CyberChef
Bug report: CyberChef XSS Vulnerability
Describe the bug: Here's a post about the bug. https://blog.p6.is/writeups-for-hayyim-security-ctf-2022/
To Reproduce: Go to the link below
https://gchq.github.io/CyberChef/#recipe=JPath_expression('$..%5B?((%7B__proto__:%5B%5D.constructor%7D).constructor(%22self.postMessage(%7Baction:%5C'bakeComplete%5C',data:%7BbakeId:1,dish:%7Btype:1,value:%5C'%5C'%7D,duration:1,error:false,id:undefined,inputNum:2,progress:1,result:%5C'%3Ciframe/onload%3Dalert(1337)%3E%5C',type:%20%5C'html%5C'%7D%7D);%22)();)%5D','%5C%5Cn')&input=W3t9XQ
Then you can see 1337 pops up.
Expected behaviour: No bug.
Screenshots
Desktop (if relevant, please complete the following information):
- OS: Linux x86_64
- Browser: Any browser.
- CyberChef version: latest (v9.32.3)
Additional context: Nothing.
Any update / fix on this? Timeline for a patch?
From what I can see, the way to prevent this bug is to stop the callee.apply(); call from happening (which is where the JS execution occurs). This call only occurs when this code (or this code) has been run. It would be easiest to do this by modifying the jsonpath library, but that would harm compatibility with any future versions and could cause copyright conflicts. Another option is to switch libraries (which I haven't explored), so I opted to match a regular expression against the query being passed and prohibit script-based expressions whilst allowing them in context (quotes).
For anyone else looking at patching this, the call stack of bakeComplete used in this exploit should lead to this call in jsonpath.
@po6ix Since you seem to have some experience in JSON Path expressions could you look over my pull request and let me know if you see any way to bypass it? The main code can be tested independently here (JSFiddle).
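As an added illustration of the "reject script expressions unless they sit inside quotes" approach described above (example code, not the pull request's or CyberChef's own), the check below scans a JSONPath query with a tiny string-aware tokenizer instead of a single regex; the sample query is constructed here with the PoC's structure but an inert payload.

```javascript
// Added example, not CyberChef code. Returns true when the query contains a
// `(` outside of a quoted string literal, i.e. a `[?( ... )]` filter or a
// `[( ... )]` script expression, which the old jsonpath library evaluates
// as JavaScript. Parentheses inside quoted keys such as $['a (b)'] are fine.
function hasUnquotedParenthesis(query) {
  let quote = null; // the currently open quote character, or null
  for (let i = 0; i < query.length; i++) {
    const ch = query[i];
    if (quote !== null) {
      if (ch === "\\") { i++; continue; }   // skip the escaped character
      if (ch === quote) quote = null;        // string literal closed
      continue;
    }
    if (ch === "'" || ch === '"') { quote = ch; continue; }
    if (ch === "(") return true;             // expression outside any string
  }
  // An unterminated string means we could not classify the rest: reject it
  // rather than assume the library would parse it the same way we did.
  return quote !== null;
}

// Gate a query before handing it to the JSONPath library; throws on rejection.
function assertSafeJsonPath(query) {
  if (hasUnquotedParenthesis(query)) {
    throw new Error("JPath expression rejected: script/filter expressions are disabled");
  }
  return query;
}

// Constructed sample with the same shape as the PoC above, payload replaced by "1".
const POC_SHAPED_QUERY = '$..[?(({__proto__:[].constructor}).constructor("1")();)]';

const SAMPLES = [
  "$.store.book[*].author",        // plain path: allowed
  "$['key (with parens)']",        // parentheses only inside quotes: allowed
  POC_SHAPED_QUERY,                // filter expression: rejected
];

for (const q of SAMPLES) {
  console.log(hasUnquotedParenthesis(q) ? "REJECT" : "allow ", q);
}
```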
Thanks for reporting this. I have decided to switch to a different library which does not contain the same vulnerability: jsonpath-plus.
The POC above no longer results in XSS. If other routes are found, please do let me know and I'll probably end up disabling expression evaluation entirely.
It may also be worth raising this as an issue in the jsonpath repo itself.
Thanks once more for your efforts.