HackerOne: Potential stored Cross-Site Scripting vulnerability in Support Backend
News category: Security vulnerabilities
Source: vulners.com
HackerOne maintains an internal Support Backend system for employees. On the internal user profiles for hackers, a small overview lists the skills the user tagged their penetration tester profile with. Although skills are currently managed by HackerOne and a user can only pick from a list, an XSS payload placed in a skill name is executed as JavaScript in the backend system. If penetration testers were allowed to enter their own skills as free-form text, this would become a stored Cross-Site Scripting vulnerability exploitable by people outside of HackerOne.

Proof of concept

To reproduce, make sure your local environment is set up correctly by running the following code:

```ruby
Skill.create! name: '<script>alert(/XSS/);</script>'
User.find_by!(username: 'hacker').update! h1_pentester: true
```

Next, authenticate as the hacker user and enable the pentester-profile feature. Go to http://localhost:8080/settings/pentests and create a penetration tester profile with the skill that was created earlier. When the profile is created successfully, sign in to the Support Backend at http://localhost:8080/support and navigate to http://localhost:8080/support/users/hacker. The XSS payload injected in the skill name will be executed.

Root cause

The following code leads to two Cross-Site Scripting vulnerabilities:

lib/support/app/controllers/support/tables/columns/pentester_profile_skills.rb

```ruby
def render(record)
  return unless ...
  ...
```
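The defect described above is a table column that builds markup from a user-influenced skill name without escaping it. The following stand-alone Ruby is an added illustration, not HackerOne's code: the `Skill` and `PentesterProfile` structs are constructed stand-ins for the real models, `render_skills_unsafe` is a hypothetical version of the vulnerable pattern (interpolating the raw name into HTML), and `render_skills_safe` shows the fix of passing every untrusted value through `ERB::Util.html_escape` before concatenation. In a Rails column the same hazard usually appears as `raw`/`html_safe` on an interpolated string; the remedy is the same escaping, or the `tag`/`content_tag` helpers which escape for you.

```ruby
require 'erb'

# Constructed stand-ins for the Skill and pentester-profile models.
Skill = Struct.new(:name)
PentesterProfile = Struct.new(:skills)

# Hypothetical "before": the skill name is interpolated verbatim into the markup,
# so a name like the report's '<script>alert(/XSS/);</script>' becomes live script.
def render_skills_unsafe(record)
  return "" if record.skills.nil? || record.skills.empty?
  record.skills.map { |skill| "<span class=\"skill\">#{skill.name}</span>" }.join(", ")
end

# Hardened: every untrusted value is HTML-escaped before it is concatenated into markup.
def render_skills_safe(record)
  return "" if record.skills.nil? || record.skills.empty?
  record.skills.map { |skill| "<span class=\"skill\">#{ERB::Util.html_escape(skill.name)}</span>" }.join(", ")
end

# A check a test suite can run over the rendered column: a raw <script> tag must never survive.
def contains_raw_script?(html)
  html.match?(/<script\b/i)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample profile carrying the report's payload as one of its skills.
  profile = PentesterProfile.new([Skill.new("Web"), Skill.new("<script>alert(/XSS/);</script>")])
  puts "unsafe: #{render_skills_unsafe(profile)}"
  puts "safe:   #{render_skills_safe(profile)}"
  puts "unsafe output contains raw script? #{contains_raw_script?(render_skills_unsafe(profile))}"
  puts "safe output contains raw script?   #{contains_raw_script?(render_skills_safe(profile))}"
end
```

The `contains_raw_script?` check is deliberately narrow; it catches this report's payload and makes a regression test cheap, but the real control is the escaping in `render_skills_safe`, which neutralises every markup-significant character rather than one tag name.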