New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

XSS Vulnerability #6

MoD01 opened this Issue Dec 17, 2016 · 0 comments


None yet
2 participants

MoD01 commented Dec 17, 2016

It is possible to inject Java Script Code into the user chat. The code is persisted in the chat log and will be executed each time you or the chat partner opens the chat (Stored Cross Site Scripting).

How to reproduce:

  • Register for a dateprog account and log in.
  • Click at one of the names of an user at the dashbaord
  • Click Open Chat
  • Now type, e.g. <script>alert('You got XSSed');</script>
    • This results in Java Script code execution at your browser and your chat partners browser each time the chat window is opened

What is the problem:


body = body.gsub(/(?:f|ht)tps?:\/[^\s]+/, t("link_removed")).gsub(/<script.*?>[\s\S]*<\/script>/i, "").gsub(/<("[^"]*"|'[^']*'|[^'">])*>/, "")

But this is never applied to the message body (params[:message][:body]) itself!


failure / vulnerability :

  • A users' browser executes the unfiltered code in the message.

How to patch this vulnerability:

params[:message][:body] = body

This will correctly pass the filtered text to the Message object.

As a second step, to protect the users against future XSS vectors in your web application, you can use output escaping. With the escapeHTML() speacial HTML characters like &, ", <, and > will be replaced by its HTML representation &amp;, &quot;, &lt;, and &gt; which will not be interpreted.

Vulnerability found by:

emirn added a commit that referenced this issue Dec 22, 2016

Update messages_controller.rb
refs #6 fixing XSS vulnerability thanks to @stweigand and @MoD01 !!

@emirn emirn closed this Jan 2, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment