
Stored Cross-Site Scripting (XSS) via Tribe Chat #1476

Closed
tcbutler320 opened this issue May 27, 2021 · 1 comment
Labels
bug Something isn't working tribe Tribe (multiplayer) issues

Comments

@tcbutler320
Contributor

tcbutler320 commented May 27, 2021

Describe the bug

The MonkeyType Tribe chat at https://dev.monkeytype.com/tribe is vulnerable to stored cross-site scripting (XSS) through user comments and the user name. To inject XSS payloads, malicious users can enter a non-XSS string in the chat field and send it to the web server, then capture the web socket traffic and modify the input to an XSS payload. The same method can be used to inject XSS through the username field.

[Screenshot: tribe_stored_xss]

Did it happen in incognito mode? No 😉

To Reproduce

I used an onclick event payload to demonstrate capabilities, but of course other payloads can be used.

  • Configure BurpSuite to intercept browser traffic
  • Navigate to https://dev.monkeytype.com/tribe
  • Click on "create room"
  • Turn on BurpSuite proxy interception
  • Enter a new chat string
  • Intercept the web socket traffic, and change the chat string to an XSS payload, example below.
  • Stop intercepting traffic, browse the chat room. The payload will execute. In this example, the payload will execute onclick

[Screenshot: tribe_stored_xss_burp]

[Screenshot: tribe_xss_sm]

Expected behavior
Tribe chat should implement output encoding to ensure that payloads injected through raw socket intercepts are not interpreted by client browsers.

Screenshots
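The fix the report asks for is output encoding at render time. The following is an added illustration, not MonkeyType's own code: because the report shows the socket payload being edited in transit, any check done in the sending client is bypassable, so the receiving client must treat both the username and the message as untrusted text and never hand them to the HTML parser. The function names, the `chat-line` markup and the sample message are assumptions made up for this example.

```javascript
// Added example (not MonkeyType's code): HTML-encode untrusted chat data at
// render time. The socket payload is attacker-controlled (the report shows it
// being edited in a proxy), so the browser must never interpret the message or
// username as markup.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pure function producing the HTML for one chat line. Both fields arrive over
// the socket and are treated as untrusted. (Markup/class names are assumed.)
function renderChatLine({ name, message }) {
  return (
    `<div class="chat-line"><span class="chat-name">${escapeHtml(name)}</span>: ` +
    `<span class="chat-message">${escapeHtml(message)}</span></div>`
  );
}

// DOM variant: assigning textContent never parses markup, so no manual escaping
// is needed at all. Only meaningful in a browser; returns null elsewhere.
function appendChatLine(container, { name, message }) {
  if (typeof document === "undefined") return null;
  const line = document.createElement("div");
  line.className = "chat-line";
  const nameEl = document.createElement("span");
  nameEl.className = "chat-name";
  nameEl.textContent = name; // rendered literally, never as HTML
  const msgEl = document.createElement("span");
  msgEl.className = "chat-message";
  msgEl.textContent = message;
  line.append(nameEl, ": ", msgEl);
  container.appendChild(line);
  return line;
}

// Constructed sample of a tampered socket message (not a real capture): the
// body carries an element with an inline event handler, as in the report.
const sampleTamperedMessage = {
  name: "user<script>",
  message: '<b onclick="handler()">hello</b>',
};

// Returns the encoded HTML so the result can be inspected or asserted on.
function demo() {
  return renderChatLine(sampleTamperedMessage);
}
```

Whichever variant is used, the point is that encoding happens where the data meets the DOM, not where it is typed: a message that was harmless when sent can still be hostile when it arrives.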

@tcbutler320 tcbutler320 added the bug Something isn't working label May 27, 2021
@Miodec Miodec added the tribe Tribe (multiplayer) issues label May 27, 2021
@Miodec
Member

Miodec commented May 27, 2021

Fixed

@Miodec Miodec closed this as completed May 27, 2021
@tcbutler320 tcbutler320 mentioned this issue Jun 4, 2021
3 tasks