Universe.com Stored XSS Vulnerability


The event software used by GitHub for Git Merge on the 2nd and 3rd of February 2016 is Universe.com.

After registering for the purchase of two tickets, I was redirected to my online Universe.com profile. I thought, heck, why not. Let’s add a bit more info to that empty profile.

The developer (and perhaps pentester) inside of me got triggered for some reason, wondering whether the contents of my description field would be correctly stripped of HTML tags by the server and client before being stored and publicly shown on my profile.

The XSS payload inside the description field.

And to my surprise, after sending the description to the server by pressing the Update Profile button, I was greeted by not just any alert message. Apparently the XSS injection also broke the front-end client.

Screenshots: “Oops” and “Oops (2)”.

I immediately sent an email to the Technical Support of Universe.com, minutes after my discovery.

So I started to evaluate (pun intended) the situation while waiting for a response.

One might say, sure okay, this is bad. So far only visitors looking at my profile page are affected. But it’s not that bad, right? Well, think again. A developer with malicious intentions could inject his or her own script. For example, he or she could start stealing visitors’ session cookies, or redirect them to a phishing site. Remember, the attacker has full access to the client, and can act as the client on this page.

Now of course, anyone who has basic JavaScript knowledge could have stumbled upon this. After discovering this XSS vulnerability, he or she could have started pentesting the other web forms available to the end user. Who knows what other security flaws are waiting to be exploited, if even a small description field is not sanitized?

I can’t imagine what the consequences would have been if an attacker had found an XSS vulnerability in, say, the billing area of Universe.com (we are, after all, dealing with a platform focused on money and credit cards).

After one month, without having received a single response from Universe.com, the issue seemingly got fixed. HTML tags are now properly removed from descriptions sent to the server, although a response would have been nice.
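To make the failure and the fix concrete, here is an added example (not Universe.com’s code, which I never saw) of a profile “description” being rendered three ways: concatenated raw into the page as it evidently was, with tags stripped before storage as the page reports the fix to be, and with output encoding, which is the stronger option. The sample description, the `renderProfile*` functions and the `looksLikeMarkup` check are all constructed for this illustration.

```javascript
// Added example, not Universe.com's code. Demonstrates why a stored
// description field becomes stored XSS and two ways to neutralise it.

// Constructed sample input, standing in for a hostile profile description.
const SAMPLE_DESCRIPTION = "Hi! <script>alert('xss')</script> <b>bold</b>";

// Encode the five characters that let text break out of an HTML text node or
// attribute value. Preferred fix: the user's text survives unchanged, but the
// browser can never parse it as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// What the post reports as the eventual fix: tags are removed before storage.
// Stripping is weaker than encoding (it discards user text, and a regex
// stripper can miss malformed markup), so encode on output as well.
function stripTags(text) {
  return String(text).replace(/<[^>]*>/g, "");
}

// The "before" state: user input is concatenated into the page as-is, so any
// markup in the description runs in every visitor's browser.
function renderProfileVulnerable(description) {
  return `<div class="bio">${description}</div>`;
}

// The hardened renderer: encode on output, never trust what is in the store.
function renderProfileSafe(description) {
  return `<div class="bio">${escapeHtml(description)}</div>`;
}

// Server-side check useful for logging or alerting on submissions: does the
// description contain something that looks like an HTML tag? Plain "1 < 2"
// does not trigger it.
function looksLikeMarkup(text) {
  return /<\s*\/?\s*[a-zA-Z!]/.test(String(text));
}

console.log("vulnerable:", renderProfileVulnerable(SAMPLE_DESCRIPTION));
console.log("encoded:   ", renderProfileSafe(SAMPLE_DESCRIPTION));
console.log("stripped:  ", stripTags(SAMPLE_DESCRIPTION));
console.log("flagged:   ", looksLikeMarkup(SAMPLE_DESCRIPTION));
```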

You’re welcome, Universe.com :)

Dec 19 2016 Discovery & Notified Universe.com
Dec 20 2016 “This [issue] has been passed along to our development team”
Feb 2017 Issue got fixed (no follow-up email received)
Apr 09 2017 7 days publishment notice sent
Apr 17 2017 Post published