Monday, 10 March 2014

Multiple XSS instances on Atlassian's HipChat


Note: At the time of writing this blog post, both Cross Site Scripting instances had been fixed by Atlassian.

Last month I reported multiple cross-site scripting (XSS) instances in Atlassian's "HipChat" web-based chat user interface. Below is a brief summary of the XSS instances which I reported to Atlassian's security team.

1. Cross Site Scripting in “Delete Room” feature of HipChat Web Interface:
   
This XSS instance in particular was pretty interesting to find. In HipChat there is a feature to create a new chat room. I used the "Room Name" text field of this feature for injecting the evil JavaScript code. The sample JavaScript code which I injected into the text field was: <img src=1 onerror=prompt(0)>

Once I clicked the "Create Room" button, HipChat created a new room named "<img src=1 onerror=prompt(0)>". I visited the "Lobby" feature to view the recently created room. This feature also offered the functionality to delete a room.

So I used the "Delete room" option to delete "<img src=1 onerror=prompt(0)>".

Before deleting the room, HipChat re-confirmed my decision by showing an alert box.

Once I clicked the "OK" button ... bingo, the JavaScript payload got executed.



2. Self-inflicted Cross Site Scripting in “File Sharing” feature of HipChat Web Interface:
The "File Sharing" feature of HipChat was found vulnerable to self-inflicted cross-site scripting. I selected an image file with the name:
<img src=1 onerror=alert(document.cookie)>.jpg

Once the file was uploaded successfully, I clicked the "Share" button .... the JavaScript payload got executed.


Atlassian's security team was very responsive. The moment I reported the multiple XSS instances, the Atlassian team acknowledged my responsible vulnerability disclosure report. They followed up with the development team to get the issues fixed ASAP.

Atlassian's security team recognized my effort towards responsible vulnerability disclosure by adding my name to Atlassian's "Security Hall of Fame" and awarding a cool T-shirt.

I am grateful to Atlassian Security team for their warm gesture :)

Atlassian's Security Hall of Fame


Thursday, 6 February 2014

My First "Hall of Fame" from ifixit.com

As a white hat I have reported several high-risk application security vulnerabilities in the past. But all of them were reported either to the clients for whom I was working or to the employers from whom I was drawing my monthly paycheck.

This time I thought I would try my hand at the bug bounty programs run by several companies/organizations. The sole motive was to help them identify security weaknesses in their respective web products/applications and, in turn, earn some fame for myself.

In May 2013, I got my first breakthrough. I reported a "Stored XSS" instance to ifixit.com. One of the "textarea" fields of a form on ifixit.com was found vulnerable to stored XSS. The JavaScript payload I used to detect the vulnerability was:

</textarea><img src=1 onerror=alert('XSSed') 
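The three findings on this page (the HipChat room name, the HipChat file name, and this ifixit.com textarea) share one root cause: stored user text is concatenated straight into markup when it is rendered. The following is an added example written for this page, not code from HipChat, ifixit.com or the original posts. The renderer and field names are invented for illustration; the inputs are the three payloads from the posts, embedded here as constructed test data, and each vulnerable renderer is shown beside the escaped version that would have closed the bug:

```javascript
// Added example (not HipChat's or ifixit.com's code): the bug behind all three
// findings is untrusted, stored text concatenated straight into markup. The
// function and field names here are invented for illustration; the payloads
// are the ones from the posts, embedded as constructed test inputs.

const ROOM_NAME_PAYLOAD = '<img src=1 onerror=prompt(0)>';
const FILE_NAME_PAYLOAD = '<img src=1 onerror=alert(document.cookie)>.jpg';
const TEXTAREA_PAYLOAD = "</textarea><img src=1 onerror=alert('XSSed') ";

// Generic fix for an HTML text or quoted-attribute context: encode the five
// characters that can open a tag, close one, or terminate a quoted attribute.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Finding 1 (HipChat room name). The name is accepted and stored at creation
// and only becomes script when the delete confirmation renders it as HTML.
function renderDeleteConfirmVulnerable(roomName) {
  return '<p>Delete room "' + roomName + '"?</p>';
}
function renderDeleteConfirmFixed(roomName) {
  return '<p>Delete room "' + escapeHtml(roomName) + '"?</p>';
}

// Finding 2 (HipChat file name). Same data, two HTML sinks: the link text and
// the title attribute. The href is a URL context, so it gets URL encoding.
function renderShareLinkVulnerable(fileName) {
  return '<a href="/files/' + encodeURIComponent(fileName) + '" title="' +
    fileName + '">' + fileName + '</a>';
}
function renderShareLinkFixed(fileName) {
  const safe = escapeHtml(fileName);
  return '<a href="/files/' + encodeURIComponent(fileName) + '" title="' +
    safe + '">' + safe + '</a>';
}

// Finding 3 (ifixit.com textarea). Text inside <textarea> is parsed as raw
// text until the parser sees </textarea>, so breaking out needs exactly the
// closing tag the payload supplies. Escaping '<' removes that possibility.
function renderTextareaVulnerable(content) {
  return '<textarea name="notes">' + content + '</textarea>';
}
function renderTextareaFixed(content) {
  return '<textarea name="notes">' + escapeHtml(content) + '</textarea>';
}

// Crude structural check: which tag names appear in the output that the
// template itself did not put there? Empty means the data stayed data.
function foreignTags(html, allowedTagNames) {
  const names = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)]
    .map((m) => m[1].toLowerCase());
  return names.filter((name) => !allowedTagNames.includes(name));
}

// Stand-alone demo: each vulnerable renderer leaks an <img>, each fixed one does not.
for (const [label, vulnerable, fixed, payload, allowed] of [
  ['room name', renderDeleteConfirmVulnerable, renderDeleteConfirmFixed, ROOM_NAME_PAYLOAD, ['p']],
  ['file name', renderShareLinkVulnerable, renderShareLinkFixed, FILE_NAME_PAYLOAD, ['a']],
  ['textarea', renderTextareaVulnerable, renderTextareaFixed, TEXTAREA_PAYLOAD, ['textarea']],
]) {
  console.log(label, 'vulnerable:', foreignTags(vulnerable(payload), allowed));
  console.log(label, 'fixed:     ', foreignTags(fixed(payload), allowed));
}
```

Two practical notes. First, escaping belongs at the output sink, chosen per context: an HTML body or quoted attribute gets the escaping above, a URL part gets encodeURIComponent, and a browser-side UI should write the value with textContent or an auto-escaping template rather than innerHTML or jQuery's .html(). Second, foreignTags is only a test aid for this example; it is not a sanitizer, and rejecting "<" on input would not have been a substitute for escaping on output, because the same stored value can later land in a new sink, exactly as the room name did in the delete confirmation.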

The complete chronology of the responsible vulnerability disclosure is as follows:

23 May 2013 at 6:41 p.m.: Vulnerability reported to ifixit.com
23 May 2013 at 6:42 p.m.: Got an automated mail response from ifixit.com
25 May 2013: Stored XSS instance fixed by ifixit.com
4 June 2013: My name was included in ifixit.com's Hall of Fame for the year 2013
Stored XSS POC
This "Stored XSS" earned me my first "Hall of Fame" from ifixit.com, which is indeed special to me.
ifixit.com Hall of Fame
My joy knew no bounds when I received the goodies sent by ifixit.com. I want to sincerely thank the ifixit.com security team for their diligent and professional approach in handling this responsible vulnerability disclosure. It clearly shows the organization's commitment towards information security.