Quora: XSS when clicking "Share to Twitter" at quora.com/widgets/embed_iframe?path=...

2017-08-11T09:00:04
ID H1:258876
Type hackerone
Reporter stefanofinding
Modified 2018-01-11T19:59:23

Description

Summary: The endpoint at https://{language}.quora.com/widgets/embed_iframe?path={path_to_answer_in_same_language} shows the answer you specify in path (like /Question/answer/User) in a format suitable for embedding. There is one button, Share, that when clicked shows another button, Share to Twitter. The href attribute of this last button is of the format javascript: window.open("https://twitter.com/intent/tweet?text=Answer on @Quora by @User to Question? http://qr.ae/nnnn", "Share Answer to Twitter", "width=600, height=250"). The problem is that the question title is placed inside that string literal without escaping, so you can create a question containing " (double quotes) and inject JavaScript code that is executed when the user clicks Share to Twitter.

Description (Include Impact): It requires user interaction, but it works.

Steps To Reproduce

  1. Go to https://www.quora.com/
  2. Click on Ask Question
  3. Enter a valid question which includes "-alert(document.domain)-" somewhere. I entered Question ignore "-alert(document.domain)-"? and it was accepted as valid
  4. Now you may be in the page of the question you just asked
  5. Click on Answer
  6. Enter anything
  7. Click on Submit
  8. Copy the path from the address bar. Mine was /Question-ignore-alert-document-domain/answer/Cuenta-Para-Probar
  9. Go to https://www.quora.com/widgets/embed_iframe?path={path_from_last_step}. Mine is https://www.quora.com/widgets/embed_iframe?path=/Question-ignore-alert-document-domain/answer/Cuenta-Para-Probar
  10. Click on Share
  11. Click on Share to Twitter
  12. alert(document.domain) is executed
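The construction described above, reconstructed as an added example (not Quora's code, function names are hypothetical): the reported pattern interpolates the title into a JavaScript string literal inside a javascript: href, while the hardened form builds a plain https: intent URL with percent-encoding and opens it from a click handler, so user text never lands in an executable context.

```javascript
// Added example, not Quora's code. Reconstructs the href pattern the report
// describes and shows a hardened replacement. All function names are hypothetical.

// VULNERABLE: the question title is interpolated into a JS string literal
// inside a javascript: href. A title containing " closes that literal early.
function buildShareHrefVulnerable(question, user, shortUrl) {
  const text = `Answer on @Quora by @${user} to ${question} ${shortUrl}`;
  return 'javascript: window.open("https://twitter.com/intent/tweet?text=' +
    text + '", "Share Answer to Twitter", "width=600, height=250")';
}

// HARDENED: build an ordinary https: intent URL. URLSearchParams percent-encodes
// every reserved character (", ', (, ), @, :, /, ?), so user text can neither
// become code nor start a new query parameter, and the href is not executable.
function buildTweetIntentUrl(question, user, shortUrl) {
  const params = new URLSearchParams({
    text: `Answer on @Quora by @${user} to ${question} ${shortUrl}`,
  });
  return 'https://twitter.com/intent/tweet?' + params.toString();
}

// HARDENED (wiring): set the encoded URL as the href and open the popup from an
// event listener instead of a javascript: URL. Touches window only on click.
function attachShareHandler(button, question, user, shortUrl) {
  const url = buildTweetIntentUrl(question, user, shortUrl);
  button.href = url;            // still works as a normal link without JS
  button.target = '_blank';
  button.rel = 'noopener';
  button.addEventListener('click', (event) => {
    event.preventDefault();
    window.open(url, 'Share Answer to Twitter', 'width=600, height=250');
  });
  return url;
}

// Review check for generated share links: a correctly encoded href contains no
// raw quote or angle-bracket characters that could terminate a string literal
// or an HTML attribute. Returns true when the href is clean.
function hrefHasNoRawQuotes(href) {
  return !/["'<>]/.test(href);
}
```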

Optional: Your Environment (Browser version, Device, app version, os version etc)

  • It is not browser dependent. Anyway, I tested it on Firefox, Chrome and Safari for Mac.

Optional: Supporting Material/References (Screenshots)

  • I don't think it is necessary, but let me know if you need something else.