Firefox XSS when redirecting to untrusted URL in nuxt/framework
Reported on
Aug 26th 2022
Description
When redirecting server-side using navigateTo with untrusted user data and with `external` set to true, XSS can be triggered on Firefox (probably on other browsers too). This is because h3 expects JSON.stringify to sanitize HTML, and Nuxt 3 assumes the same by relying on h3's sendRedirect function.
Proof of Concept
<template>
  <div>
    XSS
  </div>
</template>
<script setup lang="ts">
const r = useRoute();
if (r.query.x) {
  navigateTo(r.query.x as string, { external: true })
}
</script>
Navigate to http://localhost:3000/?x=wss://a?"><script>alert(1)</script>
Issue
The root of the issue can be found within h3's sendRedirect, which Nuxt's navigateTo relies on for server-side redirects.
Impact
Access to sensitive data, especially for non-static sites.
The impact of XSS can vary depending on the features available on the website.
Hi and thanks for reporting the issue. I've reviewed it, and it is affecting only nuxt-edge (non-released version), and the reproduction seems only effective on Firefox browsers, which render the page alongside redirecting.
For context, this issue appeared with a new h3 feature that was implemented in Nuxt 3:
- https://github.com/unjs/h3/commit/606de3bb3abeacc44debc164d23677853066a4e0 (affecting h3@0.7.13, 0.7.14, 0.7.15, 0.7.16)
- https://github.com/nuxt/framework/pull/5022 (affecting only edge release channel)
The issue is resolved with h3 0.7.17 by ensuring the URL is always encoded before passing it to stringify (https://github.com/unjs/h3/commit/01476acb98a248d36544573febb562d2cd5fee09).
There might be other XSS vulnerabilities. If you discover more, please report them directly to unjs/h3 instead, and cheers!
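The following is an added example, not h3's or Nuxt's actual source. It reconstructs the pattern the Description and the maintainer's fix note both describe: a redirect response whose HTML body embeds the target location, first with JSON.stringify alone (the vulnerable shape) and then with the location URL-encoded before stringify (the fixed shape), plus a small check a reviewer can run over the generated body. The template string, function names and the minimal response object are assumptions; the payload is the one from the report's proof of concept.

```javascript
// Added example (not h3's or Nuxt's code): reconstruction of the redirect-body
// pattern described in the report. Template shell and names are assumptions.

const TEMPLATE_PREFIX =
  '<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0; url=';
const TEMPLATE_SUFFIX = '"></head></html>';

// Vulnerable shape: the location goes into the HTML body after JSON.stringify only.
// JSON.stringify escapes a double quote as \" but leaves < and > untouched, so a
// location containing "><script> closes the <meta> tag and adds a script element.
// A browser that renders the body while redirecting (Firefox, per the report)
// executes it.
function renderRedirectBodyUnsafe(location) {
  return TEMPLATE_PREFIX + JSON.stringify(location) + TEMPLATE_SUFFIX;
}

// Fixed shape: URL-encode first. encodeURI turns " < > (and whitespace) into
// percent escapes, so no HTML-significant character survives into the body.
function renderRedirectBodySafe(location) {
  return TEMPLATE_PREFIX + JSON.stringify(encodeURI(location)) + TEMPLATE_SUFFIX;
}

// Defender's check: strip the fixed template shell and confirm the remaining
// JSON string literal carries no raw HTML metacharacters. Returns true when the
// body would be parsed by an HTML parser as something other than one <meta> tag.
function bodyLeaksMarkup(html) {
  if (!html.startsWith(TEMPLATE_PREFIX) || !html.endsWith(TEMPLATE_SUFFIX)) {
    return true; // the shell itself was broken or altered
  }
  const literal = html.slice(TEMPLATE_PREFIX.length, html.length - TEMPLATE_SUFFIX.length);
  const inner = literal.slice(1, -1); // drop the JSON quotes around the string
  return /[<>"]/.test(inner);
}

// Minimal stand-in for a server redirect helper (assumed shape, not h3's API):
// the Location header still carries the location as given, because that is
// what browsers follow; only the HTML fallback body is hardened here.
function sendRedirect(location, statusCode = 302) {
  return {
    statusCode,
    headers: { location, 'content-type': 'text/html' },
    body: renderRedirectBodySafe(location),
  };
}

// Constructed input: the payload from the proof of concept above.
const SAMPLE_PAYLOAD = 'wss://a?"><script>alert(1)</script>';

console.log('unsafe body leaks markup:', bodyLeaksMarkup(renderRedirectBodyUnsafe(SAMPLE_PAYLOAD)));
console.log('safe body leaks markup:  ', bodyLeaksMarkup(sendRedirect(SAMPLE_PAYLOAD).body));
```

One caveat on the fixed shape: encodeURI also encodes `%`, so applying it to a location that is already percent-encoded double-encodes it. The example therefore only encodes the copy that lands in the HTML body and leaves the Location header as given; whatever validation the application applies to the redirect target (for instance an allow-list of external hosts) still belongs before either of these helpers is called.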