021

✍️ Description

An (almost) XSS exists in this repository that, if not for the WAF used on https://twitchtokengenerator.com, would have resulted in reflected XSS. Despite this, it is possible to inject HTML onto the page, making some attack scenarios possible.

🕵️‍♂️ Proof of Concept

  • Navigate to https://iplogger.org and generate an IP tracking URL.
  • Navigate to https://twitchtokengenerator.com/?error=1"><img src="YOUR_TRACKING_URL"/>
  • Notice how your IP was logged at iplogger.org.

💥 Impact

As a result of this vulnerability, HTML markup can be injected onto twitchtokengenerator.com. This is an insignificant issue due to the WAF in place, which prevents the issue from being escalated to reflected XSS or to the use of <meta> tags to redirect victims.

Side note: The source code in the repository does not mitigate the reflected XSS issue; it is the WAF set up for that specific instance that mitigates the heightened risk. This is why I have reported the vulnerability as reflected XSS, because that is what exists in the source code of https://swiftyspiffy/twitch-token-generator.

We have contacted a member of the swiftyspiffy/twitch-token-generator team and are waiting to hear back 16 days ago
16 days ago

Hi, looking into this.

16 days ago

Added html escaping to error parameter. Should be fixed now. Thanks!

swiftyspiffy/twitch-token-generator maintainer validated this vulnerability 16 days ago
Michael Rowley has been awarded the disclosure bounty
$25
The fix bounty is now up for grabs
$6.25
swiftyspiffy/twitch-token-generator maintainer confirmed that a fix has been merged on e0c209 16 days ago
The fix bounty has been dropped
$6.25
Michael Rowley (Researcher), 16 days ago

Awesome, thanks for the quick patch!