TEMPLATE

By submitting this document, you confirm that you have read and consent to the Jobber Bug Bounty Program Terms and Conditions

Title

A brief one line description of the issue.

Stored Cross-Site Scripting vulnerability in ‘Update Profile Picture’ functionality

Issue Description

A detailed description of the issue along with the definition of the vulnerability type with all possible relevant details.

Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.

The consultant identified that the update profile picture functionality is vulnerable to cross-site scripting: it is possible to upload an image with a MIME type of `text/html`, which is then stored on the user's profile as an XSS payload. The outline below demonstrates the steps taken to reproduce and exploit the issue.

Affected URL/Area

The affected URLs or area of the application where the issue exists.

Risk Rating

Steps to reproduce/PoC

A clear outline of the steps required to reproduce the issue along with appropriate evidence (screenshots, request/response body etc.)

  1. The following steps indicate a proof of concept outlined in three (3) steps to reproduce and execute the issue.
  2. Navigate to https://example.com/update-profile and select edit, as shown in the attached screenshot labelled step1.jpg.
  3. Modify the profile image request with a local proxy; in this case the consultant is using Burp Suite. Change the Content-Type from image to text/html as shown in the POST request:

     POST /file/upload/ HTTP/1.1
     Host: example.com
     ---snip----
     -----------------------------900627130554
     Content-Disposition: form-data; name="stored_XSS.jpg"; filename="stored_XSS.jpg"
     Content-Type: text/html

     <script>alert('JobberBugBounty')</script>
     -----------------------------900627130554

  4. When this is sent, the following response is shown:

     HTTP/1.1 200 OK
     Date: Sat, 13 Aug 2016 14:31:44 GMT
     ---snip---
     {"url":"https://example.com/56fc3b92159006271305543ef45a04452e8e45ce4/stored_XSS.jpg?Expires=1465669904&Signature=dNtl1PzWV&Key-Pair-Id=APKAJQWLJPIV25LBZGAQ", "pk":"56fc3b92159006271305543ef45a04452e8e45ce4/stored_XSS.jpg", "success": true}

  5. The file has been uploaded to Application X and is hyperlinked to from the profile page, as shown in step3.jpg. The payload is triggered by simply following the link to the image, which in this case is:

     https://example.com/56fc3b92159006271305543ef45a04452e8e45ce4/stored_XSS.jpg

Expected Result

The normal outcome of the steps to reproduce outlined above

The payload should not be executed; the application should treat it as a normal string.

Observed Result

The abnormal output due to the presence of the vulnerability

The payload is executed, as shown in the attached screenshot labelled step3.jpg, which demonstrates that the issue is stored cross-site scripting.

Browsers verified in

Affected Demographic/User Base

Explain who this issue affects. Is it everyone or just a select number of users?

Recommendations

How do you fix the issue? What are the recommended remediation actions required to successfully fix the issue?
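As an added example, not part of this report or of the application's own code, the following shows the server-side checks that close the gap described above: the upload handler sniffs the image type from the file bytes instead of trusting the client's Content-Type, rejects mismatches (the report's `text/html` part with a script body fails the first check), and the stored file is served with a server-chosen type plus `nosniff`/`attachment` headers so a polyglot file cannot be rendered as a document on the application's origin. Function and table names are illustrative assumptions.

```python
from typing import Optional, Tuple

# Magic bytes for the image types a profile picture may be (assumed allow-list).
ALLOWED_SIGNATURES = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
EXTENSION_FOR_TYPE = {
    "image/jpeg": ("jpg", "jpeg"),
    "image/png": ("png",),
    "image/gif": ("gif",),
}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Identify the image type from the leading bytes, never from client headers."""
    for mime, signatures in ALLOWED_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def validate_upload(filename: str, declared_type: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, detected_type_or_reason) for one multipart file part."""
    detected = sniff_image_type(data)
    if detected is None:
        # The report's body (<script>...</script>, no image header) is rejected here.
        return False, "content is not a recognised image"
    declared = declared_type.split(";")[0].strip().lower()
    if declared != detected:
        # e.g. Content-Type: text/html on real JPEG bytes: reject, do not silently "fix".
        return False, f"declared {declared} does not match detected {detected}"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXTENSION_FOR_TYPE[detected]:
        return False, f"extension .{ext} does not match {detected}"
    return True, detected


def download_headers(detected_type: str, stored_name: str) -> dict:
    """Headers for serving the stored file: type is the server's sniffed value,
    nosniff stops MIME guessing, attachment + sandbox CSP keep a JPEG/HTML
    polyglot from executing script in the application's origin."""
    return {
        "Content-Type": detected_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```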

Tools Used

List of pertinent applications, programs or tools used to discover the issue

Testing Details

Date and time testing took place & IP address at time of testing.

References

For more information on remediation steps, see reference [2].