Imgur: XSS via React element spoofing

ID H1:124277
Type hackerone
Reporter jouko
Modified 2016-03-23T23:11:47


Hello, I noticed an XSS on imgur. Proof of concept: visit the URL[props][dangerouslySetInnerHTML][__html]=%3Cimg%20src=a%20onerror=%22alert(%27XSS%20on%20%27%2bdocument.domain)%22%3E&error[_isReactElement]=true&error[type]=body

It's not the simplest case as it requires some React magic. There is a good explanation of this type of vulnerability at . Corresponding H1 report: .

The impact is as usual. The attacker could execute operations on behalf of the victim who visits a malicious link, or access e.g. the session cookie (IMGURSESSION).

I haven't yet checked if this is the only such occurrence on Imgur.
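
The following is an added example, not part of the original report and not Imgur's code. It shows how bracket-notation query parameters shaped like the PoC's become a nested object carrying `_isReactElement`, and a server-side check that lets only plain strings reach rendering. The parser is a hypothetical stand-in for PHP or qs-style parsing, the sample query is constructed with harmless markup, and the function names are illustrative; that the parsed value reached a React render call unchanged is an assumption.

```javascript
// Constructed sample: same parameter shape as the report's PoC, harmless markup.
const SAMPLE_QUERY =
  'error[_isReactElement]=true&error[type]=body' +
  '&error[props][dangerouslySetInnerHTML][__html]=' +
  encodeURIComponent('<b>injected</b>');

// Minimal bracket-notation parser (hypothetical stand-in for PHP / qs-style parsing).
function parseNestedQuery(query) {
  const root = Object.create(null); // no prototype, so odd keys stay plain data
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const value = eq < 0 ? '' : decodeURIComponent(pair.slice(eq + 1).replace(/\+/g, ' '));
    // "a[b][c]" -> ["a", "b", "c"]
    const path = rawKey.split(/\[|\]\[|\]/).filter(Boolean);
    if (path.length === 0) continue;
    let node = root;
    for (const key of path.slice(0, -1)) {
      if (typeof node[key] !== 'object' || node[key] === null) {
        node[key] = Object.create(null);
      }
      node = node[key];
    }
    node[path[path.length - 1]] = value;
  }
  return root;
}

// Detection: request-derived object carrying the element marker field from the PoC.
function looksLikeSpoofedElement(value) {
  return typeof value === 'object' && value !== null && '_isReactElement' in value;
}

// Mitigation: only primitive strings from the request may reach a render call.
function toRenderableText(value, fallback = '') {
  return typeof value === 'string' ? value : fallback;
}

// Parse one parameter, flag a spoof attempt for logging, return safe text.
function inspectParam(query, name) {
  const value = parseNestedQuery(query)[name];
  return { spoofed: looksLikeSpoofedElement(value), text: toRenderableText(value) };
}
```
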