Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Self Cross Site Scripting (XSS) via Word History #1348

Closed
tcbutler320 opened this issue May 4, 2021 · 2 comments
Closed

Self Cross Site Scripting (XSS) via Word History #1348

tcbutler320 opened this issue May 4, 2021 · 2 comments
Labels
bug Something isn't working

Comments

@tcbutler320
Copy link
Contributor

tcbutler320 commented May 4, 2021

xss-proof

Overview

XSS Injection via typing challenge input reflected back in "Word History"

Description

User input is interpreted by the browser unsanitized when entered into the typing challenge. Once the challenge is over and the user opens the "word history" tab, hovering over the mispelled words will cause the browser to interpret the payload as valid injected code. Under current limitations significant code execution cannot be caused due to character limit, however more research should be done to prove impact. This occurs in default settings.

Impact

The impact of the XSS is low/none. At current, only basic injection is possible due to character limitations. The injection is also only client side, and does not seem to be exploitable outside of the local context.

Reproduce.

For a XSS payload, just start typing this "><svg/onclick=alert1`>

  1. Start a new typing challenge
  2. Spell the first word correctly, then immediately after the first word and with no spaces after, terminate the string with ">
  3. Enter payload
  4. Once the timer is complete, select the option to view word history
  5. Hover over the misspelled word, and the payload will execute

Expected behavior

The application should strip out special characters from this field, especially since the typing test does not require any.

Screenshots

Inject Payload

Screen Shot 2021-05-04 at 9 10 35 AM

Payload Being Interpreted On Click

xss-proof

HTML Payload

xss

This should effect all client's using the application, but below is my setup

  • OS: [MacOs]
  • Browser [Chrome]
  • Version [90.0.4430.93 (Official Build) (x86_64]

Remediation

In the screenshot below you can see the user input shows up in the input field of the word error div. Special characters here should be escaped.

Screen Shot 2021-05-04 at 9 17 12 AM

I'll dig into the source code and see where I can help on thisa

@tcbutler320 tcbutler320 added the bug Something isn't working label May 4, 2021
@Miodec
Copy link
Member

Miodec commented May 4, 2021

Not really XSS because this can't be injected by a different website / instance. Word input history is local and local only, and is not sent to the server either.

So, not as dangerous as it sounds but yeah, should be escaped either way.

@tcbutler320
Copy link
Contributor Author

tcbutler320 commented May 4, 2021

Not really XSS because this can't be injected by a different website / instance. Word input history is local and local only, and is not sent to the server either.

So, not as dangerous as it sounds but yeah, should be escaped either way.

Agree this is definitely not a security issue. I was able to get code execution tho using a svg/onclick payload, so this is XSS but there is no impact

@tcbutler320 tcbutler320 changed the title Stored Cross Site Scripting (XSS) via Word History HTML Injection via Word History May 4, 2021
@tcbutler320 tcbutler320 changed the title HTML Injection via Word History Cross Site Scripting (XSS) via Word History May 4, 2021
@Miodec Miodec closed this as completed in ed8e34a May 9, 2021
@tcbutler320 tcbutler320 changed the title Cross Site Scripting (XSS) via Word History Self Cross Site Scripting (XSS) via Word History May 27, 2021
@tcbutler320 tcbutler320 mentioned this issue Jun 4, 2021
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

2 participants