Write-up on Stored Cross-Site Scripting Vulnerability in the popular App InVision

I'm a big fan of the InVision App because of its amazing UX and its prototyping tools. For those who are not aware, invisionapp.com helps transform high-fidelity designs into clickable, interactive prototypes and mockups.

[Image: I love Garfield]

One fine day, I started playing around with it to find some interesting vulnerability. Information gathering is the first thing I do when pen-testing any application. It was easy to figure out that the application is built on the AngularJS framework, version 1.2.x.

In AngularJS there is a service, $sce, that provides Strict Contextual Escaping. As of version 1.2, Angular ships with SCE enabled by default, so user input rendered through Angular bindings is escaped for the context it lands in.

Houston, we have a problem. Now either I have to look for an available sandbox bypass or keep looking for some bad implementation. Huh. I need a coffee now.

After trying out different things, I stumbled upon the source code of a shared board page, which carries the board data, including user inputs like the board name and user comments, inside an inline script block. Data placed there never passes through Angular's escaping: the HTML parser decides where a <script> element ends before any JavaScript runs, and it does not care about JavaScript string quoting. Ah! Time to modify the attack vector.

Now let's try to comment on one of the uploaded mockups with the following vector:

</script><script>alert(document.domain)</script>

The leading </script> terminates the page's script block wherever the comment was embedded, and the rest of the comment is parsed as a brand-new script element under the attacker's control.

[Image: Attack vector on board image]

And voilà! It worked!

[Image: Payload]

What could go wrong?

Stored XSS: using this vulnerability an attacker can steal cookies and authenticate as the victim, and may compromise the user account. Because the payload is stored with the board, it fires for every user who views the shared board, not just the attacker. (Reading the cookie from script requires that the session cookie not be HttpOnly; even when it is, the injected script still runs with the victim's session and can act on their behalf inside the app.)

POC

[Video: POC Video - Invision Stored XSS]

Timeline

> Bug Reported - Apr 2nd, 2016
> Acknowledged - April 7th, 2016
> Fixed

I reported this issue to the InVision team through their bug bounty program on HackerOne and requested public disclosure of my report.

Since I was not the first person to report this vulnerability, I did not qualify for the bug bounty. But that "little popup" thing made my day :)

I have also demonstrated this vulnerability during my talk at SeleniumConf UK 2016. In my demonstration, I showed how an attacker can modify the designs using nothing but a malicious comment, with the help of the Burp Suite intercepting proxy, and also how to control the victim's browser using BeEF.

[Video: Video from my talk at SeleniumConf London]

Thanks for reading. Let me know if you have any questions or feedback.
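Postscript, as an added example that is not part of the original write-up and not InVision's code: the Node.js snippet below reconstructs the script-context breakout behind the comment payload and shows the serialisation fix. The board object, the two renderers (renderBoardUnsafe, renderBoardSafe), the jsonForScript helper and the tokenizer model (firstScriptBody, scriptTagCount, runFirstScript) are all hypothetical; the only thing taken from the post is the payload string.

```javascript
// Added example, not InVision's code: how a comment embedded in an inline
// <script> data block breaks out of it, and how to serialise it safely.

// Constructed sample: the payload from the write-up stored as a board comment.
const PAYLOAD = '</script><script>alert(document.domain)</script>';
const BOARD = { name: 'Garfield mockup', comments: [PAYLOAD] };

// Hypothetical vulnerable renderer: dumps board data into an inline script.
// JSON.stringify escapes quotes and backslashes but leaves "</" alone, so the
// HTML tokenizer, which knows nothing about JS string literals, ends the
// <script> element at the first "</script" it sees.
function renderBoardUnsafe(board) {
  return `<script>window.__BOARD__ = ${JSON.stringify(board)};</script>`;
}

// Hardened renderer: escape the characters that matter to the HTML parser
// inside script data as JSON \uXXXX escapes. The result is still valid JSON
// and a valid JS expression, so JSON.parse / the browser decode it unchanged.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')   // line terminators that pre-ES2019 engines
    .replace(/\u2029/g, '\\u2029');  // reject inside string literals
}
function renderBoardSafe(board) {
  return `<script>window.__BOARD__ = ${jsonForScript(board)};</script>`;
}

// Crude model of the HTML tokenizer's script-data state: the element body runs
// from the first "<script>" to the first "</script" followed by ">", "/" or
// whitespace, regardless of any JS quoting in between.
function firstScriptBody(html) {
  const start = html.indexOf('<script>') + '<script>'.length;
  const m = /<\/script[\s/>]/i.exec(html.slice(start));
  return m ? html.slice(start, start + m.index) : html.slice(start);
}

// Number of <script start tags the tokenizer would see: 1 means the data stayed
// inside its element, 2 means the payload opened a second, attacker-controlled one.
function scriptTagCount(html) {
  return (html.match(/<script[\s>]/gi) || []).length;
}

// Execute the first script body the way a browser would, against a fake window.
// Returns the decoded board on success, or the SyntaxError if the body was cut short.
function runFirstScript(html) {
  const win = {};
  try {
    new Function('window', firstScriptBody(html))(win);
    return win.__BOARD__;
  } catch (e) {
    return e;
  }
}

const unsafeHtml = renderBoardUnsafe(BOARD);
const safeHtml = renderBoardSafe(BOARD);
console.log(scriptTagCount(unsafeHtml), scriptTagCount(safeHtml));  // 2 1
console.log(runFirstScript(unsafeHtml) instanceof SyntaxError);      // true
console.log(runFirstScript(safeHtml).comments[0] === PAYLOAD);       // true
```

Run it with node. The unsafe page yields two script elements: the first is cut off mid-string (a SyntaxError the browser would log and ignore) and the second is the attacker's alert. The safe page yields one element whose body round-trips the comment intact, which is why escaping for the script context at the point of embedding, rather than relying on Angular's $sce further down the line, is the fix.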