Describe the bug
The MonkeyType Tribe chat at https://dev.monkeytype.com/tribe is vulnerable to stored cross-site scripting (XSS) through user comments and user names. To inject XSS payloads, malicious users can enter a non-XSS string in the chat field and send it to the web server, then capture the web socket traffic and modify the input to an XSS payload. The same method can be used to inject XSS through the username field.
Did it happen in incognito mode? No 😉
To Reproduce
I used an onclick event payload to demonstrate capabilities, but of course other payloads can be used.
Intercept the web socket traffic and change the chat string to an XSS payload (example below).
Stop intercepting traffic and browse the chat room. The payload will execute; in this example, the payload executes on click.
Expected behavior
Tribe chat should implement output encoding to ensure that payloads injected through raw socket intercepts are not interpreted by client browsers.
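As an added illustration of the expected behavior (this is example code written for this report, not MonkeyType's own code), the snippet below shows the two halves of the fix: the server validates what arrives on the socket (since the intercept-and-modify step bypasses anything the client checks), and the client renders names and message text by encoding them or by using `textContent` instead of `innerHTML`. The message shape `{ name, text }`, the length limits, and the function names are assumptions for the example.

```javascript
// Added example, not MonkeyType code. Assumes chat messages arrive over the
// socket as { name, text }; that shape and the limits below are assumptions.

// Encode the characters that matter in HTML text and attribute contexts.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Server side: validate the socket frame before storing or broadcasting it.
// The browser is untrusted, so this check must not live only in the client.
const MAX_NAME = 32;
const MAX_TEXT = 500;
function validateIncoming(msg) {
  if (typeof msg !== "object" || msg === null) return null;
  const { name, text } = msg;
  if (typeof name !== "string" || typeof text !== "string") return null;
  if (name.length === 0 || name.length > MAX_NAME) return null;
  if (text.length === 0 || text.length > MAX_TEXT) return null;
  // Reject control characters; markup is left alone here and neutralised at render time.
  if (/[\u0000-\u0008\u000B\u000C\u000E-\u001F]/.test(name + text)) return null;
  return { name, text };
}

// Client side, string variant: build HTML only from encoded values.
function renderMessageHtml(msg) {
  return (
    '<li class="chat-msg">' +
    '<span class="name">' + escapeHtml(msg.name) + "</span>: " +
    '<span class="text">' + escapeHtml(msg.text) + "</span>" +
    "</li>"
  );
}

// Client side, DOM variant: textContent never parses markup, so no encoding step
// is needed and innerHTML is never touched with untrusted data.
function appendMessage(listEl, msg, doc) {
  const li = doc.createElement("li");
  const nameEl = doc.createElement("span");
  nameEl.textContent = msg.name;
  const textEl = doc.createElement("span");
  textEl.textContent = msg.text;
  li.appendChild(nameEl);
  li.appendChild(doc.createTextNode(": "));
  li.appendChild(textEl);
  listEl.appendChild(li);
  return li;
}

// Constructed sample: a frame whose name and text contain markup, as a modified
// socket message might. It is stored verbatim and rendered inert.
const sample = { name: "alice<b>", text: '<i title="x">hello</i> & "bye"' };
const accepted = validateIncoming(sample);
if (accepted) console.log(renderMessageHtml(accepted));
```

The encoding happens at the output boundary rather than on the way in, so a name like `alice<b>` is stored exactly as typed and still displays as literal text wherever it is rendered.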
Screenshots