TTP-02-001 WP1: XSS in TorConnect's captive portal (Info)
Description:
TorConnect's captive portal performs a redirect to a URL that is retrieved from the redirect parameter in the query string. No validation is performed to guarantee that the scheme of the URL is valid before it is used in the redirection. Note that the redirect is only performed after the user has successfully connected to Tor.
Fortunately, arbitrary JavaScript execution is prevented by the strict Content Security Policy (CSP) that is applied to the about:torconnect page. Hence, the severity has appropriately been set at Info only.
Affected file:
browser/components/torconnect/content/aboutTorConnect.js
Affected code:
async init() {
  // see if a user has a final destination after bootstrapping
  let params = new URLSearchParams(new URL(document.location.href).search);
  if (params.has("redirect")) {
    const encodedRedirect = params.get("redirect");
    this.redirect = decodeURIComponent(encodedRedirect);
  } else {
    // if the user gets here manually or via the button in the urlbar
    // then we will redirect to about:tor
    this.redirect = "about:tor";
  }
  [...]
}
Steps to reproduce:
- Open the Tor Browser and access
about:torconnect?redirect=javascript:alert(document.domain);
- Click on Connect and check the DevTools to verify that JavaScript execution was prevented by CSP.
To mitigate this issue, Cure53 advises validating the scheme of the URL from the redirect parameter, and verifying it against an allow-list of safe schemes.
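The following is an added example of such an allow-list check, written for this report and not taken from the Tor Browser code base. It mirrors the parameter handling of the affected init() routine but resolves the redirect target through a scheme check. The allowed scheme list (only about: by default) and the about:tor fallback are assumptions chosen for illustration; a real deployment would pick the list that matches its legitimate post-bootstrap destinations.

```javascript
// Added example (not Tor Browser's code): resolve the redirect parameter of
// about:torconnect against a scheme allow-list instead of trusting it verbatim.
// Assumptions: the allowed schemes and the fallback target are illustrative.
const DEFAULT_FALLBACK = "about:tor";
const DEFAULT_ALLOWED_SCHEMES = ["about:"];

function safeRedirectTarget(
  rawParam,
  allowedSchemes = DEFAULT_ALLOWED_SCHEMES,
  fallback = DEFAULT_FALLBACK
) {
  if (rawParam === null || rawParam === undefined) {
    return fallback;
  }

  // The original code applies decodeURIComponent to the already-decoded value
  // returned by URLSearchParams.get; mirrored here, but a malformed percent
  // sequence must not be allowed to throw out of the page initialisation.
  let decoded;
  try {
    decoded = decodeURIComponent(rawParam);
  } catch (e) {
    return fallback;
  }

  // Relative or unparsable values are not acceptable redirect targets.
  let parsed;
  try {
    parsed = new URL(decoded);
  } catch (e) {
    return fallback;
  }

  // URL.protocol is lower-cased and carries the trailing colon, so variants
  // such as "JavaScript:" are normalised before the allow-list comparison.
  if (!allowedSchemes.includes(parsed.protocol)) {
    return fallback;
  }
  return parsed.href;
}

// Equivalent of the affected branch of init(): read the query string and pick
// either the validated target or the fallback destination.
function redirectFromQueryString(search) {
  const params = new URLSearchParams(search);
  return params.has("redirect")
    ? safeRedirectTarget(params.get("redirect"))
    : DEFAULT_FALLBACK;
}
```

With this check in place, the payload from the reproduction steps resolves to about:tor, while a permitted about: destination passes through unchanged; the allow-list is compared against the parsed protocol rather than a string prefix so that scheme-casing tricks are handled by the URL parser.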