How does OS prevent XSS attacks? (LaTeX link based) ... If an attacker is able to make a user/mod click on his link, he might fetch his cookie/session credentials and then log in as that user/mod. How does OS prevent this type of attack (or doesn't it yet? :O)
@e.mccormick
This basic test will alert the cookie of the person who clicks on the link... the same way, an attacker can get the cookie of the user and log in as him... unless OS uses a ticket system.
\(\href {javascript:alert(document.cookie);}{Alert cookie}\)
Moreover, an attacker can make a mod kick a user (without his knowledge, if he clicks the link) with this JavaScript command: kickUserFromGroup() <-- That's why it makes the site so vulnerable when you let users add custom href links.
I noted that yesterday .. no protection
Someone gave me a joke link about logging out, so I noted that we can include it in LaTeX .. and do whatever we want
but didn't think of trying it on a mod lol, not a fan of hacker jobs, but what you're saying is possible
Even though it's not safe to let users add their links (it's scary!), if you really want users to add their links, you should use MathJax Safe mode: http://docs.mathjax.org/en/latest/safe-mode.html. It prevents all types of JavaScript XSS attacks. Even though it can't prevent a basic attack (like logging out a user) because its link is HTTP based (http://openstudy.com/session/logout) <--. To fix the logout vulnerability, you should add more params to the logout link (as in a sessionId, or some unique form id). I hope that OS will fix these quickly, otherwise the situation could get very chaotic!
Hmm, I was afraid of that too. I just suggest that you don't click those links. You can distinguish what the LaTeX link is before you click on it. You can do this by left-clicking the LaTeX, clicking "Show Math As", then clicking "TeX Commands"... Within the LaTeX code, you should be able to distinguish what the link is.
Yes, that will do it @Whitemonsterbunny17, but it's too much effort for a user (especially if the user isn't very advanced). I'd look forward to the OS team implementing safe mode (which wouldn't be too hard to implement). Till then, users need to be aware of such attacks.
Yes, that is very true.
You can make a user show his/her cookie in an alert box, very easy. But how would you fetch it at the time they click the link? LaTeX linking to websites outside of the openstudy domain is impossible. Where would you send it to? Some file which has been uploaded on OS using the attach file button? Because that's one of the 2 things I can imagine. The other one is making the user post their cookie as a reply in the question where he/she clicked the link. The writer of this script could then copy it and alter his own cookie. Another thing, I don't think mod powers are cookie based, but rather loaded in a session. So in that case you'd have to get the info out of the session; I don't even know if that's possible.
Ok, I thought LaTeX could be linked to some other domain... so that fixes the cookie thing (unless he makes the user post a reply... or send a message to him)... But how would you stop this? Suppose a mod clicks the link that has the JavaScript function kickUserFromGroup("openstudy feedback","cybershadow");window.open("some other fake link"); The mod will be redirected to that other website, but!!! He will also kick Cybershadow from the openstudy feedback group and he wouldn't know that he did that. How are you planning to fix this?
Anything containing http:// will be shown as a normal link
`\(\href{ url }{ link text} \)`
\(\href{ url }{ link text} \)
As you see, it adds the url to openstudy.com/
Alrighty, tested, it won't link to an external domain. Now about the second part, how would you fix that?
How would someone figure out how the kicking and suspension system works?
Ok, well, it's in your source code. I can give you an example, hold on: \(\href{javascript:window.kickUserFromGroup("openstudy feedback", "compassionate"))} {Click}\)
This will kick Compassionate out of this group
assuming the groupId is openstudy feedback?
Yes
Okay, I clicked it; as you can see, our friend compassionate is still in the group.
Oh wait, I didn't add a semicolon <---
Wait a sec, lemme generate a new link: \(\href{javascript:window.kickUserFromGroup("openstudy feedback", "compassionate");}{click}\)
Yeah, it works: 2014-07-15 21:07:09 thomaster compassionate Kick
Kicking is very harmless; if suspending works too, that'd be cool :P You could trick a mod into suspending someone.
Why was I kicked?
We were just testing, sorry yo xD
Don't worry, you're just being used as our guinea pig.
Okay. Carry on.
My father is watching something and I'm away, so try not to kick me because it interrupts his program. Haha.
Anyway thomaster, apart from this, there are many annoying commands. For instance window.close(), which will close the window, or window.reload, or maybe an alert loop that will crash the browser window of the user, and it will get really scary. The question is, why do you really want JavaScript to be executed? Why not just go with the safe mode? :P
Well I'm not a site programmer, so it's not my decision to allow users to execute scripts. To disable this, I guess the engineering team needs to remove the entire href function in mathjax. The one to talk to is @c0decracker , he's the CTO.
Not really, we can still include href links: http://docs.mathjax.org/en/latest/safe-mode.html <--- Safe mode is the way to go.
if you click that link, will compassionate be kicked too?
No, as I'm not a mod.
But anyone can easily fool a mod. For example, he will execute multiple JavaScript commands, one opening a page to the normal question so that the mod won't suspect him, and one that will kick a random user.
Moreover, BanFn, IpCheckFn and SuspendFn are crackable too ;) but I won't exploit them.
You can also use the function leaveGroup(group) to kick a user indirectly. The only things we should be afraid of are: function blockUser(username), function unfanUser(userId).
Is it possible in chrome to display scripts being executed realtime?
Not really... only if you are logging scripts using the console.log <-- command; then you can tell that they are executed by looking in the JavaScript console of Chrome.
