Gone from Semrush too soon, I'm back again with some bugs! I was testing out some new tools and needed a codebase to test it against, and today's Semrush's lucky day
- intergalactic/website/server/main.js, lines 13 to 15 in ad97ee8:

  ```js
  app.get('*', function (req, res) {
    res.status(404);
  });
  ```

  misses `res.send()` or `res.end()` in the 404 catchall. also `res.send('pong')` in the pong endpoint does something, but everything after that does nothing (can't send a response header after content in http)
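An added example (not code from the intergalactic repo) of the two handlers written so that every request ends its response exactly once. Express is not needed to run it: `makeRes()` is a constructed stand-in that mimics only the parts of an Express/Node response the handlers touch, including Node's refusal to change headers once the body has gone out. `pongWrongOrder` keeps the ordering the issue describes so the failure is visible next to the fix.

```javascript
// Constructed stand-in for the Express response object: enough of status(), set(),
// send() and end() to show the lifecycle. Not the real Express implementation.
function makeRes() {
  return {
    statusCode: 200,
    headersSent: false,
    headers: {},
    body: null,
    status(code) { this.statusCode = code; return this; },
    set(name, value) {
      // Node raises ERR_HTTP_HEADERS_SENT when headers change after the body was sent.
      if (this.headersSent) throw new Error('Cannot set headers after they are sent');
      this.headers[name] = value;
      return this;
    },
    send(body) { this.body = body; this.headersSent = true; return this; },
    end() { this.headersSent = true; return this; },
  };
}

// Catch-all: status() alone leaves the client waiting for a response that never
// comes (until it times out). end() or send() actually finishes the response.
function notFound(req, res) {
  res.status(404).end();
}

// Health check: headers first, then send(), then return so nothing runs after it.
function pong(req, res) {
  return res.set('Cache-Control', 'no-store').send('pong');
}

// The ordering the issue describes: anything touching headers after send() fails.
function pongWrongOrder(req, res) {
  res.send('pong');
  res.set('Cache-Control', 'no-store'); // too late: headers already sent
}

// Run a handler against a fresh stub response and report what the client would see.
function runHandler(handler, path) {
  const res = makeRes();
  let error = null;
  try {
    handler({ path }, res);
  } catch (e) {
    error = e;
  }
  return { statusCode: res.statusCode, ended: res.headersSent, body: res.body, error };
}
```

`runHandler(notFound, '/missing')` reports `ended: true` with status 404, `runHandler(pong, '/ping')` returns the body with no error, and `runHandler(pongWrongOrder, '/ping')` surfaces the header-after-send error that a real server would log.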
- intergalactic/website/docs/.vitepress/renderIframe.ts, lines 11 to 18 in ad97ee8:

  ```ts
  return `
    <iframe
      src="${url}"
      class="embedded-documentation-iframe"
      title='documentation'
      height="${height}"
    />
  `;
  ```

  and intergalactic/website/docs/.vitepress/renderLoomVideo.ts, lines 5 to 9 in ad97ee8:

  ```ts
  const title = token.info.replace('loom_video', '').trim() || 'video';
  const url = tokens[idx + 2].content;

  return `<div class="embedded-video-container"><iframe src='${url}' frameborder='0' webkitAllowFullScreen mozAllowFullScreen allowFullScreen class="embedded-video-iframe" title='${title}'>`;
  }
  ```

  are vulnerable to XSS. sanitize inputs (url, title, height) and use `new URL` with further sanitization (https://github.com/MegaManSec/Security-Solutions/blob/main/Domain-Validation.md may be helpful)
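An added example (not the repo's renderIframe.ts or renderLoomVideo.ts) of both templates with every interpolated value either validated or escaped before it reaches HTML. The `ALLOWED_EMBED_HOSTS` allowlist is an assumption (only www.loom.com is listed, because the page mentions Loom; a docs site would add its own hosts), and the `<iframe>` is closed with an end tag because `iframe` is not a void element, so the original `/>` was ignored by the parser anyway.

```javascript
// Assumed allowlist of hosts that may be framed. Real list is the site owner's call.
const ALLOWED_EMBED_HOSTS = new Set(['www.loom.com']);

// Escape the characters that can close a double-quoted attribute or open a tag.
// Only safe when the attribute is wrapped in double quotes, as the templates below do.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Parse with `new URL`, then check scheme and host on the parsed object. A regex on
// the raw string would let `javascript:`, `https://evil.example/https://www.loom.com/`
// and `https://www.loom.com@evil.example/` through; the URL parser does not.
function safeEmbedUrl(raw, allowedHosts = ALLOWED_EMBED_HOSTS) {
  let url;
  try {
    url = new URL(String(raw));
  } catch {
    return null; // not an absolute URL at all
  }
  if (url.protocol !== 'https:') return null;
  if (!allowedHosts.has(url.hostname)) return null;
  if (url.username || url.password) return null; // no credentials in embed URLs
  return url.href; // serialised form, so it also normalises odd encodings
}

// height lands inside an attribute: accept only a plain positive integer.
function safeHeight(raw, fallback = 400) {
  const n = Number(raw);
  return Number.isInteger(n) && n > 0 && n <= 10000 ? n : fallback;
}

function renderIframe(url, height) {
  const src = safeEmbedUrl(url);
  if (!src) return ''; // refuse to render rather than frame an attacker-chosen page
  return `<iframe src="${escapeAttr(src)}" class="embedded-documentation-iframe" title="documentation" height="${safeHeight(height)}"></iframe>`;
}

function renderLoomVideo(info, url) {
  // Same title derivation as the original markdown-it renderer, then escaped.
  const title = String(info).replace('loom_video', '').trim() || 'video';
  const src = safeEmbedUrl(url);
  if (!src) return '';
  return `<div class="embedded-video-container"><iframe src="${escapeAttr(src)}" frameborder="0" allowfullscreen class="embedded-video-iframe" title="${escapeAttr(title)}"></iframe></div>`;
}
```

Validating on the parsed `URL` object rather than the string is the point the linked Domain-Validation note makes: hostname and protocol are checked after the parser has resolved userinfo, case and encoding, and the serialised `href` is what gets interpolated.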
- intergalactic/website/docs/.vitepress/theme/amplitude/amplitude-client.ts, lines 172 to 187 in ad97ee8:

  ```ts
  return {
    platform: `${systemInfo.platform.vendor} ${systemInfo.platform.type}`,
    os_name: systemInfo.browser.name,
    os_version: systemInfo.browser.version,
    device_brand: systemInfo.os.name,
    device_manufacturer: systemInfo.os.versionName,
    device_model: '',
    country: Intl.DateTimeFormat().resolvedOptions().timeZone,
    language,
    user_properties: {
      ['$set']: {
        OS: `${systemInfo.os.name} ${systemInfo.os.versionName} v${systemInfo.os.version}`,
        platform: `${systemInfo.platform.vendor} ${systemInfo.platform.type}`,
        language,
        screen: `${width} x ${height}`,
      },
  ```

  `os_name: systemInfo.browser.name,` is (probably not deliberately) wrong -- `os.name` seems more realistic. the others are wrong too; check https://www.npmjs.com/package/bowser
- intergalactic/website/docs/.vitepress/theme/amplitude/amplitude-client.ts, line 153 in ad97ee8:

  ```ts
  if (!deviceId && !sessionId) {
  ```

  should be `||`
- intergalactic/website/docs/.vitepress/theme/amplitude/amplitude-client.ts, lines 78 to 83 in ad97ee8:

  ```ts
  method: 'POST',
  headers: {
    Accept: 'application/json',
  },
  body: `api_key=${apiKey}&identification=${encodeURIComponent(identification)}`,
  })
  ```

  that data doesn't look like json to me
- intergalactic/website/docs/.vitepress/theme/amplitude/amplitude-client.ts, lines 49 to 51 in ad97ee8:

  ```ts
  this.logEvent('init_app', {
    event_properties: { theme, pathname, referrer: document.referrer },
  });
  ```

  -- excellent way to leak api keys from GET parameters
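An added example (not the repo's amplitude-client.ts) of reducing the referrer to origin plus path before it goes into an analytics event, so query strings and fragments, where API keys, tokens and search terms tend to sit, are never logged. `buildInitAppEvent` takes the referrer as a parameter instead of reading `document.referrer` so it runs outside a browser; `findSensitiveParams` is an extra check, with an assumed list of key names, that shows what the unscrubbed value would have carried.

```javascript
// Keep only scheme, host, port and path of a referrer. Query, fragment and
// credentials are dropped wholesale; there is no safe allowlist of "harmless" params.
function scrubReferrer(referrer) {
  if (!referrer) return ''; // empty when there is no referrer or Referrer-Policy hid it
  let url;
  try {
    url = new URL(referrer);
  } catch {
    return ''; // not an absolute URL: nothing worth keeping
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return '';
  return `${url.origin}${url.pathname}`;
}

// Assumed list of query-parameter names that usually carry secrets. Used to show
// what would have leaked, e.g. in a test or a log-review script, not to sanitise.
const SENSITIVE_PARAM_RE = /(key|token|secret|auth|password|session)/i;

function findSensitiveParams(referrer) {
  let url;
  try {
    url = new URL(referrer);
  } catch {
    return [];
  }
  const found = [];
  for (const name of url.searchParams.keys()) {
    if (SENSITIVE_PARAM_RE.test(name)) found.push(name);
  }
  return found;
}

// The init_app event from the issue, with the referrer scrubbed before it is recorded.
function buildInitAppEvent({ theme, pathname, referrer }) {
  return {
    event_type: 'init_app',
    event_properties: { theme, pathname, referrer: scrubReferrer(referrer) },
  };
}
```

For `https://app.example/dash?api_key=abc123#token=xyz` (a constructed value) the event records `https://app.example/dash`, while `findSensitiveParams` on the raw value returns `['api_key']`, which is what the original code would have shipped to the analytics backend.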
- intergalactic/semcore/illustration/transform.ts, line 20 in ad97ee8:

  ```ts
  document.body.innerHTML = svg;
  ```

  probably XSS here, not sure what this is actually used for, but svgs can contain javascript
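An added example (not the repo's transform.ts) of a review check that flags the constructs which make an SVG string dangerous to assign to `innerHTML`. It is a detector for CI or code review, not a sanitizer, and the pattern list is a heuristic that will miss encoded or unusual forms; to render untrusted SVG, use a real sanitizer such as DOMPurify, or load it through `<img src="data:image/svg+xml,...">`, which never executes script. Both SVG strings are constructed samples.

```javascript
// Constructs that let an SVG run script or pull in arbitrary content when parsed as
// HTML. Names are what gets reported; the regexes are deliberately loose to favour
// false positives over misses in a review tool.
const UNSAFE_SVG_PATTERNS = [
  { name: 'script element', re: /<\s*script\b/i },
  { name: 'event handler attribute', re: /\son[a-z]+\s*=/i },
  { name: 'javascript: URL', re: /(?:href|xlink:href)\s*=\s*["']?\s*javascript:/i },
  { name: 'foreignObject (embeds arbitrary HTML)', re: /<\s*foreignObject\b/i },
  { name: 'external resource via <use>', re: /<\s*use\b[^>]*href\s*=\s*["']?\s*(?:https?:)?\/\//i },
  { name: 'set/animate retargeting href', re: /<\s*(?:set|animate)\b[^>]*attributeName\s*=\s*["']?(?:xlink:)?href/i },
];

// Return the names of every unsafe pattern present, in list order.
function findUnsafeSvg(svg) {
  const text = String(svg);
  return UNSAFE_SVG_PATTERNS.filter((p) => p.re.test(text)).map((p) => p.name);
}

function isSafeToInline(svg) {
  return findUnsafeSvg(svg).length === 0;
}

// Constructed samples: a plain icon, and one carrying three separate script vectors.
const CLEAN_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>';
const MALICIOUS_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script>' +
  '<a href="javascript:alert(1)"><text onclick="alert(1)">x</text></a></svg>';
```

`findUnsafeSvg(CLEAN_SVG)` returns an empty list; `findUnsafeSvg(MALICIOUS_SVG)` reports the script element, the event handler attribute and the `javascript:` URL, and `isSafeToInline` is false for it. A clean result means "nothing obvious", not "safe": the check belongs in front of a sanitizer, not in place of one.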
like and subscribe for more