Text Injection (payload taken from URL) could lead to phishing on Beta Site

Issue Description

Text from the URL bar is reflected back into the page as text. This content can then be used to perform phishing attacks which extract a user’s credentials.

Here is a proof of concept.

https://beta.freecodecamp.org/en/guest". It looks like you’re still using our old version of the site, and that’s the reason why the user wasn’t found! Please, instead, visit "freecodecamp.evil.co.uk

Please note that the URL can be padded with percent-encoded zero-width unicode characters to mask the words in the URL.

This works because the page spits back

We could not find a user by the name of "{{injected text}}"

Setting the payload to

guest". It looks like you're still using our old version of the site, and that's the reason why the user wasn't found! Please, instead, visit "freecodecamp.evil.co.uk

Leads to the following

We could not find a user by the name of "guest". It looks like you're still using our old version of the site, and that's the reason why the user wasn't found! Please, instead, visit "freecodecamp.evil.co.uk"

This is a potential security issue with a potentially high impact. I’ve decided to report this here because the likelihood of a successful attack is low; and it’s still on beta.

Rendered content as image


Transcript

Within a blue rounded box, dark-blue text is enclosed which reads

We could not find a user by the name of “guest”. It looks like you’re still using our old version of the site, and that’s the reason why the user wasn’t found! Please, instead, visit “freecodecamp.evil.co.uk”

Below this is a green button which reads

Take me to the Challenges

Browser Information

  • Browser Name, Version: Version 64.0.3282.167 (Official Build) (64-bit)
  • Operating System: Windows 10 Home (64-bit)
  • Mobile, Desktop, or Tablet: HP Laptop

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 7 (7 by maintainers)

Top GitHub Comments

1 reaction
raisedadead commented, May 11, 2018

Hi @joker314 you can add team+security@freecodecamp.org to it.

1 reaction
raisedadead commented, Mar 19, 2018

Hi @joker314, thanks a lot for reporting this. I agree with the idea of having a policy around this. Traditionally we have done so by asking to be notified (the core team) via an email.

But you are correct and it makes sense to make this more clear.

That said, we are working on possible solutions for this.

Just to let you know, here is what we have discussed so far regarding this use case:

This is because the React view for the user-not-found component does not have sanitisers before generating the view. It would not be reliable to do so client side either.

I think we should just do this, with a server rendered view like this:

https://beta.freecodecamp.org/en/challenges/some random text

And even further tighten it with sanitizers if needed.

Personally, I would avoid any rendering of user provided string.

I think it would be much more straightforward to just show an error like:

“We could not find what you were looking for. You should try the search box, on this page, or head back to challenges.”

That’s it.

And this should be consistent for anything that's not found (user, challenges, etc.); currently we have at least three such error pages.
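As an added example, not code from the issue or from freeCodeCamp, the snippet below puts the reflected "user not found" message the report describes next to the fixed generic message proposed in the maintainer's comment, together with a strict username allowlist and a check for the zero-width characters the report mentions. The function names, the username policy and the sample user set are assumptions made for illustration.

```javascript
// Added example, not freeCodeCamp's code. Demonstrates the reflected
// "user not found" message from the report beside a hardened lookup that
// never renders the URL segment. Function names, the username policy and
// the sample user set are assumptions.

// Payload quoted in the report, as typed into the path segment.
const REPORTED_PAYLOAD =
  'guest". It looks like you\'re still using our old version of the site, ' +
  "and that's the reason why the user wasn't found! Please, instead, visit " +
  '"freecodecamp.evil.co.uk';

// Constructed variant: the same payload with a zero-width space (U+200B)
// inside "guest", which the report notes can be percent-encoded to mask
// the words in the URL bar.
const PADDED_PAYLOAD = "gu\u200Best" + REPORTED_PAYLOAD.slice(5);

// Vulnerable pattern: the decoded path segment is echoed into the message,
// so the attacker's text becomes part of the page's own wording.
function vulnerableNotFound(pathSegment) {
  const name = decodeURIComponent(pathSegment);
  return `We could not find a user by the name of "${name}"`;
}

// Hardened message: fixed text with no user-controlled content at all
// (the generic wording proposed in the maintainer's comment).
function hardenedNotFound() {
  return (
    "We could not find what you were looking for. You should try the " +
    "search box, on this page, or head back to challenges."
  );
}

// Hypothetical allowlist for usernames: ASCII letters, digits and hyphens,
// 1-30 characters. Quotes, spaces and any non-ASCII (including zero-width)
// characters are rejected before the value reaches a template or a log.
const USERNAME_RE = /^[A-Za-z0-9-]{1,30}$/;

function isValidUsername(name) {
  return typeof name === "string" && USERNAME_RE.test(name);
}

// Zero-width and other invisible code points that can hide a spoofed URL.
// Useful as a detection signal for logging and alerting on odd lookups.
const INVISIBLE_RE = /[\u200B-\u200D\u2060\uFEFF]/;

function hasInvisibleChars(name) {
  return INVISIBLE_RE.test(name);
}

// Hardened lookup: decode defensively, validate, then look up. Every
// failure path returns the same fixed message, so nothing from the URL
// is rendered; `flagged` marks requests worth a closer look server side.
function lookupProfile(pathSegment, knownUsers) {
  let name;
  try {
    name = decodeURIComponent(pathSegment);
  } catch (e) {
    // Malformed percent-encoding: treat as not found, nothing to flag.
    return { status: 404, body: hardenedNotFound(), flagged: false };
  }
  const flagged = hasInvisibleChars(name);
  if (!isValidUsername(name) || !knownUsers.has(name)) {
    return { status: 404, body: hardenedNotFound(), flagged };
  }
  return { status: 200, body: `Profile page for ${name}`, flagged };
}

// Constructed sample of registered users.
const SAMPLE_USERS = new Set(["quincy", "guest-1"]);

// Side-by-side run: the first line reproduces the spoofed message from
// the report, the second shows the hardened handler's fixed response.
console.log(vulnerableNotFound(encodeURIComponent(REPORTED_PAYLOAD)));
console.log(lookupProfile(encodeURIComponent(PADDED_PAYLOAD), SAMPLE_USERS));
```

The allowlist does the real work here: once the username can only contain letters, digits and hyphens, the quote that closes the sentence and the lookalike domain cannot be expressed at all, and the generic message means a failed lookup reveals nothing about the input either way.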
