
CORS endpoint echoes unsafe JSON / Potential XSS

Open ebenoist opened this issue 5 years ago • 0 comments

The /cors endpoint, as currently configured, echoes any params passed to the /attachinary/cors endpoint. This means that unscrupulous users can use this endpoint to trick JavaScript code into thinking that the content coming back is from a safe endpoint.

Example

Let's say I have a route in my SPA that looks like this:

https://mysite.com/products/my-great-product

An unscrupulous user can trick someone into clicking on a link that looks like this:

https://mysite.com/products/../../attachinary/cors?title="<script>alert('foo')</script>"

If my JavaScript code interprets everything after the products/ as the slug for my application, I may naively make a call with that value:

fetch("https://mysite.com/api/products/" + slug)

Which will resolve to https://mysite.com/attachinary/cors?description="<script>alert('foo')</script>" and return whatever was in the params.

{
  "description": "<script>alert('foo')</script>"
}

Now if my application, receiving that data, renders it into the document without first scrubbing, the result will be a successful XSS attack. It's not unreasonable to think that my application should be returning HTML-safe strings, but the combination of the path traversal hack and the /attachinary/cors endpoint blindly echoing input creates an easy vector for XSS.

Is there a reason the cors endpoint should be echoing back params that should be considered unsafe?

ebenoist avatar Apr 20 '20 20:04 ebenoist
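A defender-side illustration of the two response shapes this issue contrasts, added here as an example; it is not code from attachinary or from the issue author. The endpoint echo is reduced to a plain function over a params hash, the allowlisted parameter names in ALLOWED_PARAMS are assumptions, and the request params are constructed from the issue's own payload:

```ruby
require 'json'
require 'erb'

# Vulnerable shape (the behaviour the issue describes): every query param is
# serialised straight back to the caller as JSON, so whatever a crafted link
# put in the query string comes back in the response body unchanged.
def echo_params(params)
  JSON.generate(params)
end

# Hypothetical allowlist of the only keys the endpoint has any reason to
# return; replace with the names your upload flow actually needs.
ALLOWED_PARAMS = %w[public_id version].freeze

# Hardened shape: unknown keys are dropped, surviving values are HTML-escaped
# (defence in depth for a client that later injects the JSON into the DOM
# without escaping), and the response carries an explicit JSON content type
# plus nosniff so a browser navigated to the URL directly never treats the
# body as HTML. Returns [status, headers, body] in Rack order.
def cors_response(params)
  body = params.select { |k, _| ALLOWED_PARAMS.include?(k) }
               .transform_values { |v| ERB::Util.html_escape(v.to_s) }
  [200,
   { 'Content-Type' => 'application/json; charset=utf-8',
     'X-Content-Type-Options' => 'nosniff' },
   JSON.generate(body)]
end

# Constructed request params modelled on the issue's example link: one key the
# endpoint never asked for, carrying markup, plus one expected key with a stray
# angle bracket.
PAYLOAD = { 'description' => "<script>alert('foo')</script>",
            'public_id'   => 'a<b' }.freeze

if __FILE__ == $0
  puts "echo:     #{echo_params(PAYLOAD)}"
  status, headers, body = cors_response(PAYLOAD)
  puts "hardened: #{status} #{headers.inspect}"
  puts "          #{body}"
end
```

The allowlist does most of the work here: a `description` param that the endpoint never needed simply never reaches the response, so there is nothing to escape. The escaping and the `nosniff` header are belt-and-braces for the case where a client still takes the JSON value and writes it into the page as HTML.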