Epic Games : Multiple File upload XSS in Website builder theme section on art station

-

Company Information : 


Epic Games, Inc. is an American video game and software developer and publisher based in Cary, North Carolina. The company was founded by Tim Sweeney as Potomac Computer Systems in 1991, originally located in his parents' house in Potomac, Maryland.



Bug Category : 

File Upload XSS : 

https://infosecwriteups.com/all-about-file-upload-xss-c72c797aaba3



Target  Information : 

https://www.artstation.com


Technical Details of the Bug : 

In the website builder you can customise theme for your website. all the Image upload options in theme edit sections are vulnerable to File Upload XSS attack. Below are the vulnerable injection points. 1.Design -- > Logo image(All themes) 2.Design -- > Homepage settings -- > add image(bombastic theme) 3.Design -- > Background Images(Electric )


Vulnerable HTTP Request :

1.Upload Logo :

PATCH /myartstation/theme_customizer/update_settings.json HTTP/1.1 2Host: www.artstation.com 3Cookie: cookies 4User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:94.0) Gecko/20100101 Firefox/94.0 5Accept: application/json, text/plain, */* 6Accept-Language: en-US,en;q=0.5 7Accept-Encoding: gzip, deflate 8X-Csrf-Token: 9Content-Type: application/json;charset=utf-8 10Public-Csrf-Token: 11Content-Length: 150105 12Origin: https://www.artstation.com 13Referer: https://www.artstation.com/myartstation/theme_customizer 14Sec-Fetch-Dest: empty 15Sec-Fetch-Mode: cors 16Sec-Fetch-Site: same-origin 17Te: trailers 18Connection: close 19 20{"settings":{"select.title_font":"Open Sans","select.body_font":"Open Sans","select.color_scheme":"dark","color.link-color":"#13aff0","color.border-color":"#383838","color.subtitle-color":"#f1f1f1","color.site-title-color":"#ffffff","color.page-title-color":"#ffffff","color.body-bg":"#171717","color.body-color":"#bbbbbb","color.header-bg":"#000000","color.footer-bg":"#222222","color.nav-album-bg":"#222222","color.footer-text-color":"#bbbbbb","select.home_page_elements_height":"270","number.custom_home_page_elements_height":270,"switch.show_albums":true,"select.project_view":"above","radio.album_grid":"square","text.legal":"© All rights reserved","switch.show_share_icons":true,"switch.footer_artstation":true,"switch.footer_facebook":true,"switch.footer_linkedin":true,"switch.footer_twitter":true,"switch.footer_instagram":true,"select.social_icons_style":"solid","select.social_icons_frame":"circle","select.social_icons_color":"colors","css.css":"';","css_style.site_title":{"size":42,"weight":"900","letter-spacing":1},"css_style.site_tagline":{"size":20,"weight":"400","letter-spacing":0},"css_style.body_text":{"size":16,"weight":"400","letter-spacing":0},"css_style.footer_text":{"size":14,"weight":"400","letter-spacing":0},"collection.entity.home_page_images.default":{"image":""},"collection.entity.home_page_images.1636200729181":{},"image.logo":{"base64":"data:image/jpeg;base64,image_data_in_base_64","filename":"exiftest2.jpg"}}}


2.Upload Homepage Image :

PATCH /myartstation/theme_customizer/update_settings.json HTTP/1.1 2Host: www.artstation.com 3Cookie: Cookies 4User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:94.0) Gecko/20100101 Firefox/94.0 5Accept: application/json, text/plain, */* 6Accept-Language: en-US,en;q=0.5 7Accept-Encoding: gzip, deflate 8X-Csrf-Token: 9Content-Type: application/json;charset=utf-8 10Public-Csrf-Token: 11Content-Length: 150110 12Origin: https://www.artstation.com 13Referer: https://www.artstation.com/myartstation/theme_customizer 14Sec-Fetch-Dest: empty 15Sec-Fetch-Mode: cors 16Sec-Fetch-Site: same-origin 17Te: trailers 18Connection: close 19 20{"settings":{"select.title_font":"Open Sans","select.body_font":"Open Sans","select.color_scheme":"dark","color.link-color":"#13aff0","color.border-color":"#383838","color.subtitle-color":"#f1f1f1","color.site-title-color":"#ffffff","color.page-title-color":"#ffffff","color.body-bg":"#171717","color.body-color":"#bbbbbb","color.header-bg":"#000000","color.footer-bg":"#222222","color.nav-album-bg":"#222222","color.footer-text-color":"#bbbbbb","select.home_page_elements_height":"270","number.custom_home_page_elements_height":270,"switch.show_albums":true,"select.project_view":"above","radio.album_grid":"square","text.legal":"© All rights reserved","switch.show_share_icons":true,"switch.footer_artstation":true,"switch.footer_facebook":true,"switch.footer_linkedin":true,"switch.footer_twitter":true,"switch.footer_instagram":true,"select.social_icons_style":"solid","select.social_icons_frame":"circle","select.social_icons_color":"colors","css.css":"","css_style.site_title":{"size":42,"weight":"900","letter-spacing":1},"css_style.site_tagline":{"size":20,"weight":"400","letter-spacing":0},"css_style.body_text":{"size":16,"weight":"400","letter-spacing":0},"css_style.footer_text":{"size":14,"weight":"400","letter-spacing":0},"collection.entity.home_page_images.default":{"image":null,"base64":"data:image/jpeg;base64,image_data_in_base_64","filename":"exiftest2.jpg"},"collection.entity.home_page_images.1636200729181":{},"image.logo":null}}


