Summary
Two issues - Self-XSS (how about "Invited Members" feature? So possible without prefix "Self-") and opportunity to make "a Proxy" from Novu. I decided to let you know about both of these issues with single report, because it's connected.
I hope it will be useful and valuable for you.
The issue described is a Self-XSS (Cross-Site Scripting) vulnerability that occurs in the Preview window within the Novu platform. The issue can allow malicious payloads (JavaScript) to execute in the context of the user's browser.
Details
Self-XSS typically refers to scenarios where users are tricked into executing malicious JavaScript in their own browser (e.g., through developer tools or form inputs). However, the described issue is not purely "Self-XSS", as the malicious payloads can be entered by an attacker with the intention of exploiting the system’s lack of input validation.
Novu allows unvalidated custom JavaScript <script> tags) in the Edit window, which are then executed when switched to the Preview window.
Repro steps:
- As logged in user go to https://web.novu.co/workflows ; Select some workflow, ie. "digest-workflow-example" ; click Email button/rectangle/element there https://web.novu.co/workflows/edit/[chars]/email/[chars]
- See window for Edit, add there payloads:
Hi {{subscriber.firstName}}! 👋 You've sent {{step.total_count}} <script>alert(window.origin)</script> <script>alert(document.domain)</script> <script>location.href = 'https://www.wikipedia.org/';</script> events!
- From Edit tab change to Preview tab - payloads will be executed
PoC
Result - screenshots:
and
POC - payloads examples:
<script>alert(window.origin)</script> <script>alert(document.domain)</script> <script>location.href = 'https://www.wikipedia.org/';</script>
Quick notes:
<script>alert(document.cookie)</script> will show 4x cookies
<script>location.href = 'https://www.wikipedia.org/';</script> - "proxy effect"
Proposed remediation:
Sanitize/purify there. I'm not sure that payloads like presented in POC are there necessary for proper Novu service.
Impact
This is a Cross-Site Scripting (XSS) vulnerability, specifically falling under:
- Persistent/Stored XSS: The malicious payload is saved in the system (in the "Edit" window) and then executed later in the "Preview" window.
- Potential Proxy Effect: Due to the ability to execute JavaScript (e.g., location.href), the vulnerability could be abused to redirect users to untrusted/malicious websites or exfiltrate sensitive information.
Who is impacted:
- Authenticated Users (Low-Privilege Users):
The attacker can exploit this issue using their own account to inject malicious payloads.
If the system allows multiple users to collaborate on workflows (e.g., "Invited Members"), the payload could be triggered when another user previews the workflow, broadening the impact.
- Potential Escalation to High-Privilege Users:
If higher-privilege users (e.g., admins) interact with compromised workflows, attackers could exfiltrate sensitive data such as cookies or session tokens tied to those accounts.
Similar case like this one, described here:
"Send a malicious SVG file to the target and ask them to test it on any Replicate model that accepts images as input.
Upon uploading, the user will immediately see a fake error message prompting them to click for more information.
The user clicks the “error” message.
Our XSS payload executes, exfiltrating the user’s account API key" source https://www.imperva.com/blog/lessons-learned-from-exposing-unusual-xss-vulnerabilities/
Additional information:
I followed your recommendations VDP. On the site https://github.com/novuhq/novu/security there is info "Reporting Instructions:
Email your findings to [email protected]." - I did that. (2023-08)
References:
https://cwe.mitre.org/data/definitions/79.html
https://capec.mitre.org/data/definitions/63.html
https://owasp.org/www-community/attacks/xss/
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
https://portswigger.net/web-security/cross-site-scripting
https://en.wikipedia.org/wiki/Proxy_server
Summary
Two issues - Self-XSS (how about "Invited Members" feature? So possible without prefix "Self-") and opportunity to make "a Proxy" from Novu. I decided to let you know about both of these issues with single report, because it's connected.
I hope it will be useful and valuable for you.
The issue described is a Self-XSS (Cross-Site Scripting) vulnerability that occurs in the Preview window within the Novu platform. The issue can allow malicious payloads (JavaScript) to execute in the context of the user's browser.
Details
Self-XSS typically refers to scenarios where users are tricked into executing malicious JavaScript in their own browser (e.g., through developer tools or form inputs). However, the described issue is not purely "Self-XSS", as the malicious payloads can be entered by an attacker with the intention of exploiting the system’s lack of input validation.
Novu allows unvalidated custom JavaScript <script> tags) in the Edit window, which are then executed when switched to the Preview window.
Repro steps:
Hi {{subscriber.firstName}}! 👋 You've sent {{step.total_count}} <script>alert(window.origin)</script> <script>alert(document.domain)</script> <script>location.href = 'https://www.wikipedia.org/';</script> events!
PoC
Result - screenshots:
and
POC - payloads examples:
<script>alert(window.origin)</script> <script>alert(document.domain)</script> <script>location.href = 'https://www.wikipedia.org/';</script>Quick notes:
Proposed remediation:
Sanitize/purify there. I'm not sure that payloads like presented in POC are there necessary for proper Novu service.
Impact
This is a Cross-Site Scripting (XSS) vulnerability, specifically falling under:
Who is impacted:
The attacker can exploit this issue using their own account to inject malicious payloads.
If the system allows multiple users to collaborate on workflows (e.g., "Invited Members"), the payload could be triggered when another user previews the workflow, broadening the impact.
If higher-privilege users (e.g., admins) interact with compromised workflows, attackers could exfiltrate sensitive data such as cookies or session tokens tied to those accounts.
Similar case like this one, described here:
"Send a malicious SVG file to the target and ask them to test it on any Replicate model that accepts images as input.
Upon uploading, the user will immediately see a fake error message prompting them to click for more information.
The user clicks the “error” message.
Our XSS payload executes, exfiltrating the user’s account API key" source https://www.imperva.com/blog/lessons-learned-from-exposing-unusual-xss-vulnerabilities/
Additional information:
I followed your recommendations VDP. On the site https://github.com/novuhq/novu/security there is info "Reporting Instructions:
Email your findings to [email protected]." - I did that. (2023-08)
References:
https://cwe.mitre.org/data/definitions/79.html
https://capec.mitre.org/data/definitions/63.html
https://owasp.org/www-community/attacks/xss/
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
https://portswigger.net/web-security/cross-site-scripting
https://en.wikipedia.org/wiki/Proxy_server