Monday, April 12, 2021

CVE-2021-3163 - Stored XSS Slab Quill JS

XSS in the WYSIWYG HTML editor by abusing the image tag.

For example, when adding a comment, use an intercepting proxy such as Burp Suite to place this payload in the comment-text field of the POST request:

<div><image src=validateNonExistantImage.png onloadstart=alert(1337)> hey girl hey </div>


The payload is now stored on the page. When the next user loads it, the script executes.


This is a good example of why client-side validation alone does not stop attackers: they routinely bypass it by interacting with APIs and server-side endpoints directly.


https://github.com/quilljs/quill/issues/3273


I reported this to LinkedIn since they are using QuillJS, but they only have a private bug bounty program.


https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3163


NOTE: Though the CVE is marked as "disputed", it is a very basic stored XSS and has been easily reproducible. They seemed to accept this explanation and remediation note in issue #3558, but as of September 2022 the issue is still open and there doesn't seem to be a security patch in place, so it's still exploitable. As explained here, in order to fix it there needs to be server-side sanitization in addition to the client-side validation that they're already using:

https://github.com/quilljs/quill/issues/3558
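The remediation the note above calls for, as an added example that is not code from the Quill project or from this post: a server-side allowlist sanitizer that re-serializes incoming comment HTML keeping only known tags and attributes, so every on* event handler and every non-http(s) URL is rejected regardless of what the client-side editor already filtered. It goes beyond the single image/onloadstart case: unknown tags (including the browser alias "image"), script/style content and javascript: links are dropped too. The allowlists, the names sanitize_html and safe_url, and the sample inputs are constructed for this example.

```python
"""Server-side allowlist sanitizer for stored rich-text HTML (added example,
not from Quill or the post). Assumes the comment body arrives as an HTML
string and is sanitized here before storage; allowlists are constructed."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags a comment editor legitimately needs (constructed allowlist). The browser
# alias "image" is deliberately absent, so it is dropped like any unknown tag.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "s", "a", "ul", "ol",
                "li", "blockquote", "pre", "code", "div", "span", "img"}
# Per-tag attribute allowlist; on* handlers are rejected before this check.
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
DROP_CONTENT_TAGS = {"script", "style"}   # tag AND its text are discarded


def safe_url(value):
    """Accept relative URLs and http(s) only; reject javascript:, data:, etc."""
    v = value.strip()
    # Whitespace/control characters inside a URL are a classic scheme disguise.
    if any(ch.isspace() or not ch.isprintable() for ch in v):
        return False
    try:
        return urlsplit(v).scheme.lower() in ("", "http", "https")
    except ValueError:
        return False


class AllowlistSanitizer(HTMLParser):
    """Re-serializes the input, keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack of emitted non-void tags
        self.discard = 0      # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.discard += 1
            return
        if self.discard or tag not in ALLOWED_TAGS:
            return            # drop the tag itself; its text still flows through
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):                   # event handlers never survive
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src") and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.discard = max(0, self.discard - 1)
            return
        if self.discard or tag not in self.open_tags:
            return
        while self.open_tags:             # close back to the matching tag
            t = self.open_tags.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.discard:
            self.out.append(escape(data, quote=False))   # text is always re-escaped

    def close(self):
        super().close()
        while self.open_tags:             # balance anything left open
            self.out.append(f"</{self.open_tags.pop()}>")


def sanitize_html(raw):
    """Return the sanitized serialization of a raw HTML string."""
    p = AllowlistSanitizer()
    p.feed(raw)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    # The post's payload: the <image> tag and its onloadstart handler vanish.
    print(sanitize_html('<div><image src=validateNonExistantImage.png '
                        'onloadstart=alert(1337)> hey girl hey </div>'))
    print(sanitize_html('<a href="javascript:alert(1)">click</a>'))  # constructed
```

Run it on the comment body before it is written to storage; the client-side filtering stays as a usability aid but is no longer the only control. The payload from this post comes out as `<div> hey girl hey </div>`, the text preserved and the executable part gone.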

More discussion here, where I comment as "burninatorsec2":

https://github.com/quilljs/quill/issues/3364


6 comments:

  1. Hi, I'm not sure I understand. Surely it's up to the server not to send HTML that hasn't been sanitised, or am I misunderstanding how this exploit works?

    1. This comment has been removed by the author.

    2. Sorry about the late reply; I don't monitor this blog for comments. Please DM me on Twitter @burninatorsec. Yes, there should be sanitization on both the server and the client in order to mitigate this.

  2. This comment has been removed by the author.

  3. Over in the GitHub issue, we have been unable to reproduce this. Could you provide more details as to the exact code and/or environment that you're using?

    1. At the time, the client was using Quill 4.8.0. I should say I do not monitor this blog for communications; please DM me on Twitter @burninatorsec.
