Description

Credit: Aftersnows

A stored Cross-Site Scripting (XSS) vulnerability exists in the handling of conversation data sent over the application's WebSocket channel. An attacker can place HTML containing JavaScript in a WebSocket message; the content is persisted with the conversation, and when a victim later opens that conversation the injected JavaScript executes in the victim's browser.

Proof of Concept

Note for reproduction: the conversation name used in the payload must belong to a conversation that already exists. Create a new conversation first (here it is named 'word1') and then use that name in the payload.

Note also that the payload must be sent with 'fn_index': 35.

https://github.com/user-attachments/assets/649f454c-0a0e-4896-ac1e-b55e233be605

First, create a conversation with any name (here 'word1'), then send the following message over the WebSocket:

{"data":[null,"word1",[["<div class=\\"user-message\\">word1</div>","<img src=x onerror=alert(document.domain)><div class=\\"raw-message hideM\\"></div><div class=\\"md-message\\">\\n\\n\\n</div>"]],"新对话 08-22 16-12"],"event_data":null,"fn_index":35,"session_hash":"bvtzvj4lb2"}

(The same payload can also be submitted as an HTTP POST request instead of over the WebSocket.)

https://github.com/user-attachments/assets/48d29ace-201d-49a5-8342-bc0b38e42099

The payload is stored on the server as part of the conversation. The next user who opens this conversation has the injected markup rendered, and the script executes in their browser.

https://github.com/user-attachments/assets/3e486f6f-b433-4f59-b8ed-46fed30ed076
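The root cause is that each chat-history entry is stored and rendered as raw HTML, so any markup the sender supplies reaches the next viewer's DOM. The following is an added example written for this page, not the affected application's own code: it takes the PoC payload above, checks whether a message fragment carries active content, and runs each history entry through an allowlist sanitizer built on Python's standard-library html.parser before the entry would be persisted. The tag/attribute allowlist and the assumption that data[2] holds the history as [user_html, bot_html] pairs are this example's assumptions about the payload shown above, not documented behaviour of the application.

```python
import html
import json
import re
from html.parser import HTMLParser

# Constructed from the PoC payload shown on this page (single-escaped JSON).
# Assumption: data[2] is the chat history as a list of [user_html, bot_html].
POC_PAYLOAD = r'''{"data":[null,"word1",[["<div class=\"user-message\">word1</div>","<img src=x onerror=alert(document.domain)><div class=\"raw-message hideM\"></div><div class=\"md-message\">\n\n\n</div>"]],"新对话 08-22 16-12"],"event_data":null,"fn_index":35,"session_hash":"bvtzvj4lb2"}'''

# Allowlist chosen for this example; the real application would pick its own.
ALLOWED_TAGS = {"div", "p", "br", "b", "i", "strong", "em", "code", "pre"}
ALLOWED_ATTRS = {"class"}
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object"}  # drop tag AND body
VOID_TAGS = {"br"}

# Heuristic detector for markup that can execute script; useful as a log/alert
# check on incoming messages, but the sanitizer below is the actual control.
ACTIVE_CONTENT = re.compile(
    r"<script|<iframe|<object|<embed|<svg|\son[a-z]+\s*=|javascript:", re.I
)


def contains_active_content(fragment: str) -> bool:
    """Return True if the fragment looks like it carries executable content."""
    return bool(ACTIVE_CONTENT.search(fragment))


class _Sanitizer(HTMLParser):
    """Rebuilds a fragment keeping only allowlisted tags/attributes.

    Text nodes are re-escaped on output; unknown tags are dropped but their
    text is kept; script/style/iframe/object lose their body as well.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self._suppress = 0  # >0 while inside a DROP_CONTENT_TAGS element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._suppress += 1
            return
        if self._suppress or tag not in ALLOWED_TAGS:
            return  # e.g. <img ... onerror=...> is dropped entirely
        kept = [
            f' {name}="{html.escape(value, quote=True)}"'
            for name, value in attrs
            if name in ALLOWED_ATTRS and value is not None
        ]
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._suppress = max(0, self._suppress - 1)
            return
        if self._suppress or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._suppress:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped; they are a common place to hide payloads


def sanitize_message(fragment: str) -> str:
    """Return an allowlist-sanitized version of one chat message fragment."""
    parser = _Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def sanitize_history(history):
    """Sanitize every [user_html, bot_html] pair before it is persisted."""
    return [[sanitize_message(user), sanitize_message(bot)] for user, bot in history]


def sanitize_payload(payload_json: str) -> dict:
    """Parse a queue message and sanitize the history it carries (data[2])."""
    payload = json.loads(payload_json)
    payload["data"][2] = sanitize_history(payload["data"][2])
    return payload


if __name__ == "__main__":
    original = json.loads(POC_PAYLOAD)["data"][2][0][1]
    print("active content in PoC bot message:", contains_active_content(original))
    print("sanitized:", repr(sanitize_message(original)))
```

Run the module directly to see the PoC's bot message with the `<img onerror>` element removed while the surrounding div structure survives. The sanitizer is the server-side control to apply wherever history entries are written; the regex check is only a cheap tripwire for logging or rejecting obviously hostile messages and should not be relied on alone.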

Impact

Because the injected payload is persisted with the conversation, every user who later opens that conversation executes attacker-controlled JavaScript in the context of the application's origin, with that user's privileges.

User Data Theft:

The injected script runs with full access to the page, so it can read any data the application exposes there, such as login credentials or personal information the victim enters, and send it to an attacker-controlled server. This can lead to account compromise and exposure of the victim's private conversations.

Session Hijacking:

The script can read the session cookie if it is not marked HttpOnly. Even when it is, the script runs inside the victim's authenticated origin and can issue requests on the victim's behalf, so the attacker can impersonate the user and gain unauthorized access to their account either way.

Malware Distribution: