Juice-shop: [โญ] html/5 Injection

Created on 11 May 2020  ยท  7Comments  ยท  Source: bkimminich/juice-shop

:star: Challenge idea HTML injection

Description

the idea is to make a challenge to find an injection html vulnerability

Underlying vulnerability/ies

HTML5 element and "srcset" attributes

this type of flaw is to simulate XSS or XXE but it focuses on vulnerabilities in HTML resources.

Expected difficulty

low or medium.

Possible attack flow

this failure can be combined with A3, A4 and A10 to become something serious.

References

https://www.acunetix.com/vulnerabilities/web/html-injection/
https://www.utep.edu/information-resources/iso/security-awareness/technical-security-resources/what-is-html-injection.html
https://deadliestwebattacks.com/html-injection-quick-reference/
https://html5sec.org/
https://www.hackingarticles.in/beginner-guide-html-injection/

challenge missing information

All 7 comments

Thanks a lot for opening your first issue with us! ๐Ÿงก We'll get back to you shortly! โณ If it was a _Support Request_, please consider asking on the community chat next time! ๐Ÿ’ฌ

Thanks for the challenge proposal and the references! ๐Ÿ‘ Do you have an idea where this could actually be put in the application (in a reasonably realistic way)?

PS: You don't like our "First Issue" auto-reply action? ๐Ÿ˜€

Thanks for the challenge proposal and the references! Do you have an idea where this could actually be put in the application (in a reasonably realistic way)?

PS: You don't like our "First Issue" auto-reply action?

eu pensei em algo, como um XSS with DOM. injection in search bar. after response, to view source code html injection.

xss

Just a possible solution, though, I am not sure it would be worth it the effort. Essentially, there could be HTML Injection via emails. This could be done by having a "share" functionality of a food item where a user could share an item to a peer. This "share" button would open up a modal form which the user then could add their peers email address. When the user submits the form, it will send a POST request with a property called itemUrl or similar. This property would have a value of <a href="urlOfItem">Check out this Juice Shop Item!</a> which would be appended to the email body of the message being sent (server side). This request could be intercepted and modified by an attacker to update the body of the email and update the URL, appending images, etc.

This would require email functionality like Nodemailer. Additional env vars or properties would need to be supplied to send the email like the address itself and the email app password.

My only concern would be the possible abuse of sending emails via the demo site. This could be remediated by having a feature switch for sharing items. People utilizing Juice Shop would need to enable the switch manually on top of supplying the required properties to Nodemailer.

Thanks for the challenge proposal and the references! Do you have an idea where this could actually be put in the application (in a reasonably realistic way)?

PS: You don't like our "First Issue" auto-reply action?

there are many possibilities.

html4 - text, html5 - input / output, html5 - storage.

:star: Challenge idea ( HTML4 )

Type - text

Description

  • change text modify response text, to something less user friendly.

Underlying vulnerability/ies

unnecessary

Expected difficulty

| :heavy_check_mark: / :x: | Difficulty |
|:------------------------:|:-------------------------------------|
| :heavy_check_mark: | :star: |
| :heavy_check_mark: | :star::star: |
| :grey_question: | :star::star::star: |
| :grey_question: | :star::star::star::star: |
| :grey_question: | :star::star::star::star::star: |
| :grey_question: | :star::star::star::star::star::star: |

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

:star::star: Challenge idea ( HTML5 )

Type - input

Description

  • modify input containing mask to allow XSS / Html injection attacks.
    -- for example you can modify the feedback field the login inputs.

Underlying vulnerability/ies

unnecessary

Expected difficulty

| :heavy_check_mark: / :x: | Difficulty |
|:------------------------:|:-------------------------------------|
| :grey_question: | :star: |
| :heavy_check_mark: | :star::star: |
| :heavy_check_mark: | :star::star::star: |
| :grey_question: | :star::star::star::star: |
| :grey_question: | :star::star::star::star::star: |
| :grey_question: | :star::star::star::star::star::star: |

=================================================================================

:star::star::star: Challenge idea ( HTML5 )v2

*Type - Storage *

Description

Copies data from the user's session using log storage tags, later the data can be revealed in order to solve the challenge.

Underlying vulnerability/ies

unnecessary

Expected difficulty

| :heavy_check_mark: / :x: | Difficulty |
|:------------------------:|:-------------------------------------|
| :grey_question: | :star: |
| :grey_question: | :star::star: |
| :heavy_check_mark: | :star::star::star: |
| :heavy_check_mark: | :star::star::star::star: |
| :grey_question: | :star::star::star::star::star: |
| :grey_question: | :star::star::star::star::star::star: |

=================================================================================

@bkimminich sorry for to late.

I'm the very busy, but I Believe the description above, you can help, to make a new challenge.

@GraoMelo Thanks for your challenge ideas! I'm not entirely sure they would bring anything new that isn't already covered by one of the existing XSS challenges.

@Whamo12 The email attack avenue would be a nice novelty, and we for sure would give this challenge the "Danger Zone" tag and disable the entire mailing functionality in Docker/Heroku environments by default. I'm a bit sceptical about the need for the user to configure the nodemailer endpoint for themselves, because that adds complexity at startup or somewhere in the application which might confuse especially new users.

I'm a bit skeptical about the need for the user to configure the nodemailer endpoint for themselves, because that adds complexity at startup or somewhere in the application which might confuse especially new users.

I agree, which explains my hesitation to share this idea but as this ticket was open I figured it was worth at least mentioning it.

Nodemailer requires the following configuration to create a SMTP transport object.

    // Create a SMTP transporter object
    let transporter = nodemailer.createTransport({
        host: account.smtp.host,
        port: account.smtp.port,
        secure: account.smtp.secure,
        auth: {
            user: account.user,
            pass: account.pass
        }
    });

An alternative to using a real email account, there is a service called Ethereal which is an "anti-transactional email service where messages never get delivered" (Looks to be built specifically for Nodemailer). This could be used to preview emails and not actually send them which could work with validating HTML injection via the email body. However, an account would need to be created in order to use it.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

bkimminich picture bkimminich  ยท  4Comments

junathanadi picture junathanadi  ยท  3Comments

sushi2k picture sushi2k  ยท  5Comments

bkimminich picture bkimminich  ยท  6Comments

cnotin picture cnotin  ยท  5Comments