Summary
A reflected Cross-Site Scripting (XSS) vulnerability in txtdot allows remote attackers to inject arbitrary web scripts via the /proxy route.
Details
DOMPurify is used for the /get route (txtdot/src/handlers/distributor.ts, lines 69 to 70 in a7fdaf8):

```ts
// /get: the fetched document is sanitized with DOMPurify before it is returned
const purify = DOMPurify(dom.window);
output.content = purify.sanitize(dom.document.toString());
```
But not for the /proxy route (txtdot/src/routes/browser/proxy.ts, lines 6 to 17 in a7fdaf8):

```ts
fastify.get<IProxySchema>(
  '/proxy',
  { schema: ProxySchema },
  async (request, reply) => {
    // The URL comes straight from the query string; the upstream body is
    // forwarded verbatim, with no DOMPurify pass as on the /get route.
    const response = await axios.get(request.query.url);

    const mime: string | undefined =
      response.headers['content-type']?.toString();
    const clen: string | undefined =
      response.headers['content-length']?.toString();

    // Upstream Content-Type (e.g. text/html) is echoed, so the browser renders
    // the fetched page as a document in txtdot's own origin.
    mime && reply.header('Content-Type', mime);
    clen && reply.header('Content-Length', Number(clen));

    return reply.send(response.data);
  },
);
```

Because the upstream body is returned unsanitized with its original Content-Type, an attacker-supplied URL whose response contains script is rendered and executed in txtdot's origin, so reflected XSS attacks are possible.
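As an added example (not txtdot's code), here is the response-shaping part of a hardened /proxy handler in TypeScript: bodies a browser would render as a document go through the same DOMPurify sanitize that /get already uses, other media types are passed through, the upstream Content-Length is never trusted, and a restrictive Content-Security-Policy is set as defence in depth. `UpstreamResponse`, `buildProxyReply`, `isActiveContent` and the header values are assumptions of this example; the fastify route and axios call stay as on the page, with the handler passing `purify.sanitize` as the `sanitize` argument and copying the returned headers and body onto `reply`.

```typescript
// Added example, not code from the txtdot project: response shaping for a
// hardened /proxy handler. Assumes string bodies and an axios-like response.

// The parts of an axios response the route actually uses (assumed shape).
export interface UpstreamResponse {
  headers: Record<string, string | undefined>;
  data: string;
}

export interface ProxyReply {
  headers: Record<string, string>;
  body: string;
}

// Media types a browser renders as a document, i.e. where inline script runs.
const ACTIVE_TYPES = ['text/html', 'application/xhtml+xml', 'image/svg+xml'];

// Extract the media type from a Content-Type value ("text/html; charset=utf-8").
export function mediaType(contentType: string | undefined): string | undefined {
  if (!contentType) return undefined;
  return contentType.split(';')[0].trim().toLowerCase();
}

// A missing Content-Type counts as active: browsers may sniff it as HTML.
export function isActiveContent(contentType: string | undefined): boolean {
  const mt = mediaType(contentType);
  return mt === undefined || ACTIVE_TYPES.includes(mt);
}

export function buildProxyReply(
  upstream: UpstreamResponse,
  sanitize: (html: string) => string, // DOMPurify's purify.sanitize in txtdot
): ProxyReply {
  const contentType = upstream.headers['content-type'];
  const headers: Record<string, string> = {
    // Keep the browser from re-interpreting the body as a scriptable type.
    'X-Content-Type-Options': 'nosniff',
    // Defence in depth: even if markup survives sanitizing, no script may run
    // in the proxy's origin, which is where txtdot's cookies live.
    'Content-Security-Policy':
      "default-src 'none'; img-src * data:; style-src * 'unsafe-inline'",
  };

  let body: string;
  if (isActiveContent(contentType)) {
    body = sanitize(upstream.data);
    headers['Content-Type'] = 'text/html; charset=utf-8';
  } else {
    body = upstream.data;
    headers['Content-Type'] = contentType as string;
  }

  // Never forward the upstream Content-Length: sanitizing changes the size,
  // and a wrong length truncates or stalls the response. Measure what is sent.
  headers['Content-Length'] = String(Buffer.byteLength(body, 'utf8'));
  return { headers, body };
}

// Stand-alone demo on a constructed upstream response. The tag-stripping
// regex only stands in for DOMPurify in this demo; it is not a sanitizer.
export function demo(): ProxyReply {
  const demoSanitize = (h: string) => h.replace(/<script[\s\S]*?<\/script>/gi, '');
  const constructedUpstream: UpstreamResponse = {
    headers: { 'content-type': 'text/html; charset=utf-8', 'content-length': '999' },
    data: '<h1>Title</h1><script>alert(1)</script>',
  };
  return buildProxyReply(constructedUpstream, demoSanitize);
}

console.log(JSON.stringify(demo(), null, 2));
```

DOMPurify needs a DOM to work in, so the handler would create one with jsdom exactly as the /get path already does before calling `purify.sanitize`. The media-type check deliberately treats a missing Content-Type as HTML: echoing an empty type, as the original code does, leaves the decision to browser sniffing.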
PoC
- Visit some other sites that use non-http-only cookies, e.g. https://txt.artegoser.ru/proxy?url=https://github.com.
- Visit the link provided by an attacker to see your cookie: https://txt.artegoser.ru/proxy?url=https://f7rl5sws.requestrepo.com
Impact
Attackers can inject arbitrary web scripts into the txtdot website by fooling a victim into visiting a malicious link.