Stealing passwords from infosec Mastodon - without bypassing CSP

web
We discussed this vulnerability during Episode 169 on 21 November 2022

Starts off with a somewhat classic parser attack: placing a parsable object inside another context in the hope of tripping up the system. In this case Gareth Heyes was able to inject :verified: within a supported HTML attribute and have it replaced with the custom emoji as an <img> tag, turning:

<abbr title="<a href='https://blah'>:verified:</a><iframe src=//garethheyes.co.uk/>">

Into:

<abbr title="<a href='https://blah</a>'><img draggable=" false" ... ><iframe src=//garethheyes.co.uk/>

It's a fairly classic trick; however, full cross-site scripting could not be achieved here because of the strict Content Security Policy. Instead he opted for an HTML injection attack, abusing the autofill functionality of the Chrome password manager to fill in hidden form fields that could be submitted upon interaction with the injected HTML.
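The bug class above, as an added example that is not Mastodon's or Gareth Heyes' code: it assumes the shortcode expansion ran as a string replacement over already-serialized HTML, shows why that also rewrites attribute values (the double quotes in the emoji <img> terminate the attribute early), and contrasts it with a replacer that only touches text nodes plus a regression check. EMOJI_IMG, SAMPLE and the check are constructed for illustration.

```python
# Added example, not Mastodon's or Gareth Heyes' code. Assumes the vulnerable
# pattern was a shortcode string replacement over serialized HTML, which also
# rewrites attribute values; the quotes in the expansion then end the attribute.
# EMOJI_IMG, SAMPLE and the regression check are constructed for illustration.
from html import escape
from html.parser import HTMLParser

EMOJI_IMG = '<img draggable="false" alt=":verified:" src="/emoji/verified.png">'
# Modelled on the page's <abbr title=...> payload: shortcode in an attribute and in text.
SAMPLE = "<abbr title=\"<a href='x'>:verified:</a>\">shown :verified:</abbr>"

def naive_replace(html: str) -> str:
    """Vulnerable pattern: the shortcode is replaced inside attribute values too."""
    return html.replace(":verified:", EMOJI_IMG)

class TextNodeReplacer(HTMLParser):
    """Re-serialises the markup, expanding the shortcode only in text nodes."""
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        # Attribute values are re-escaped verbatim and never shortcode-expanded.
        rendered = "".join(f' {k}="{escape(v or "", quote=True)}"' for k, v in attrs)
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if tag != "img":  # img is a void element and gets no closing tag
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text node: escape the user text first, then splice in the trusted EMOJI_IMG.
        self.out.append(escape(data).replace(":verified:", EMOJI_IMG))

def context_aware_replace(html: str) -> str:
    parser = TextNodeReplacer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

class AttributeInspector(HTMLParser):
    """Regression check: flags any attribute value that ended up containing <img."""
    leaked = False
    def handle_starttag(self, tag, attrs):
        self.leaked = self.leaked or any(v is not None and "<img" in v for _, v in attrs)

def markup_leaked_into_attribute(html: str) -> bool:
    parser = AttributeInspector()
    parser.feed(html)
    parser.close()
    return parser.leaked
```

Running the check over the output of each replacer on SAMPLE flags the naive version (the abbr's title attribute now contains the emoji <img>) and clears the text-node version.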