I think doing a ban wouldn't be very tough either.
os.userById("compassionate").banFn() <-- this function can ban the user
os.userById("compassionate").suspendFn() for suspending and os.userById("compassionate").warnFn() for warning O_O
Yeah, but you're missing a few parameters, like suspension time, message, warning message.
Yeah, I guess. It won't show me what the actual banFn() is (it just shows false) as I'm not a mod, but if I make you click the link, I'd get all the parameters of that function, and then in the next link I'd use that function with those commands... and actually ban someone. Huge vulnerability!!!!
can you make the mod tools visible with canModerateThisUser() ?
Yes.
Actually no... but IsModerator(true); makes it visible.
but they wouldn't give a tooltip if you'd click a button right?
No it wont do anything
`ko.utils.unwrapObservable(os.userById('compassionate').suspendFn)([reasonForBan, TimePeriod].join("|"))`, and here is the suspend function decoded o_o. So, well, chaos :P
How the heck did you figure that one out :O
Let me try it out on a test account.
Doesn't work: `javascript:window.ko.utils.unwrapObservable(os.userById('thomaster2').suspendFn)("test","16".join("|"));` TypeError: undefined is not a function
There are many other bypasses on this site and I have found so many it's not even funny. For example there are ways to excessively spam testimonials at a user in a short period of time, bypass the blockage of messages, access a users account without their permission. That's just a few but there are so many more.
@CyberShadow You're quite intelligent to have figured this out! But have you figured out the administrator one...that is one huge defect in the system xD
Actually, as soon as I found that JavaScript worked through the \(\LaTeX\) system, I passed it on to the code team. So @c0decracker and his people know about the basic issue.
Yeah @ShadowLegendX, you are quite right. Anyone can write a loop to send messages/write testimonials for multiple persons... moreover, one can make a mod ban all the users in the group if he writes `for (var x in os.groupById("openstudy feedback").membersById) { var name = os.groupById("openstudy feedback")[x]; kickUserFromGroup("openstudy feedback", os.userById(name)); }`. Apart from that, he can also change the email id of the account and then hack his account permanently. And there might be many other hacks which aren't even discussed yet.
`javascript:window.ko.utils.unwrapObservable(os.userById('thomaster2').suspendFn)(["test","16"].join("|"));` Try this @thomaster2 ;) You wrote the wrong brackets out there.
Have you seen the id system for the users? So easy to crack though c;
Yerr Shad ;) ... Apart from this, OS should also add flood control in the chats. I myself have written a bot (which doesn't spam btw ;), but anyone else with evil intentions can write a bot and flood all the chats with spam at the same time. Better get that fixed too.
Yes, another one of my suggestions. Also drop the chat buffer size at the same time.
Mhm, true, and actually I did see a user months ago who used a bot to spam multiple chats at the same time.
Yah, the one doing ad spam.
One funny one was an ad spammer was trying to do html ads in the chat... so not much useful stuff came through that time.
I like how you can actually use http://somethinghere.com in chat and it actually shows up but there is no domain c;
Wait this one actually has one, jay kay
But you can put anything in there c;
There might be another leak... If a mod has the power to make another person a mod, an attacker can use makeMemberModerator() to make himself a moderator... but then again, if we use safe mode all of these JavaScript vulnerabilities will vanish... all we need to worry about then is openstudy.com/session/logout <--- links, which can be fixed by passing an additional parameter, like some unique random form id.
It just came to my mind that another hell of an injection would be to make a user your bot... so chaotic :P
LULZ!!! Make someone your spam slave xD
Does LaTeX work in chats as well?
No, a shame ;)
>;3
haha well dang
This should make any person clicking Shad's and my slave in the English chat :P
And if you make a mod your slave, then you can ban at any time without having to post the link again. Scary o_o
Woah, that's some scary topic +_+ I wish I could understand all this though <.<
Still doesn't work: TypeError: boolean is not a function
Cyber and I patched it, want to try it out?
javascript:ko.utils.unwrapObservable(os.userById('thomaster2').suspendFn)(["No reason", "1"].join("|")) ;
This will work fo shizzle @thomaster :P
And he's gone *_*
Gotta make it an href, tell him he gets a cookie if he clicks it c;
You can just leave the protocol out of the link et voilà! XSS suddenly made possible. Can't believe we didn't figure this out years ago when we were trying to link outside of the OS domain xD. javascript:window.open('//www.google.com'); \(\href{javascript:window.open('//www.google.com');}{\Large\sf Google}\) (It works without javascript too, but then it will be opened in the same page, which is kinda annoying.)
Oh, and your new link still doesn't work, same error: boolean is not a function.
Oh boy... Well, it keeps getting scarier :P
boolean is not a function... oh yeah, it gives that error to me too, but it does post the ajax request, so I guess it does suspend. Can you call this? And let's see if I get banned or not... javascript:ko.utils.unwrapObservable(os.userById('cybershadow').suspendFn)(["No reason", "1/60"].join("|")) ;
nope
Alrighty, well, that's weird, 'cos that's how OS's usual suspend fn works.
Try the warn function.
Alrighty, how about just calling it with the given arguments? Try this: javascript:os.userById('cybershadow').suspendFn('no reason',"1/60");
Didn't work, but this time it didn't give an error; instead it gave an entire list of every function in OS...
I think it's returning all the function values that are currently set for you. Like the location of your avatar, if you're a subscriber, if you're a mod/ambassador.