Stored XSS In Red Hat® Subdomain

So one fine day, I came across a Facebook post of a fellow hacker who got placed in the Red Hat Hall of Fame for finding a security bug. And as Red Hat being one of my dream companies, I too decided to jump onto the wagon. And this story talks about how I found a Tricky Stored XSS in one of the Red Hat subdomain.

What is Stored XSS?

So let’s first start with “What is Stored XSS?” and more importantly “What is XSS?”
XSS stands for Cross(X) Site Scripting. In simple words, it allows attackers to execute arbitrary code (more specifically arbitrary JavaScript) because of unsanitized inputs. In more simpler words, in a search bar of a website, if I search for a code rather than a string, it will execute that code.
Stored XSS is when the code injected in input fields is getting stored. So whenever the particular page will be loaded, the code will get executed. Stored XSS is very dangerous of all and can be brutal if spread site-wide.
[ — — — — — — — — — — “Samy is my hero” — — — — — — — — — — — ]

The Subdomain:

So after a bit of recon, I came across a subdomain developers.redhat.com! A portal for cloud training for developers and developer tools.

As the first instinct of any researcher, I got my eyes on the search bar. The search was for finding various topics and questions. It would fetch the results of blog posts/forum posts, talking about whatever you’d searched from various sites. I injected few classic XSS codes there in the search bar. One of them was:

<img src=xyz

So according to this, if there exists any XSS vulnerability, I should get an broken image icon in the search results. But instead I got an pop-up like this:

“Well, I DID NOT DO THAT!!!”

I was shocked seeing the pop-up. I thought somebody already found the issue and I faced the bad fortune for being a bit late! But I wanted to give it a shot.

I started investigating the reason behind the pop up. And I got to know that the script was executed from one of the search results. The post led me to the JBoss® forum.

Someone asked a question on the forum about XSS and the post content was having the script which was getting executed. Something like:

<img src=x onerror=alert(‘TEST’)>

I tried creating a forum post with my own code. I just copied the whole question (as the question needs to be valid and good to get approved) and replaced the particular script with keywords so that I can search it later for PoC.

So I knew that it takes few hours to a day to get the post approved. So I wanted to try same with the Stack Overflow post. NOT A GOOD IDEA!

After posting gibberish on the SO, I got this mail:

So I had to delete it, but it gave me the “Peer Pressure” badge XD

Anyways, I went to sleep hoping to get the post approved by morning. And it did.

The Sweet XSS:

Now I was just a search away from finalizing the PoC and report. I did the search with the keyword and got the pop-up.

Here, it’s more important to know how the whole XSS was carried out. And in order to understand that, I have created the following diagram.

So here is what would happen in the example above:

1. I searched for the question “How to use <script>”
2. The results will fetch all the blog posts from various sites having that query.
3. As the contents being shown in the results are not filtered, the script in the content of the blog will get executed.

(sorry for the poor diagram though! XD )

Mitigation:

Filtering the textual data in your web page is really important. In this case everything was getting filtered. They had filtered out search queries and even the titles of the blog post. But the content, specifically from JBoss Forums, was not being filtered out, which led to the script getting stored in the particular page.