TEMPLATE

By submitting this document, you accept to have read and consent to the Jobber Bug Bounty Program Terms and Conditions

Title

A brief one line description of the issue.

Stored Cross-Site scripting vulnerability in ‘Update Profile Picture’ functionality

Issue Description

A detailed description of the issue along with the definition of the vulnerability type with all possible relevant details.

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.

The consultant identified that the update profile picture is vulnerable to cross site scripting, it is possible to upload an image with a MIME type of `text/html` this is then stored on the user's profile as an XSS payload, the outline below demonstrates the steps taken to exploit and reproduce.

Affected URL/Area

The affected URLs or area of the application where the issue exists.

https://example.com/update-profile
https://example.com/file/upload

Risk Rating

Likelihood: Critical (Pick from Critical/High/Medium/Low)
Impact: Critical (Pick from Critical/High/Medium/Low)
CVSS2 Score: 7.9 [(AV:N/AC:M/Au:S/C:C/I:C/A:N)](https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector= (AV:N/AC:M/Au:S/C:C/I:C/A:N))
Authenticated: Yes/No

Steps to reproduce/PoC

A clear outline of the steps required to reproduce the issue along with appropriate evidence (screenshots, request/response body etc.)

The following steps indicate a proof of concept outlined in three(3) steps to reproduce and execute the issue.
Navigate to https://example.com/update-profile and select edit as shown in screenshot attached labelled step1.jpg.
Modify the profile image request with a local proxy, in this case the consultant is using Burp Suite. Change the Content-Type from image to text/html as shown in the post request:


POST /file/upload/ HTTP/1.1

Host: example.com

---snip----

-----------------------------900627130554

Content-Disposition: form-data; 

name="stored_XSS.jpg"; filename="stored_XSS.jpg" Content-Type: text/html

<script>alert('JobberBugBounty')</script> 

-----------------------------900627130554

When this is sent, the following response is shown:


HTTP/1.1 200 OK

Date: Sat, 13 Aug 2016 14:31:44 GMT

---snip---

{"url":"https://example.com/
56fc3b92159006271305543ef45a04452e8e45ce4/
stored_XSS.jpg?Expires=1465669904&Signature
=dNtl1PzWV&Key-Pair-Id=APKAJQWLJPIV25LBZGAQ",
"pk":"56fc3b92159006271305543ef45a04452e8e45ce4
/stored_XSS.jpg", "success": true}

The file has been uploaded to Application X and is hyperlinked to from the profile page as shown in step 3.jpg. By simply following the link to the image which in this case is:


https://example.com/56fc3b92159006271305543ef45a04452e8e45ce4/stored_XSS.jpg

Expected Result

The normal outcome of the steps to reproduce outlined above

The payload should be executed and should treat it as a normal string

Observed Result

The abnormal output due to the presence of the vulnerability

The payload is executed as shown in attached screenshot labelled step3.jpg, thus this demonstrates the issue is stored cross site scripting.

Browsers verified in

Google Chrome: version 91.0.4472.165
visit chrome://version/
Mozilla Firefox: Firefox 52.6.0esr
top-right menu icon → ? "Help" → "About Firefox"
Microsoft Internet Explorer: IE9
top-right cog → "About Internet Explorer"
Microsoft Edge: 92.0.902.84
… → "Settings" → scroll down

Affected Demographic/User Base

Explain who this issue affects? Is it everyone or just a select amount of users?

This issue will affect all users on the site who view the profile of the attacker, when the image is rendered the payload is executed instead of a profile image. Additionally, when the malicious user posts anything on the forums the payload will execute.

Recommendations

How do you fix the issue? What are the recommended remediation actions required to successfully fix the issue?

Ensure that file upload checks the MIME type of content being uploaded, for additional security implement server side content checking to ensure file headers match that of the file extension. Additionally, make sure that all user input is treated as dangerous do not render any HTML tags.

Tools Used

List of Pertinent applications, programs or tools used to discover the issue

BurpSuite - Request Response inspection
Nmap - Network discovery

Testing Details

Date and time testing took place & IP address at time of testing.

Sep 12, 2021 to Sep 15, 2021
152.43.122.22

References

For more information on remediation steps check out reference [2]