Mocking the mockups — InVision XSS

by Dheeraj Joshi, December 3rd, 2016

Too Long; Didn't Read

Write-up on a Stored Cross-Site Scripting vulnerability in the popular InVision app (http://invisionapp.com/).

I’m a big fan of the InVision App because of its amazing UX and prototyping tools. For those who are not aware, invisionapp.com helps transform high-fidelity designs into clickable, interactive prototypes and mockups.


One fine day, I started playing around with it to find some interesting vulnerability. Information gathering is the first thing I do when pen-testing any application. It was easy to figure out that the application is built on the AngularJS framework, version 1.2.x.

In AngularJS, there is a service **$sce** that provides Strict Contextual Escaping. As of version 1.2, Angular ships with SCE enabled by default, so a template cannot bind an untrusted string as HTML (for example via ng-bind-html) unless the application explicitly marks it as trusted.

Houston, we have a problem.

Now I either have to look for a known sandbox bypass for that Angular version or keep looking for some bad implementation elsewhere. Huh. I need a coffee now.

After trying out different things, I stumbled upon the page source of a shared board, which embeds user inputs such as the board name and user comments directly in the HTML. Data that the server writes into the page like this never passes through Angular's bindings, so SCE offers it no protection at all.

Ah! Time to modify the attack vector. Let’s try commenting on one of the uploaded mockups with the following vector:

</script><script>alert(document.domain)</script>

Attack Vector on Board Image

And Voila! It worked!

Payload
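The break-out above works because of how the HTML tokenizer, not the JavaScript engine, treats `</script>`: a script element ends at the first `</script` the tokenizer sees, no matter what JavaScript string the characters happen to sit inside. The following is an added example (not code from InVision or from this write-up) that reproduces the vulnerable embedding pattern beside a hardened one and checks both the way a browser would; the page skeleton, the `window.__BOARD__` global and all function names are assumptions made for illustration.

```javascript
// Added example, not InVision's code. Everything below (page layout, the
// window.__BOARD__ global, function names) is an assumption for illustration.

// Constructed input: the exact comment payload used in the write-up.
const PAYLOAD = '</script><script>alert(document.domain)</script>';

// Minimal server-rendered page that bootstraps a single-page app by dropping
// JSON into an inline script. Only the embedding matters for this example.
function pageSkeleton(jsonBlob) {
  return [
    '<!doctype html><html><body>',
    '<div id="app"></div>',
    `<script>window.__BOARD__ = ${jsonBlob};</script>`,
    '<script src="/app.js"></script>',
    '</body></html>',
  ].join('\n');
}

// Vulnerable pattern: JSON.stringify leaves '<', '>' and '&' untouched, so a
// comment containing "</script>" reaches the HTML parser verbatim.
function renderBoardVulnerable(boardName, comments) {
  return pageSkeleton(JSON.stringify({ boardName, comments }));
}

// Hardened pattern: characters the HTML tokenizer cares about are replaced by
// \u escapes, which are valid in both JSON and JavaScript string literals and
// decode back to the original characters inside the script. U+2028/U+2029 are
// line terminators in (older) JavaScript but not in JSON, so they go too.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderBoardSafe(boardName, comments) {
  return pageSkeleton(jsonForScript({ boardName, comments }));
}

// Mimics the tokenizer rule: every <script ...> starts an element and the
// first "</script" ends it. Returns the body of each script element a browser
// would create from this markup.
function scriptBodies(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  const bodies = [];
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// True if some script element consists solely of attacker-supplied text,
// i.e. the comment broke out of the JSON string and became its own script.
function hasInjectedScript(html, injectedScript) {
  return scriptBodies(html).some((body) => body.trim() === injectedScript);
}

// Evaluates the embedded blob the way the browser's JS engine would, to show
// that the escaped form still yields the original comment text.
function decodeEmbedded(jsonBlob) {
  return new Function(`return ${jsonBlob};`)();
}

const vulnerable = renderBoardVulnerable('Homepage', [PAYLOAD]);
const safe = renderBoardSafe('Homepage', [PAYLOAD]);
console.log('script elements (vulnerable):', scriptBodies(vulnerable).length);
console.log('injected script present (vulnerable):', hasInjectedScript(vulnerable, 'alert(document.domain)'));
console.log('script elements (safe):', scriptBodies(safe).length);
console.log('injected script present (safe):', hasInjectedScript(safe, 'alert(document.domain)'));
console.log('safe blob decodes to original comment:', decodeEmbedded(jsonForScript({ c: PAYLOAD })).c === PAYLOAD);
```

Note that the JavaScript engine is happy with both blobs: `</script>` inside a JS string literal is perfectly legal JavaScript. Only the HTML parser, which runs first and knows nothing about string literals, splits the element. That is why the fix has to happen at the HTML/script boundary (escaping `<`, or equivalently `\/` for the slash) rather than relying on JSON encoding or on Angular's SCE, which only governs Angular bindings.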

What could go wrong?

Stored XSS — The payload is persisted in the comment and executes in the invisionapp.com origin for every user who views the board. From there an attacker can steal session cookies (if they are not flagged HttpOnly) or simply issue requests as the victim, and so may compromise the user's account.

POC

POC Video — Invision Stored XSS

Timeline:
Bug Reported — Apr 2nd, 2016
Acknowledged — April 7th, 2016
Fixed

I reported this issue to the InVision team through their bug bounty program on HackerOne (H1) and have requested public disclosure of my report.

Since I was not the first person to report this vulnerability, I did not qualify for the bug bounty. But that “little popup” thing made my day :)

I have also demonstrated this vulnerability during my talk at SeleniumConf UK 2016. In my demonstration, I showed how an attacker can modify the designs using nothing more than a malicious comment, crafted with the help of an intercepting proxy (Burp Suite), and how to take control of the victim's browser using BeEF.

Video from my talk at SeleniumConf London

Thanks for reading. Let me know if you have any questions or feedback.