Liberapay: Cross site scripting (content-sniffing)

ID H1:363845
Type hackerone
Reporter said778
Modified 2018-06-10T09:25:13


This type of XSS can only be triggered on (and affects) content sniffing browsers.

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

This vulnerability affects /sign-up. The URL-encoded POST input sign-in.currency was set to USD<WDILR9>G8OAI[!+!]</WDILR9>, and the input is reflected inside a text element.

Put this URL,

now put:

csrf_token=oiCrDqa91GRS4YBFb4jzZQzpgxSZN38I&form.repost=false&sign-in.back-to=/about/me/edit&sign-in.currency=USD<WDILR9>G8OAI%5b%21%2b%21%5d</WDILR9>&

You will see the email sent, and that allows the attacker to access any cookies or session tokens retained by the browser.


HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=UTF-8
Content-Length: 196
Connection: keep-alive
X-Xss-Protection: 1; mode=block
Content-Security-Policy: default-src 'self';connect-src 'self' *;form-action 'self';img-src * blob: data:;object-src 'none';report-uri;upgrade-insecure-requests;
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: csrf_token=oiCrDqa91GRS4YBFb4jzZQzpgxSZN38I;; expires=Sun, 17 Jun 2018 00:42:27 GMT; Path=/; SameSite=lax; secure
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Expect-CT: max-age=604800, report-uri=""
Server: cloudflare
CF-RAY: 4287cc50ea852744-FRA
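The report says this class of XSS only affects content-sniffing browsers, so the decisive question for a triager is whether the response above can be sniffed as HTML at all. The following is an added checker, not part of the report or of Liberapay's code: it parses a raw HTTP response header block and classifies the reflected-content risk as "html" (declared text/html, ordinary reflected XSS territory), "mitigated" (non-HTML type plus X-Content-Type-Options: nosniff, so browsers will not reinterpret it as HTML) or "sniffable" (non-HTML or missing type without nosniff). REPORTED_RESPONSE is copied from the headers in the report; WEAKENED_RESPONSE is a constructed variant with the nosniff header removed, included only to show the contrast.

```python
"""Classify whether reflected input in an HTTP response could be rendered
as HTML by a content-sniffing browser (added example, not from the report)."""

# Header block copied from the response shown in the report.
REPORTED_RESPONSE = """HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=UTF-8
Content-Length: 196
Connection: keep-alive
X-Xss-Protection: 1; mode=block
Content-Security-Policy: default-src 'self';connect-src 'self' *;form-action 'self';img-src * blob: data:;object-src 'none';report-uri;upgrade-insecure-requests;
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare
"""

# Constructed variant: same response with the nosniff header removed.
WEAKENED_RESPONSE = "\n".join(
    line for line in REPORTED_RESPONSE.splitlines()
    if not line.lower().startswith("x-content-type-options:")
) + "\n"


def parse_response(raw: str):
    """Split a raw response (status line + headers) into the numeric status
    and a dict keyed by lower-cased header name. Repeated headers are
    joined with ', ' so none is silently dropped."""
    lines = [line for line in raw.strip().splitlines() if line.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return status, headers


def content_sniffing_risk(raw: str) -> dict:
    """Return the declared media type, whether nosniff is set, and a verdict:
    'html'      - Content-Type is text/html, so reflected markup is parsed as
                  HTML regardless of sniffing;
    'mitigated' - a non-HTML (or absent) type with nosniff, so the browser
                  must not reinterpret the body as HTML;
    'sniffable' - a non-HTML or absent type without nosniff."""
    status, headers = parse_response(raw)
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    nosniff = headers.get("x-content-type-options", "").strip().lower() == "nosniff"
    if media_type == "text/html":
        verdict = "html"
    elif nosniff:
        verdict = "mitigated"
    else:
        verdict = "sniffable"
    return {
        "status": status,
        "content_type": media_type,
        "nosniff": nosniff,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, raw in (("reported", REPORTED_RESPONSE), ("weakened", WEAKENED_RESPONSE)):
        print(label, content_sniffing_risk(raw))
```

Run as a script it prints one line per sample; the reported response comes out as application/json with nosniff set, i.e. "mitigated", while the constructed variant without the header is "sniffable".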


Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to another user. Because a browser cannot know whether the script should be trusted, it executes the script in the user's context, allowing the attacker to access any cookies or session tokens retained by the browser.