Stored XSS Bypass While Adding a New Comment in answerdev/answer
Valid
Reported on Feb 8th 2023
Description
Stored XSS bypass in the add comments function: if you try to inject an XSS payload like `<img src=x onerror=alert(1)>` that won't work, so I found a bypass that is able to bypass Cloudflare with the following payload, `<img only=1 src=x onerror=alert()>` or `<img xthemo=1 src=x onerror=alert(1)>`, then press Enter to add a newline and click "add comment".
```go
func (cc *CommentController) AddComment(ctx *gin.Context) {
	req := &schema.AddCommentReq{}
	// Bind and validate the request body (field presence/format only).
	if handler.BindAndCheck(ctx, req) {
		return
	}
	req.UserID = middleware.GetLoginUserIDFromContext(ctx)
	// Permission checks: can the user add/edit/delete comments?
	canList, err := cc.rankService.CheckOperationPermissions(ctx, req.UserID, []string{
		permission.CommentAdd,
		permission.CommentEdit,
		permission.CommentDelete,
	})
	if err != nil {
		handler.HandleResponse(ctx, err, nil)
		return
	}
	req.CanAdd = canList[0]
	req.CanEdit = canList[1]
	req.CanDelete = canList[2]
	if !req.CanAdd {
		handler.HandleResponse(ctx, errors.Forbidden(reason.RankFailToMeetTheCondition), nil)
		return
	}
	// The comment content is passed through to the service as received.
	resp, err := cc.commentService.AddComment(ctx, req)
	handler.HandleResponse(ctx, err, resp)
}
```
As you can see, there is no check on user input that
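The following Go example is added here to illustrate the defensive side of this report; it is not code from answerdev/answer and not the researcher's proof of concept. It models a brittle pattern-based blocklist as a hypothetical `naiveBlocked` function (an assumption about why the plain `<img src=x onerror=...>` payload was stopped while the attribute-reordered variants from the report got through), then shows two approaches that do not depend on attribute order: a detector that flags any `on*` event-handler attribute wherever it appears inside a tag, and plain HTML escaping of the comment text, which is the safest default when comments are not meant to carry markup. The three sample payloads are the ones quoted in the report; the additional benign inputs are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"html"
	"regexp"
)

// Sample inputs: the first three are the payloads quoted in the report,
// the rest are constructed benign comments for comparison.
var samplePayloads = []string{
	`<img src=x onerror=alert(1)>`,
	`<img only=1 src=x onerror=alert()>`,
	`<img xthemo=1 src=x onerror=alert(1)>`,
}

var benignComments = []string{
	`Thanks, that fixed it!`,
	`<b>bold</b> text with <a href="https://example.invalid/">a link</a>`,
	"first line\nsecond line",
}

// naivePattern is a HYPOTHETICAL model of a blocklist rule that expects the
// src attribute to directly follow "<img". Any extra attribute placed before
// src (as in the report's bypass payloads) breaks the match.
var naivePattern = regexp.MustCompile(`(?i)<img\s+src\s*=\s*\S+\s+onerror`)

func naiveBlocked(comment string) bool {
	return naivePattern.MatchString(comment)
}

// tagPattern captures each tag name and its raw attribute string; [^>]*
// also spans newlines, so a payload split across lines is still one tag.
var tagPattern = regexp.MustCompile(`<\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>`)

// attrNamePattern matches an attribute whose name starts with "on" followed
// by letters (onerror, onload, onclick, ...) in any position of the tag.
var attrNamePattern = regexp.MustCompile(`(?i)(^|\s)(on[a-z]+)\s*=`)

// hasEventHandler reports whether any tag in the comment carries an
// inline event-handler attribute, regardless of attribute order.
func hasEventHandler(comment string) bool {
	for _, m := range tagPattern.FindAllStringSubmatch(comment, -1) {
		if attrNamePattern.MatchString(m[2]) {
			return true
		}
	}
	return false
}

// sanitizeComment escapes <, >, &, ' and " so the browser renders the text
// literally; no tag survives, so no attribute-ordering trick matters.
func sanitizeComment(comment string) string {
	return html.EscapeString(comment)
}

func main() {
	for _, p := range samplePayloads {
		fmt.Printf("payload %q\n  naive blocklist: %v\n  handler detector: %v\n  escaped: %s\n",
			p, naiveBlocked(p), hasEventHandler(p), sanitizeComment(p))
	}
	for _, c := range benignComments {
		fmt.Printf("benign %q -> handler detector: %v\n", c, hasEventHandler(c))
	}
}
```

The point the output makes: the naive rule stops only the first payload, while the attribute-agnostic detector flags all three and none of the benign comments. Escaping is the simplest fix for a plain-text comment field; if the project wants to allow a markup subset, the same "inspect every attribute of every tag" principle applies, via a proper HTML sanitizer rather than a regex.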
Proof of Concept
https://drive.google.com/file/d/1J2n8JwloSG6Tr-5SRgFIa1AK8swNry6e/view?usp=sharing
Impact
Steal users' cookies and accounts
We are processing your report and will contact the answerdev/answer team within 24 hours. (a month ago)
We have contacted a member of the answerdev/answer team and are waiting to hear back. (a month ago)