2

So I noticed on a site I'm penetration testing that when you save your profile settings after changing them, one of the parameters in the POST request is avatar_url.

I realized that I could repeat the POST request and change this avatar_url to something like http://example.com/malicious.html and it put it in the code like this:

<span class="avatar-user user-avatar" data-name="e" style="background-image: url('http://example.com/malicious.html');"></span>

I also changed it to javascript:alert(1) and it again put it in the code like this:

<span class="avatar-user user-avatar" data-name="e" style="background-image: url('javascript:alert\(1\)');"></span>

It does indeed change the URL to this in the code, but it doesn't actually display that for the image. It seems to have some filter against displaying it. For the avatar image, it'll just show the first letter of your username.

Is there a way that this behavior could be exploited for RCE or XSS or some kind of code execution? It seems like a bad idea to accept any URL including ones with malicious files for the avatar URL but I guess it isn't if it doesn't parse it.

Anders
Jack
  • Can you escape from the CSS string, e.g. by using single quotes? However, you can't get XSS from a CSS expression in any modern browser. – Arminius Apr 02 '18 at 21:08
  • @Arminius unfortunately not, it filters those characters with /s – Jack Apr 03 '18 at 16:16

2 Answers

5

Possibly. The response contains a URL inside CSS inside HTML. All three have different escaping regimes, and if the application's developer did not do escaping for one of these right, you might be able to sneak in an XSS one level beneath it. For example, what happens if the avatar URI ends in .../innocent.png')"><script src="malicious.js"></script> ?

You should also check for possible known vulnerabilities in the image rendering subsystem of your target browser. You're probably aware that serious issues have been discovered and fixed in JPEG, PNG, and GIF renderers of various browsers, but it is less known that many browsers also support using more exotic image formats such as SVG and TIFF for backgrounds. TIFF, in particular, is a highly extensible container format, with a rather broad potential attack surface.

dig
  • Is your second paragraph saying 'or use a 0-day in the target browser.'? That seems a bit of a stretch. Though those wouldn't be known. So what does that paragraph mean? – Neil Smithline Apr 03 '18 at 03:36
  • Particularly in corporate settings, stale browsers are still fairly common. When pentesting such an environment, finding an old vulnerability that still works may sometimes be possible. – dig Apr 03 '18 at 03:40
  • Fair enough. Thx! – Neil Smithline Apr 03 '18 at 03:45
  • Thanks. This sadly didn't work in the situation but is a perfectly valid solution in a lot of cases so it's the answer! – Jack Apr 04 '18 at 00:16
0

Controlling the URL of a resource that is public to other users opens the door to Cross-Site Request Forgery (CSRF). This will not result in a security risk for your web application, but it will result in security risks for your users on other sites.

mad_manny