Hi, I've sent a report to you by email, but unfortunately got no answer (after 9 days, although here https://github.com/hoppscotch/hoppscotch/security we can see a 48-hour period).
Summary
Due to a lack of validation for fields such as the team name (Edit Team > Label), a bad actor can currently send emails with spoofed content that appear to come from Hoppscotch (because these are in fact genuine Hoppscotch emails).
Please note that many characters are allowed (@, :, <>, //, spaces, etc.), which lets a bad actor compose arbitrary sentences.
Part of the payload (an external link) is rendered in clickable form, which makes it easier for a malicious actor to achieve their goals.
Details
Repro steps:
- As a logged-in user on https://hoppscotch.io/, select your Team and edit the Team Name: set the name to the payload (provided below) and Save (note that it is accepted and saved)
- Click "Invite member" for this team and type the victim's email address or addresses
- Open the invitation email and observe the spoofed content
Note: for convenience, use your second email address or an alias for the PoC steps.
Payload example:
SWAG - visit www.evilsite.com and CELEBRATE
Vulnerable part of the code:
https://github.com/hoppscotch/hoppscotch/blob/main/packages/hoppscotch-backend/src/team-invitation/team-invitation.service.ts#L153
PoC
Result:
"A Hoppscotch User invited you to join SWAG - visit www.evilsite.com and CELEBRATE in Hoppscotch" or
"A Hoppscotch User with SWAG - visit www.evilsite.com and CELEBRATE (...)" and so on.
PoC - screenshot result:
Impact
Spoofed email content: the user sees a genuine Hoppscotch email and is therefore more exposed to malicious actions (such as visiting site xyz or downloading from xyz, even just because of a prepared endpoint). Another scenario is disinformation (loss of trust and reputation) by placing vulgar words, weird content, etc. in the email. Part of the payload (an external link) is rendered in clickable form, which makes it easier for a malicious actor to achieve their goals.
Proposed remediation: please do not allow malicious actions like this; add proper validation for these fields (sanitize/purify input data from users).
Additional information:
Content Spoofing - https://owasp.org/www-community/attacks/Content_Spoofing
CAPEC-148: Content Spoofing - https://capec.mitre.org/data/definitions/148.html
CWE-20: Improper Input Validation - https://cwe.mitre.org/data/definitions/20.html
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - https://cwe.mitre.org/data/definitions/79.html
Best regards,