WebTorrent http server XSS

[feross]

Description

There's a low risk XSS in the WebTorrent http server. It relies on getting the user to visit an HTML page served by the WebTorrent http server but that we do not expose to Brave users in any UI or user flows.

The following steps are required to pull this off:

• User clicks a link to a .torrent file or magnet link which contains a specially-crafted torrent title or file name.
• The user starts downloading the torrent in Brave
• The user right-clicks one of the 'Save File' links and selects 'Copy Link Address'
• The user modifies the copied URL on their clipboard so they visit the homepage instead of the copied URL. For example, if the copied URL is http://localhost:12345/0/file.mp4, then the user would need to modify it to visit http://localhost:12345, the server index page (which lists the files in the torrent).
• Now, the attacker's JavaScript code runs in the context of the http://localhost:12345 origin.

An alternative way to trigger this is:

• User clicks a link to a .torrent file or magnet link which contains a specially-crafted torrent title or file name.
• The user starts downloading the torrent in Brave
• Attacker code running in an unrelated origin in another tab attempts to iframe all possible http://localhost:<port> combinations until they find the one that WebTorrent is using.

The reason this seems relatively low risk is that the WebTorrent HTTP server only allows fetching data pieces from the torrent. It doesn't support any other control of the torrent client. