Full Report
Chess.com is a very popular online chess platform, and the author decided to look into the site for security issues. On the platform you can add friends. Reviewing that request showed it is a GET request to a registration invite containing a long hash, so if a user clicks the link they accept the friend request. To make this more obtainable, the author learned that you could add an image link to your profile, and that this image link could be a direct link on chess.com. So the URL for the link could easily be changed to the friend-request URL, which, when loaded as an image on the profile, would force the viewer to accept the request. Pretty neat! When the developers tried to fix this, it was easy to bypass via a domain redirect.

The author then wanted to find true XSS on the website, which led them to a TinyMCE editor. They started reading its configuration and noticed that the background-image style attribute was in the allowlist. While adding this attribute, a double quote was being added to the URL, resulting in a context break: since the double quote escaped the given context, they could add extra attributes to the tag. They were able to add an onload attribute with JavaScript in it! However, not many characters were allowed, such as parentheses or backticks. The author goes through a long process of enumerating the restrictions of the exploit: only being able to use a ? once, dots being allowed, and many other things. When you're testing black-box, figuring out what you have and what the limitations are is super important. To start, they realized they could read cookies and redirect the page to exfiltrate them.

Overall, an interesting XSS article. I wish that the explanation of why they tried specific things was clearer, but I enjoyed the vulnerability.
Analysis Summary
# Vulnerability: Persistent XSS via TinyMCE Attribute Injection on Chess.com
## CVE Details
- **CVE ID:** Not Assigned (HackerOne/Private Bug Bounty Disclosure)
- **CVSS Score:** 8.2 (Estimated)
- **CWE:** CWE-79 (Cross-site Scripting), CWE-20 (Improper Input Validation)
## Affected Systems
- **Products:** Chess.com Web Platform
- **Versions:** Production environment as of Jan 2024 (Now Patched)
- **Configurations:** User profile "About" section utilizing the TinyMCE rich text editor.
## Vulnerability Description
The vulnerability stems from insecure server-side processing of the `background-image` CSS style attribute within `<img>` tags. While Chess.com's TinyMCE configuration allowed the `background-image` attribute, the server-side function responsible for re-hosting external images improperly handled the URL string.
Specifically, the re-hosting script prepended a double quote (`"`) to the rewritten URL. This resulted in a context break: the stray quote terminated the `style` attribute early, allowing an attacker to inject arbitrary HTML attributes (such as `onload`) into the `<img>` tag. The delimiting behavior of the server (using `/` as a separator) allowed the attacker to chain multiple attributes.
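As an added illustration, and not code from Chess.com or from the original write-up, the Python below models the defect just described next to a hardened rewrite. A re-hosting function that returns the rewritten URL with a stray leading double quote closes the `style` attribute early, and a browser-like tokenizer then sees the rest of the URL as further attributes of the `<img>` tag; the fixed version percent-encodes anything that could end a CSS `url()` token or an HTML attribute and HTML-escapes the whole attribute value. `CDN_BASE`, the function names and the sample URL are assumptions constructed for the example.

```python
"""Model of the re-hosting defect and a hardened rewrite (added example,
not Chess.com's code). CDN_BASE is a placeholder, not a real host."""
import html
from html.parser import HTMLParser
from urllib.parse import quote

CDN_BASE = "https://cdn.example.invalid/rehosted/"  # assumed placeholder


def rehost_url_vulnerable(external_url: str) -> str:
    """Models the bug: the rewritten URL comes back with a stray leading
    double quote and no encoding of characters that matter in CSS/HTML."""
    return '"' + CDN_BASE + external_url


def render_img_vulnerable(external_url: str) -> str:
    # The stray quote closes the style attribute early, so whatever follows
    # is parsed as further attributes of the <img> tag (the context break).
    return f'<img style="background-image: url({rehost_url_vulnerable(external_url)})">'


def rehost_url_fixed(external_url: str) -> str:
    """Percent-encode anything that could terminate a CSS url() token or an
    HTML attribute (quotes, parentheses, whitespace, backslash); keep only
    the characters that give a URL its structure."""
    return CDN_BASE + quote(external_url, safe=":/?&=#._-~%")


def render_img_fixed(external_url: str) -> str:
    # Quote the url() token explicitly, then HTML-escape the whole attribute
    # value so no character from the URL can end the attribute or the tag.
    css = f'background-image: url("{rehost_url_fixed(external_url)}")'
    return f'<img style="{html.escape(css, quote=True)}">'


class _ImgAttrs(HTMLParser):
    """Collects the (name, value) pairs of the first <img> tag, roughly as a
    browser tokenizer would see them."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "img" and self.attrs is None:
            self.attrs = attrs


def img_attributes(markup: str):
    """Return the attribute list of the first <img> in markup."""
    p = _ImgAttrs()
    p.feed(markup)
    p.close()
    return p.attrs or []


if __name__ == "__main__":
    url = "https://example.invalid/pics/board.png"  # constructed sample URL
    for label, render in (("vulnerable", render_img_vulnerable),
                          ("fixed", render_img_fixed)):
        markup = render(url)
        print(label, markup)
        print("  parsed attributes:", img_attributes(markup))
```

Run stand-alone, the vulnerable rendering parses into a truncated `style` plus several junk attributes derived from the URL, while the fixed rendering parses into exactly one `style` attribute carrying the complete URL. The point of encoding on output rather than filtering on input is that the same rewrite stays safe whatever the user typed into the editor.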
## Exploitation
- **Status:** PoC available; reported via Bug Bounty program.
- **Complexity:** Medium (Requires intercepting POST requests and bypassing specific character filters like parentheses and backticks).
- **Attack Vector:** Network (Persistent/Stored).
## Impact
- **Confidentiality:** High (Ability to steal session cookies/PII via exfiltration to an attacker-controlled domain).
- **Integrity:** Medium (Ability to perform actions on behalf of the user, such as forced friend requests).
- **Availability:** Low (Some potential for page defacement).
## Remediation
### Patches
- **Chess.com Internal Fix:** The developers patched the server-side image processing logic to prevent the double-quote injection and improved the sanitization of allowlisted attributes.
### Workarounds
- **Content Security Policy (CSP):** Implementing a strict CSP that disallows `unsafe-inline` scripts and restricts object/image sources would have mitigated the impact of the XSS.
## Detection
- **Indicators of Compromise:** Profile "About" sections containing `<img>` tags with broken `style` attributes or unexpected `onload` events.
- **Detection Methods:** Web Application Firewalls (WAF) can be configured to look for attribute-breaking characters in CSS property values (e.g., `url("...`) or the use of `onload` within image tags.
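The indicators listed above can be checked offline against stored profile markup. The Python below is an added example, not Chess.com's tooling: it walks each `<img>` tag in an "About" section and reports event-handler attributes, attributes outside an assumed allowlist (the residue of a context break), and `style` values whose `url()` token is never closed. The allowlist, the function names and the three sample profiles are constructed for the example.

```python
"""Scanner for stored profile HTML (added example, not Chess.com's code)."""
import re
from html.parser import HTMLParser

# Attributes a profile <img> is expected to carry (assumed allowlist).
ALLOWED_IMG_ATTRS = {"src", "alt", "title", "width", "height", "class", "style"}
URL_TOKEN = re.compile(r"url\(\s*(['\"]?)")  # opening of a CSS url() token


def style_is_broken(style_value):
    """True when the style contains url( whose closing ')' (and matching
    opening quote, if any) never appears: the shape left by a context break."""
    if style_value is None:
        return True  # a bare `style` with no value is never legitimate
    m = URL_TOKEN.search(style_value)
    if not m:
        return False
    rest = style_value[m.end():]
    closing = m.group(1) + ")"  # e.g. '")' when the token opened with a quote
    return closing not in rest


class _ProfileImgScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(("event-handler", name))
            elif name == "style" and style_is_broken(value):
                self.findings.append(("broken-style", value))
            elif name not in ALLOWED_IMG_ATTRS:
                self.findings.append(("unexpected-attribute", name))


def scan_profile(about_html: str):
    """Return a list of (kind, detail) findings for one profile section."""
    s = _ProfileImgScanner()
    s.feed(about_html)
    s.close()
    return s.findings


# Constructed sample "About" sections (not real profile data).
SAMPLES = {
    "clean": ('<p>Hi!</p><img src="https://cdn.example.invalid/r/1.png" alt="board" '
              'style="background-image: url(&quot;https://cdn.example.invalid/r/2.png&quot;)">'),
    "handler": '<img src="https://cdn.example.invalid/r/1.png" onload="1">',
    # What a context-broken tag looks like once the URL pieces became attributes.
    "context-break": '<img style="background-image: url(" https:="" example.invalid="" x.png)="">',
}

if __name__ == "__main__":
    for name, markup in SAMPLES.items():
        print(name, scan_profile(markup) or "no findings")
```

The scanner deliberately keys on structure (a never-closed `url(`, attribute names that are URL fragments) rather than on any particular payload, so it still fires when the script body itself is obfuscated or restricted to a small character set.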
## References
- **Original Research:** [https://skii.dev/chess-xss/](https://skii.dev/chess-xss/) (Defanged)
- **Platform:** [https://www.chess[.]com/](https://www.chess[.]com/)