This repository has been archived by the owner on Oct 21, 2022. It is now read-only.

The "name" parameter of the award a badge functionality lacks any input validation #5

Open
sveeke opened this issue Jun 18, 2018 · 3 comments
Labels
bug-security risk-low Security issues with a low impact
Milestone

Comments

@sveeke
Contributor

sveeke commented Jun 18, 2018

threatLevel="Low" type="User input validation"

The "name" parameter of the award a badge functionality lacks any input validation:


Example request:

POST /v1/issuer/issuers/rwygWIDnR1uBB_i1MPwu_g/badges/XjAr-XCzRDyL7PxOJZSZqA/assertions HTTP/1.1
Host: badgr-dev2.edubadges.nl
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Token 5a29a471f3b21be11928361f5c42aeabf0c5cd8f
Content-Type: application/json
Referer: https://surf-dev2.edubadges.nl/issuer/issuers/rwygWIDnR1uBB_i1MPwu_g/badges/XjAr-XCzRDyL7PxOJZSZqA/issue
Content-Length: 442
Origin: https://surf-dev2.edubadges.nl
Connection: close

{"issuer":"rwygWIDnR1uBB_i1MPwu_g","badge_class":"XjAr-XCzRDyL7PxOJZSZqA","recipient_type":"email","recipient_identifier":"[email protected]","narrative":"","create_notification":true,"evidence_items":[],"extensions":{"extensions:recipientProfile":{"@context":"https://openbadgespec.org/extensions/recipientProfile/context.json","type":["Extension","extensions:RecipientProfile"],"name":"<script>alert('blaat');</script>Stefan"}}}

Response:

{
<KNIP>
  "extensions": {
    "extensions:recipientProfile": {
      "@context": "https://openbadgespec.org/extensions/recipientProfile/context.json",
      "type": [
        "Extension",
        "extensions:RecipientProfile"
      ],
      "name": "<script>alert('blaat');</script>Stefan"
    }
  },
<KNIP>

It did not result in a successful XSS as the content-type is application/json and not text/html. The contents of the name field seemed not to be requested at other places on the website that use text/html as the content-type and are also not sent to the user in the confirmation e-mail.

Impact:
Not validating the user input could result in issues such as XSS.

Recommendation:
Filter all client-provided input parameters, and escape all output.
Make use of a whitelist, and prevent certain characters from being inserted if it's not necessary for the working of the application.

@sveeke sveeke added the risk-low Security issues with a low impact label Jun 18, 2018
@sveeke sveeke added this to the Pilot 2018 milestone Jun 18, 2018
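As an added illustration of the whitelist validation and output escaping recommended in the report above (example code written for this page, not code from the badgr or edubadges projects), the following Python validates the extensions:recipientProfile object from the example request. It assumes the name field holds a person's name; the @context and type values are taken from the request, everything else is constructed.

```python
import html
import unicodedata

# The @context and type values are those from the issue's example request; the rest is constructed.
RECIPIENT_PROFILE_CONTEXT = "https://openbadgespec.org/extensions/recipientProfile/context.json"
RECIPIENT_PROFILE_TYPE = ["Extension", "extensions:RecipientProfile"]
MAX_NAME_LEN = 254
NAME_PUNCTUATION = set(" '.-")  # allowed besides letters (L*) and combining marks (M*)

class ValidationError(ValueError):
    """Raised when client-supplied input is rejected."""

def validate_recipient_name(name):
    """Whitelist-validate a recipient name; return the normalised name or raise."""
    if not isinstance(name, str):
        raise ValidationError("name must be a string")
    name = unicodedata.normalize("NFC", name).strip()
    if not name or len(name) > MAX_NAME_LEN:
        raise ValidationError("name is empty or too long")
    for ch in name:
        # First letter of the Unicode general category: L(etter), M(ark), N(umber), P, S, Z, C(ontrol)
        if unicodedata.category(ch)[0] not in ("L", "M") and ch not in NAME_PUNCTUATION:
            raise ValidationError("name contains a disallowed character: %r" % ch)
    return name

def is_valid_recipient_name(name):
    try:
        validate_recipient_name(name)
        return True
    except ValidationError:
        return False

def validate_recipient_profile(extension):
    """Validate the whole extensions:recipientProfile object; return a clean copy."""
    if not isinstance(extension, dict) or extension.get("@context") != RECIPIENT_PROFILE_CONTEXT:
        raise ValidationError("unexpected or missing @context")
    if extension.get("type") != RECIPIENT_PROFILE_TYPE:
        raise ValidationError("unexpected type")
    return {
        "@context": RECIPIENT_PROFILE_CONTEXT,
        "type": list(RECIPIENT_PROFILE_TYPE),
        "name": validate_recipient_name(extension.get("name")),
    }

def render_name_for_html(name):
    """Escape a stored name before embedding it in HTML, regardless of input validation."""
    return html.escape(name, quote=True)
```

Output escaping stays in place even with the whitelist, so a value that reached the database before the check existed is still rendered safely.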
@ottonomy

👍 will fix.

@sveeke
Contributor Author

sveeke commented Jan 17, 2019

Just checking: has this been fixed @ottonomy ? :)

@ottonomy

ottonomy commented Jan 24, 2019

@sveeke Yes, a fix has been implemented.
