cliftonc/calipso

[Security] XSS on usernames

Mickael-van-der-Beek opened this issue · 1 comments

I tried to contact the repository owner but didn't get an answer so I thought I would post the issue here just in case one of the many contributors would be able to fix this.

There's a very simple but equally dangerous XSS attack vector on the application's usernames.

To reproduce the issue, follow these steps:

  1. create a user whose username is something like: <script>alert(1)</script>
  2. connect as a moderator / admin
  3. browse to the user list
  4. you'll get an alert with the message 1

This could lead to CSRF attacks and compromise moderator / admin accounts.

I'm sure there are numerous other ways to pass XSS attacks in Calipso since there is no input sanitisation or escaping.

I'd recommend using libraries like the excellent:

DOMPurify https://github.com/cure53/DOMPurify
or
Google Caja https://code.google.com/p/google-caja/

Using Anti-CSRF tokens might also be a good idea.
I know that Express has some good middlewares for this exact purpose.
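As an added example that is not part of the report or of Calipso's code: the user-list rendering described above, first with the raw concatenation the report implies, then with output escaping and a registration-time allowlist. The sample data, function names and allowlist pattern are assumptions for the demo.

```javascript
// Added example, not Calipso's own code: the user-list page the report
// describes, rendered unsafely and then with output escaping plus an
// input allowlist. Data and function names are constructed for this demo.

// Constructed sample data modelled on the report's reproduction steps.
const sampleUsers = [
  { username: 'alice', role: 'admin' },
  { username: '<script>alert(1)</script>', role: 'user' },
  { username: 'O\'Brien "Ops"', role: 'moderator' },
];

// Vulnerable pattern from the report: stored username concatenated straight into HTML.
function renderUserListUnsafe(users) {
  return '<ul>' + users.map(u =>
    `<li title="${u.username}">${u.username} (${u.role})</li>`).join('') + '</ul>';
}

// Escape the characters that change meaning in HTML text and quoted attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, c => HTML_ESCAPES[c]);
}

// Fixed: every untrusted value is escaped at the point it enters the markup,
// in both text and attribute context, so stored data can stay exactly as entered.
function renderUserList(users) {
  return '<ul>' + users.map(u =>
    `<li title="${escapeHtml(u.username)}">${escapeHtml(u.username)} (${escapeHtml(u.role)})</li>`
  ).join('') + '</ul>';
}

// Defence in depth at registration: reject usernames outside a conservative allowlist.
// The pattern is an assumption for this demo, not Calipso's policy.
const USERNAME_RE = /^[A-Za-z0-9_.-]{3,32}$/;
function isValidUsername(name) {
  return USERNAME_RE.test(name);
}

// Regression check for a test suite: no raw <script> tag reaches the output.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(containsRawScriptTag(renderUserListUnsafe(sampleUsers))); // true
console.log(containsRawScriptTag(renderUserList(sampleUsers)));       // false
```

Escaping belongs at output because the same username may later be emitted into a different context (JSON, a mail template) that needs different encoding; the allowlist only reduces what an attacker can store.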

Ah yes, we need to fix that. Sorry things are slow right now, I am trying to catch up with too many things.
I'll take a look
Andy

On Apr 2, 2014, at 7:32 PM, Mickael van der Beek notifications@github.com wrote:

I tried to contact the repository owner but didn't get an answer so I thought I would post the issue here just in case one of the many contributors could fix this.

There's a very simple but equally dangerous XSS attack vector on the application's usernames.

To reproduce, follow these steps:

  1. create a user whose username is something like: <script>alert(1)</script>
  2. connect as a moderator / admin
  3. browse to the user list
  4. you'll get an alert with the message 1
This could lead to CSRF attacks and compromise moderator / admin accounts.

I'm sure there are numerous other ways to pass XSS attacks in Calipso since there is no input sanitisation or escaping.

I'd recommend using libraries like the excellent:

DOMPurify https://github.com/cure53/DOMPurify
or

Google Caja https://code.google.com/p/google-caja/
