
Security Fix for Stored-XSS on "HiChat" - huntr.dev #28

Status: Open. Wants to merge 7 commits into base: master.

Conversation

huntr-helper

https://huntr.dev/users/d3m0n-r00t has fixed the Stored-XSS on "HiChat" vulnerability 🔨. d3m0n-r00t has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

| Q | A |
| --- | --- |
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | 418sec#1 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/hichat/1/README.md |

User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-hichat

⚙️ Description *

The HiChat application is a simple chat for small teams which is based on a small server which helps to track messages sent by various users. The project presents a stored XSS issue which could lead to session stealing or HTML/JS injection in a permanent way, until the victim leaves the chat room.
Fixed the stored XSS using the sanitize-html module to filter out HTML tags from the input.
https://www.npmjs.com/package/sanitize-html

💻 Technical Description *

Sanitize-html is a simple sanitizer module that filters out HTML tags and sanitizes input.

🐛 Proof of Concept (PoC) *

  1. Download the project locally
  2. Run npm i
  3. Run node server
  4. Go on http://localhost:3000
  5. Join the chat room and set your username as test"><img/src="x"/onerror="alert(document.domain)">
  6. Open an anonymous tab and join the chatroom as another user (simulating the victim who joins the same chat room of the attacker)
  7. When the attacker sends any message, the username is insecurely reflected and JS injected
  8. XSS popped!!!

[Screenshot: hichatpoc]

🔥 Proof of Fix (PoF) *

Added sanitize-html to sanitize the input and filter out HTML tags to avoid injecting XSS payloads into the nickname field as well as the message field. There is no XSS after sanitization.

[Screenshot: hichatpof]

👍 User Acceptance Testing (UAT)

The application runs smoothly after the fix, and no more XSS. Can now send and receive messages without worrying about XSS or data leakage.
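As an added example (not HiChat's own code, which this page does not show), the render path that step 5 of the PoC abuses, with a hypothetical vulnerable renderer beside an output-encoded one; it uses HTML entity encoding rather than the sanitize-html allowlist the PR itself applies, and the template and function names are assumptions.

```javascript
// Added example, not HiChat's code: renderMessageVulnerable / renderMessageSafe
// are hypothetical stand-ins for the chat's message-rendering step.

// Encode the characters that let text break out of an HTML text node or a
// double-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Pre-fix behaviour: username and message are concatenated straight into
// markup, so a nickname chosen by one user becomes live HTML for the room.
function renderMessageVulnerable(username, message) {
  return `<li><span class="user">${username}</span>: ${message}</li>`;
}

// Post-fix behaviour: every untrusted field is encoded before it is placed
// in markup, so tags in a nickname show up as visible text, not DOM nodes.
function renderMessageSafe(username, message) {
  return `<li><span class="user">${escapeHtml(username)}</span>: ${escapeHtml(message)}</li>`;
}

// Check usable in a regression test: after removing the template's own
// <li>/<span> tags, any remaining '<' is markup that came from user input.
function containsInjectedMarkup(html) {
  const stripped = html.replace(/<\/?(li|span)(\s[^>]*)?>/g, '');
  return stripped.includes('<');
}

// Constructed sample input: the nickname from step 5 of the PoC above.
const POC_USERNAME = 'test"><img/src="x"/onerror="alert(document.domain)">';

function demo() {
  const before = renderMessageVulnerable(POC_USERNAME, 'hello');
  const after = renderMessageSafe(POC_USERNAME, 'hello');
  return {
    before,
    after,
    beforeInjected: containsInjectedMarkup(before), // true: <img ... onerror> is live
    afterInjected: containsInjectedMarkup(after),   // false: only &lt;img ...&gt; text
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```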
