Cross-site scripting on algorithm collaborator
Severity: High
Program: Quantopian
Reported by: irisrumtub
Hi again, my favorite VDP team. I bring you my 8th bug and 4th cross-site scripting. I'm currently trying to upload Python code via self-serve data, not looking only for XSSes, but they're still a thing, right?
**Summary:**
By sending a specially crafted websockets request, an attacker can run JavaScript in an algorithm collaborator's web browser.
**Description:**
This is actually quite a funny bug. Some time ago, when I was testing the algo debugger, I noticed that there is a request to */algorithms/algoid/x* which usually happens when I try to insert HTML's `<img src=x>`. But for some time now your Cloudflare has become more strict, and adding inline scripts in a request might result in 403 Forbidden, so I removed them and tried without them. But at that time I couldn't find the image that caused that request. I sent that to Chris.
Today I was trying to test against the debugger again. The purpose wasn't to find XSS, but I spammed XSS payloads alongside some different stuff. And again that request to page *X*. And I noticed that the debugger removed the part of my payload which contained the image. That's it! That should be the vulnerable place.
However, typing an HTML entity in it didn't produce anything. And the HTML was injected only on my side, not the other collaborator's. So I decided to take a look at the websocket request that sends it.
It turned out that HTML's `<>` and other entities were encoded. So I tried intercepting the websockets request and entering `<img src=x onerror=alert(1)>`, and it worked not only on me but on the collaborator as well.
So is it the TogetherJS library that is in charge of websockets? I think you might need to encode payloads server-side to avoid this kind of thing. I would be glad to help you test the fix for this.
## Steps To Reproduce:
1. Intercept a websockets message like this (debugger input update):
{F509648}
2. Replace the value with raw HTML/JavaScript.
3. Send the message. The payload will work in the collaborator's browser.
## Test account information
[email protected]
[email protected]
## Impact
Run JavaScript in the victim's browser.
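The report's root cause is that the only encoding happened in the sending client, so anyone who edits the websocket frame in transit bypasses it. The following is an added example, not code from the report, from Quantopian or from TogetherJS: a hypothetical relay handler that applies the server-side encoding the reporter recommends. The message type name `debugger-input`, the size limit and the frame shape are assumptions for the example; the forged value is the payload quoted in the report.

```javascript
// Added example, not code from the report or from Quantopian/TogetherJS.
// A hypothetical collaboration relay that escapes every collaborator update
// server-side before broadcasting it. Escaping only in the sending client is
// bypassed by anyone who intercepts and edits the websocket frame, which is
// exactly what the report describes.

// Minimal HTML escaper covering the characters that matter in element and
// attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Message types the relay is willing to forward (assumed set for this example).
const ALLOWED_TYPES = new Set(['debugger-input']);
const MAX_VALUE_LENGTH = 10000;

// Vulnerable pattern: forward whatever the client sent, trusting that the client
// already encoded it. A forged frame reaches every collaborator as live HTML.
function relayTrustingClient(rawFrame) {
  return rawFrame;
}

// Hardened pattern: parse, validate shape, escape on the server, re-serialise.
// Returns the frame to broadcast, or null if the frame is rejected.
function relayEscaping(rawFrame) {
  let msg;
  try {
    msg = JSON.parse(rawFrame);
  } catch (e) {
    return null; // not JSON: drop it
  }
  if (!msg || typeof msg !== 'object' || !ALLOWED_TYPES.has(msg.type)) return null;
  if (typeof msg.value !== 'string' || msg.value.length > MAX_VALUE_LENGTH) return null;
  // Clients send raw text; the server is the single place that encodes, so
  // honest input is never double-escaped and forged input is neutralised.
  return JSON.stringify({ type: msg.type, value: escapeHtml(msg.value) });
}

// Detection aid: does a broadcast frame still carry something a receiving
// client's innerHTML would parse as a tag? Useful as a logging/alerting hook
// on the relay, not as the sanitiser itself.
function carriesRawTag(frame) {
  if (frame === null) return false;
  const { value } = JSON.parse(frame);
  return /<\s*[a-z!\/]/i.test(value);
}

// Constructed sample frames: an honest update and one edited in transit.
const honestFrame = JSON.stringify({ type: 'debugger-input', value: 'x = 1' });
const forgedFrame = JSON.stringify({ type: 'debugger-input', value: '<img src=x onerror=alert(1)>' });

// Summary of the two relay behaviours on the constructed frames.
function demo() {
  return {
    trustingForwardsTag: carriesRawTag(relayTrustingClient(forgedFrame)),
    escapingForwardsTag: carriesRawTag(relayEscaping(forgedFrame)),
    honestUnchanged: JSON.parse(relayEscaping(honestFrame)).value === 'x = 1',
  };
}
console.log(demo());
```

Two design points worth noting. Encoding on the server only helps if it is the single place that encodes; if the client keeps encoding too, honest updates arrive double-escaped, which is why the example has clients send raw text. And server-side escaping assumes the receiving client inserts the value with `innerHTML`; the more robust fix is for the receiving client to render collaborator text with `textContent` (or an equivalent text-only insertion), with the server-side escaping kept as defence in depth.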
State: Closed
Substate: Resolved
Bounty: $2100.00
Weakness: Cross-site Scripting (XSS) - Stored