Description
Vulnerability Details
Type: Stored Cross-Site Scripting (XSS)
Location: Third Party Analytics Settings
Description:
The application allows sellers to configure third-party analytics snippets (e.g., for tracking) via the settings page (/settings/analytics). The code responsible for saving these snippets (Settings::ThirdPartyAnalyticsController#update and ThirdPartyAnalytic.save_third_party_analytics) does not sanitize the code parameter provided by the user.
This unsanitized code is stored in the analytics_code field of the ThirdPartyAnalytic model.
Later, when pages including these analytics are rendered (e.g., product pages, receipt pages), the ThirdPartyAnalyticsController#index action fetches this stored code and includes it in the @third_party_analytics variable. This variable is then rendered directly into the HTML using the raw helper in the /app/app/views/third_party_analytics/index.html.erb view (<%= raw @third_party_analytics %>).
Flow:
- A seller navigates to /settings/analytics.
- The seller adds or edits an analytics snippet, providing malicious JavaScript in the 'code' field (e.g., <script>alert('XSS')</script>).
- The request is sent to Settings::ThirdPartyAnalyticsController#update.
- The controller permits the code parameter (params[:user][:snippets][][:code]).
- ThirdPartyAnalytic.save_third_party_analytics saves the malicious code to the database without sanitization.
- Another user (or the seller themselves) visits a page (e.g., a product page) where this analytics snippet is configured to load.
- ThirdPartyAnalyticsController#index fetches the malicious code.
- /app/app/views/third_party_analytics/index.html.erb renders the code using raw, executing the JavaScript in the victim's browser.
Impact:
An attacker (seller) can inject arbitrary JavaScript code that executes in the browser of users visiting pages associated with the seller's products or account. This can lead to session hijacking, data theft, phishing, or performing actions on behalf of the victim user.
Affected Files:
- /app/app/controllers/settings/third_party_analytics_controller.rb (Source - Parameter Permitting)
- /app/app/models/third_party_analytic.rb (Data Storage - Lack of Validation/Sanitization)
- /app/app/controllers/third_party_analytics_controller.rb (Data Retrieval)
- /app/app/views/third_party_analytics/index.html.erb (Sink - raw helper)
Recommendation:
Implement strict sanitization on the analytics_code field before saving it to the database. Use a library specifically designed for sanitizing HTML and script content, allowing only safe tags and attributes. Alternatively, consider rendering the analytics code within a sandboxed iframe if possible, although server-side sanitization is generally preferred.
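As an added illustration of the sink and of the sandboxed-iframe option above (example code, not the project's or the reporter's), this plain-Ruby script uses the stdlib ERB to stand in for the view: Rails' raw helper is simulated by unescaped ERB interpolation, Rails' default escaping by ERB::Util.html_escape, and the iframe option by a srcdoc frame; the stored value is the report's own example payload.

```ruby
require "erb"

# Constructed sample: the report's example payload, standing in for a stored
# ThirdPartyAnalytic#analytics_code value that was saved without sanitization.
STORED_SNIPPET = "<script>alert('XSS')</script>"

# Vulnerable sink, modelled on `<%= raw @third_party_analytics %>`.
# Plain ERB interpolation does not escape, so the stored markup is emitted
# as-is and the browser executes it in the host page's origin.
def render_raw(snippet)
  ERB.new(%(<div id="analytics"><%= snippet %></div>)).result(binding)
end

# What Rails' default `<%= %>` would do: HTML-escape the value. This neuters
# the script, but it also turns legitimate analytics tags into inert text,
# which is why the view used raw in the first place.
def render_escaped(snippet)
  ERB.new(%(<div id="analytics"><%= ERB::Util.html_escape(snippet) %></div>)).result(binding)
end

# Sandboxed-iframe option from the recommendation: the snippet becomes the
# srcdoc of a frame with sandbox="allow-scripts" and no allow-same-origin.
# The snippet is attribute-escaped so it cannot break out of the quotes, and
# any script it contains runs in an opaque origin with no access to the host
# page's DOM, cookies or storage. Analytics code that needs page context
# (URL, product id) must receive it explicitly, e.g. via postMessage.
def render_sandboxed(snippet)
  srcdoc = ERB::Util.html_escape(snippet)
  %(<iframe sandbox="allow-scripts" srcdoc="#{srcdoc}"></iframe>)
end

# Defender-side check usable in a view test or a migration audit: the host
# document must not contain the stored markup unescaped.
def leaks_markup?(html, snippet)
  html.include?(snippet)
end

if $PROGRAM_NAME == __FILE__
  [:render_raw, :render_escaped, :render_sandboxed].each do |sink|
    out = send(sink, STORED_SNIPPET)
    puts "#{sink}: leaks=#{leaks_markup?(out, STORED_SNIPPET)}"
    puts "  #{out}"
  end
end
```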