Bug Bounty Stories #3: Docstring Injection to XSS

Let’s see how I found and exploited an interesting docstring injection issue! I will take you through all the pitfalls and adventures I had!

SecurityGOAT
4 min read · Aug 7, 2021

The Start

I was developing a production-grade API and was 16 weeks straight into it! It was quite tiring. Plus the frontend drama of updating my APIs due to changes in the designs and the views was quite a pain!

And as the work started to become a burden, I thought I would find something engaging to keep me motivated! Deep down, in my mind, I wanted to find some cool bug; I had been missing my pentesting days quite a lot. So I planned to invest my full weekend into pentesting!

As the weekend approached, I was getting quite excited. It was Friday evening and I was just wrapping up my API code when suddenly I noticed something weird… I saw my docstring comments getting interpreted as active content! I was able to load any HTML and CSS content specified in the comments. That seemed quite interesting, and the next step was obviously to see whether I could perform an XSS there. And on top of that, it was an Electron app!

When I hear Electron, I get excited, because Electron just means that my XSS could potentially turn into an RCE! And if just viewing a benign-looking comment can become an RCE, then that’s quite interesting, right ;)
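The root cause described above is a docstring being concatenated straight into the HTML that the editor renders for hovers. The snippet below is an added example (not code from the post or from the affected application) that reproduces that pattern next to the escaped rendering a defender would want, and a small check that tells the two outputs apart. The handler, its docstring and the `hover` wrapper are constructed for illustration.

```python
import html
import inspect
import re


def sample_api_handler():
    """Returns the user profile.

    <b>Note:</b> constructed docstring containing markup and a
    <script>console.log('ran')</script> tag, to show what happens
    when a docstring is rendered as HTML without escaping.
    """


def render_docstring_unsafe(obj) -> str:
    """Mirrors the flaw from the post: the docstring is dropped into
    the hover markup as-is, so any tag it contains becomes live HTML."""
    doc = inspect.getdoc(obj) or ""
    return f"<div class='hover'>{doc}</div>"


def render_docstring_safe(obj) -> str:
    """Fixed rendering: escape <, >, &, quotes so the docstring is shown
    as text. A strict CSP is defence in depth, not a replacement for this."""
    doc = inspect.getdoc(obj) or ""
    return "<div class='hover'><pre>" + html.escape(doc, quote=True) + "</pre></div>"


def contains_active_content(fragment: str) -> bool:
    """Coarse check used in tests/review: does the fragment still carry a raw
    <script tag or an inline on*= event handler attribute?"""
    lowered = fragment.lower()
    return "<script" in lowered or re.search(r"\son\w+\s*=", lowered) is not None


if __name__ == "__main__":
    print(render_docstring_unsafe(sample_api_handler))
    print(render_docstring_safe(sample_api_handler))
```

Running the block prints the two renderings side by side; the unsafe one contains a live `<script>` element, the safe one shows `&lt;script&gt;` as literal text inside the `<pre>`.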

So I knew what I had to do on the weekend!

Me, Weekend and Docstring Injection

Image Credits: SecurityGOAT (That’s me ;)

So the weekend came and I was pretty excited to drive this issue forward to a potential XSS so I can in turn convert this to RCE if possible!

And hastily I crafted a simple looking XSS payload and put it in the docstring and bam… nothing happened :/

And since it was not the browser, I couldn’t even see the console logs :(

Now? Code dive? No that’s too tedious. Then?

I turned to my friend — Google — and looked up how I could see the console messages, and indeed I found the answers I was looking for!

So now I had the ability to view console log messages. I tried my XSS payload again and found that it was being blocked due to a CSP (Content Security Policy)!!!

That was quite reassuring though. At least I was one step ahead and had managed to confirm that XSS can happen (if I bypass the CSP, of course!)

So now my goal was to bypass the CSP policy, and then I would have XSS on the code editor! I looked at the CSP carefully and, having a lot of experience in breaking CSP policies, I was sure I could definitely find a way to break this one too…

I looked and looked and looked but found nothing sadly…

The CSP looked pretty secure — no 'unsafe-inline', and it used nonces that rotated and looked pretty random, quite long and seemingly non-bruteforceable!

Now I felt like I could only do HTML/CSS injection but nothing else, no JS, no FUN :(

But then suddenly I found a way to bypass that CSP policy!

How? You can read more on that part here:

Of course, that counts as the first issue — the CSP bypass.

Next one is the Content Injection, which this post addresses ;)

So once the CSP was bypassed — the nonces used the current timestamp as a prefix, which made them bruteforceable — the road to XSS was straightforward! And now I had full content injection — HTML, CSS and JS injection!

The application was quite well protected in terms of restricting access to the Node.js integration, and thus RCE was not possible. Sad, but what can I do, haha…

Closing Thoughts

Just want to say that I was quite shy to try pentesting that application due to its huge codebase, and I didn’t have any knowledge of the application’s inner workings. Plus it was an Electron app, and I didn’t have much prior experience then in debugging an Electron app. But the experience came once I set out to pentest it :)

So my advice would be to not get overwhelmed by the target and just go for it — even if you end up finding nothing, you gained some knowledge of the application’s workings and there was nothing to lose!

So with that, I would close this post. I hope this post was informational and fun to read. In case you enjoyed it, please share it among your friends in the infosec community :)

Let me know your feedback in the comments below and feel free to connect on twitter: @_SecurityGOAT

Lastly, if you have been enjoying my work and would love to support me, consider checking my Patreon page or you can even Buy Me a Coffee :)

See ya!
Until next time my friend, keep learning and happy hacking.

Written by SecurityGOAT

Wannabe Hacker! Teaching Infosec in my own insightful ways :) Twitter: twitter.com/_SecurityGOAT | Support: buymeacoffee.com/SecurityGOAT