Stored HTML Injection in btcpayserver/btcpayserver
Jan 20th 2023
I hope you are all doing well.
*. I wanted to bring to your attention a potential vulnerability on the website https://mainnet.demo.btcpayserver.org/account/apikeys.
*. During my research, I discovered that the api key label field is vulnerable to a stored HTML injection attack.
Proof of Concept:
*. I have created a video demonstration of the vulnerability and uploaded it to my Google Drive.
*. The link for the video is provided below for your review:
*. Go to the website https://mainnet.demo.btcpayserver.org/account/apikeys
*. Click account.
*. Click manage account.
*. Then move on to the api endpoint.
*. That is https://mainnet.demo.btcpayserver.org/account/apikeys
*. Here, create api key with the label as a html payload.
*. Use the following HTML payload in the label field:
*. Generate the api key.
*. Now, click delete.
*. Check that deleting part rendered the html injection.
*. That's the issue.
*. Restrict special characters and HTML encode attributes in the input fields.
*. Use regular expressions or other techniques to detect and reject malicious input.
*. Avoid embedding user input into emails unless necessary and always HTML-encode user input before embedding it into emails.
*. Implement proper input validation and sanitization measures to prevent this type of vulnerability from occurring in the future.
*. A stored HTML injection attack occurs when an attacker injects malicious HTML code into legitimate HTML code of a web application.
*. This vulnerability can lead to various types of attacks, including open redirects, phishing attempts, and browser hijacking.
*. Additionally, an attacker can gain access to the victim's IP address, latitude and longitude, and potentially carry out a camera phishing attack.
*. Overall, a stored HTML injection vulnerability can have severe consequences and it is important to prevent and mitigate this type of attack.
Several part of the code has similar issue, we are working on fixing it
Thanks for the update. Can we assign a cve for this finding?
Yes, though it need to be mentioned that CSP prevents script injection, as such the severity is moderate.
Thanks, accepted for closure.