
Redirection vulnerability

Open imscary opened this issue 6 years ago • 5 comments

Like in #367 but combined with XSS. CSP doesn't block it. https://dweet.dwitter.net/id/13734 will redirect to Google

</script>
<script>
window.location.replace("http://www.google.com")
</script>
<script>

imscary avatar May 11 '19 14:05 imscary

Nice find!

However, this is taken care of by the iframe-src CSP. It doesn't work when you view the dweet in the feed or a normal dweet view: https://www.dwitter.net/d/13734 (at least in my browser)

dweet.dwitter.net is never meant to be viewed directly, so as long as it only affects direct viewing I don't think this is a problem in practice.

lionleaf avatar May 12 '19 15:05 lionleaf

It can still be used as free redirection hosting from an https source. It can be used for creating phishing attacks.

imscary avatar May 12 '19 16:05 imscary

That's a fair point. It's not really a critical bug, but it's unfortunate that people can send real dwitter links that then redirect.

If there's a simple fix I'd be happy to implement it, but I'm not too worried.

lionleaf avatar May 18 '19 23:05 lionleaf

There are similar attacks on the same method. It would be better if we block dweets that contain </script> or javascript: or </SCRIPT> or //<</ That's what I did to golf512.dx.am because I allow external resources and it works perfectly now.

imscary avatar May 19 '19 08:05 imscary

</script> isn't the problem here. Works just as well without it, you just need to make sure it doesn't start paused: https://dweet.dwitter.net/id/13998?autoplay=1

I'm skeptical of doing any sort of scanning of the dweet code, since JavaScript has so many ways to get around simple filters.

lionleaf avatar May 19 '19 17:05 lionleaf
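Rather than scanning dweet source for strings (which, as noted above, is easy to get around), a defender can confine the dweet document itself: the CSP `sandbox` directive applies to the page however it was loaded, so unlike the embedding page's frame-src it also covers a dweet opened directly on dweet.dwitter.net. The check below is an added illustration, not code from the dwitter project; the two header values are constructed, not dwitter's real policies.

```python
"""Check whether a Content-Security-Policy header confines a dweet page.

The thread notes that the frame-src CSP on www.dwitter.net only helps when the
dweet is embedded; a dweet opened directly can still call
window.location.replace(). A `sandbox` directive in the dweet page's own CSP
(without allow-top-navigation) denies that navigation regardless of how the
page was loaded. This helper verifies that property on a header string.
"""

# Constructed example headers (assumptions, not dwitter's actual configuration).
WEAK_CSP = "default-src 'self'; script-src 'unsafe-inline' 'self'; frame-src https://dweet.dwitter.net"
HARDENED_CSP = "default-src 'none'; script-src 'unsafe-inline'; sandbox allow-scripts"

# Sandbox flags that would re-enable navigating the top-level browsing context.
TOP_NAV_FLAGS = ("allow-top-navigation", "allow-top-navigation-by-user-activation")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [tokens]}.

    Directive names are matched case-insensitively; a repeated directive is
    ignored by browsers, so the first occurrence wins here as well.
    """
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def blocks_top_navigation(header: str) -> bool:
    """True if the policy sandboxes the document and keeps top navigation denied.

    A page served with this property cannot redirect the tab it is opened in,
    even when viewed directly rather than inside a sandboxed iframe.
    """
    policy = parse_csp(header)
    if "sandbox" not in policy:
        return False
    flags = {flag.lower() for flag in policy["sandbox"]}
    return not any(flag in flags for flag in TOP_NAV_FLAGS)


if __name__ == "__main__":
    for name, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(f"{name}: blocks top navigation = {blocks_top_navigation(csp)}")
```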