
Conversation

@huntr-helper

https://huntr.dev/users/d3m0n-r00t has fixed the Stored-XSS on "HiChat" vulnerability 🔨. d3m0n-r00t has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

| Q | A |
| --- | --- |
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | 418sec#1 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/hichat/1/README.md |

User Comments:

📊 Metadata

Bounty URL: https://www.huntr.dev/bounties/1-npm-hichat

⚙️ Description

The HiChat application is a simple chat for small teams which is based on a small server which helps to track messages sent by various users. The project presents a stored XSS issue which could lead to session stealing or HTML/JS injection in a permanent way, until the victim leaves the chat room.
Fixed the stored xss using the sanitize-html module to filter out html tags from the input.
https://www.npmjs.com/package/sanitize-html

💻 Technical Description

Sanitize-html is a simple sanitizer module, to filter out html tags and sanitize input.

🐛 Proof of Concept (PoC)

  1. Download the project locally
  2. Run npm i
  3. Run node server
  4. Go on http://localhost:3000
  5. Join the chat room and set your username as test"><img/src="x"/onerror="alert(document.domain)">
  6. Open an anonymous tab and join the chatroom as another user (simulating the victim who joins the same chat room of the attacker)
  7. When the attacker sends any message, the username is insecurely reflected and JS injected
  8. XSS popped!!!
    (screenshot: hichatpoc)

🔥 Proof of Fix (PoF)

Added sanitize-html to sanitize the input and filter out html tags to avoid injecting xss payloads into the nickname field as well as the message field. There is no xss after sanitization.
(screenshot: hichatpof)

👍 User Acceptance Testing (UAT)

The application runs smoothly after the fix, and no more xss. Can now send and receive messages without worrying about xss or data leakage.
