Account avatar link exists XSS vulnerability too. #504

Closed
gh0stkey opened this issue Nov 18, 2017 · 1 comment

@gh0stkey
commented Nov 18, 2017

Hi, man. I hope you can learn by analogy.
You filtered the XSS vulnerability in the user center. But that's just one place.

There is an XSS vuln in the account avatar link.

I can enter the XSS payload "><svg/onload=alert(1)> at the avatar link.

My test environment

OS : MacOS 10.12.6
Browser : FireFox
Tool : BurpSuite
Date : 2017.11.18 4:20 PM

Vulnerability details

Location : /settings/avatar
When setting my avatar, I used BurpSuite to capture some HTTP request packets:
[screenshot 1]

Analysis packets

First packet info:
Method : POST
URI : /upload
Content : I uploaded the picture content

Second packet info:
Method : POST
URI : /settings/avatar
Content : JSON Requests -> {"userAvatarURL":"http://****/upload/76ba68ee6032455483c29df03fa2979e_1.png"}

When I analyzed the second packet, I understood the process of uploading the avatar.

So, I just need to test the second packet. I changed the value of the JSON parameter userAvatarURL to the XSS payload "><svg/onload=alert(1)>.

[screenshot 2]

Attack

When a person looks at my avatar, I can get their cookies.
[screenshot 3]
Come on, my good friend.
Vulnerability Reporter : vulkey(mstsec)
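Added example, not code from this project or the reporter: the issue above is a stored attribute-context XSS, because the userAvatarURL value from the JSON request is written straight into the src attribute of the avatar img tag. The block below shows a naive render beside a hardened one that allowlists the URL on input and attribute-encodes it on output. Function names, the allowed schemes and suffixes, the fallback path and the sample host are assumptions.

```python
import html
from urllib.parse import urlsplit

# Constructed sample values: a legitimate upload URL in the shape the report
# shows (host is masked in the original, so a placeholder host is used here)
# and the payload the reporter submitted in userAvatarURL.
GOOD_URL = "http://avatar.example/upload/76ba68ee6032455483c29df03fa2979e_1.png"
PAYLOAD = '"><svg/onload=alert(1)>'

ALLOWED_SCHEMES = {"http", "https"}          # assumed policy
ALLOWED_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif")


def render_avatar_img_unsafe(value: str) -> str:
    """The pattern the report exploits: raw string interpolation into an
    attribute. The payload's leading quote closes src and its '>' closes
    the tag, so the svg element becomes real markup."""
    return '<img src="%s" alt="avatar">' % value


def validate_avatar_url(value: str) -> bool:
    """Input-side allowlist for a user-supplied avatar URL: absolute http(s)
    URL with a host and an image-looking path, and no characters that can
    terminate an HTML attribute or tag (quote, angle bracket, whitespace)."""
    if not isinstance(value, str) or not value or len(value) > 512:
        return False
    if any(c in '"\'<>' or c.isspace() for c in value):
        return False
    parts = urlsplit(value)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return False
    return parts.path.lower().endswith(ALLOWED_SUFFIXES)


def render_avatar_img(value: str, fallback: str = "/images/default-avatar.png") -> str:
    """Output-side defense, independent of validation: whatever ends up in
    src is attribute-escaped, and a rejected value falls back to a default
    image rather than being echoed back."""
    src = value if validate_avatar_url(value) else fallback
    return '<img src="%s" alt="avatar">' % html.escape(src, quote=True)


if __name__ == "__main__":
    print(render_avatar_img_unsafe(PAYLOAD))   # svg element survives
    print(render_avatar_img(PAYLOAD))          # replaced by the fallback
    print(render_avatar_img(GOOD_URL))         # legitimate URL passes
```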

88250 added a commit that referenced this issue Nov 18, 2017

@88250 88250 closed this in 75e3b68 Nov 18, 2017

@88250 (Member) commented Nov 18, 2017

Thank you, I fixed it. Other XSS issues like this I think I have fixed. Please tell me if you find something else like this.

@88250 88250 self-assigned this Nov 24, 2017

@88250 88250 added the bug label Nov 24, 2017
