
Stored XSS

Open · EdOverflow opened this issue 8 years ago · 1 comment

Hi KingPixil,

Lock is vulnerable to stored XSS, a form of code injection wherein one can execute malicious scripts into a page.

Why does this vulnerability exist?

Cross-site scripting exists whenever input can be interpreted as code. In this case you simply replace {{message}} in template.html with the user's message without escaping the input:

var renderDel = function(message) {
    return template.replace(/{{message}}/g, message);
}

Link: https://github.com/KingPixil/lock/blob/master/src/view.js#L6-L8

<div id="content">
    <h3 class="centered">{{message}}</h3>
    <h5 id="counter">5</h5>
</div>

Link: https://github.com/KingPixil/lock/blob/master/views/template/template.html#L22-L25

With the payload this looks as follows:

<div id="content">
    <h3 class="centered"><svg onload=alert(1)></h3>
    <h5 id="counter">5</h5>
</div>

The example above should open up an alert box displaying 1.

What are the exploits?

A cross-site scripting vulnerability allows an attacker to modify the page.

A very good list of malicious payloads can be found here: http://www.xss-payloads.com/payloads.html

How can this be prevented?

As mentioned before, all user input should be escaped.

EdOverflow, Nov 26 '16 14:11
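An added example, not code from the Lock project or from either participant in this thread: the unescaped replace quoted in the report placed beside a version that HTML-escapes the message before substitution, run against a constructed copy of the template fragment and the payload shown above. The function names and the `tagCount` helper are assumptions made for the illustration.

```javascript
// Constructed copy of the template fragment quoted in the report.
const template = [
  '<div id="content">',
  '    <h3 class="centered">{{message}}</h3>',
  '    <h5 id="counter">5</h5>',
  '</div>',
].join('\n');

// Vulnerable (as in the report): the message is spliced into markup
// verbatim, so any tag or attribute it carries becomes part of the page.
function renderUnsafe(message) {
  return template.replace(/{{message}}/g, message);
}

// Escape the characters that can close text content or an attribute
// value; everything else is left untouched.
const ESCAPE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ESCAPE[ch]);
}

// Hardened: escape first, then substitute. A replacer function is used so
// that sequences such as `$&` in the message are not interpreted by
// String.prototype.replace as replacement patterns.
function renderSafe(message) {
  const escaped = escapeHtml(message);
  return template.replace(/{{message}}/g, () => escaped);
}

// Number of '<' characters in a rendered page. Escaped output must
// contain exactly as many as the template itself; extra ones mean
// the message introduced new markup.
function tagCount(html) {
  return (html.match(/</g) || []).length;
}

const payload = '<svg onload=alert(1)>'; // payload from the report
```

The same `escapeHtml` step applies to any other template slot that is filled from user input, not just `{{message}}`.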

Yes, this has been a known vulnerability, thanks for making the issue. I'll escape the input for now, but I'm planning to let Lock use a private API to obtain the message, instead of generating HTML.

kbrsh, Nov 26 '16 17:11