Vulnerable Parameter :

filename : Change the jpg extension to html extension and it will be saved as a HTML file.

Steps to reproduce :

1.Login from victim account and go to website builder -- > Edit theme. 2.Now go to design -- > Logo section.(This is one of the section. There are other more sections which are vulnerable ) 3.Now upload logo image with Exif Data as a XSS payload.(I am attaching a image file with Exif data containing javascript in the attachments) 4.Now intercept the request and it would look something like above mentioned request. 5.In the filename parameter Change the jpg extension to html extension and it will be saved as a HTML file. 6.Now in the response you can get the html uploaded file URL and run it on the other browser. 7.XSS will be triggered. 8.You can try other injection points with the same method.
Video POC :




Timeline : 



Nov 06th 2021: Report send to Epic Games Security Team through Hackerone.

Nov 09th 2021: Report Accepted and Triaged.

Dec 03th 2021: Complete issue was resolved and confirmed.

July 01th 2022: 1500$ Bounty Rewarded


Comments

Post a Comment

Popular posts from this blog

Account Takeover Apple App Store Connect Account of Any user and Steal Developer API/Subscription Keys of any user(CORS+XSS) worth 8500$

-
Image
Company Information :  Apple Inc. is an American multinational technology company headquartered in Cupertino, California. As of March 2023, Apple is the world's biggest company by market capitalization, and with US$394.3 billion the largest technology company by 2022 revenue. Bug Category :  Cross-origin resource sharing (CORS) : Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources on a web page to be accessed from another domain outside the domain from which the first resource was served. A web page may freely embed cross-origin images, stylesheets, scripts, iframes, and videos. Stored Cross-site-scripting (XSS) : Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it. Impact : 1.Stealing  App Store connect API key with Full Access , Subs...
Read more

Amazon Web Services : Takeover Workbook and delete the Owner on https://builder.honeycode.aws by collaborator user (IDOR) worth 7200$

-
Image
  Company Information :  Amazon Web Services, Inc. is a subsidiary of Amazon that provides on-demand cloud computing platforms and APIs to individuals, companies, and governments, on a metered, pay-as-you-go basis. Clients will often use this in combination with autoscaling. Bug Category :  Insecure direct object reference(IDOR ) :  Insecure direct object reference is a type of access control vulnerability in digital security. This can occur when a web application or application programming interface uses an identifier for direct access to an object in an internal database but does not check for access control or authentication. Target  Information :  https://builder.honeycode.aws/ Technical Details of the Bug :  On https://builder.honeycode.aws you can add workbook and add users as collaborator. collaborator have limited access to the functionalities and sharing part. But there is a way which can lead to collaborator to demote the owner , remove him ...
Read more

UnAuth Access to Twitter Private Tweets and messages Media Content Access(IDOR)

-
Image
Company Info : Twitter is an online news and social networking service where users post and interact with messages, "tweets", restricted to 140 characters. Registered users can post tweets, but those who are unregistered can only read them. Users access Twitter through its website interface, SMS or a mobile device app.Twitter Inc. is based in San Francisco, California, United States, and has more than 25 offices around the world. Bug category : Indirect Object Reference(IDOR) Link : https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References Technical Details of the Bug :  Applications frequently use the actual name or key of an object when generating web pages. Applications don’t always verify the user is authorized for the target object. This results in an insecure direct object reference flaw. Testers can easily manipulate parameter values to detect such flaws. Code analysis quickly shows whether authorization is properly verified. Bug Des...
Read more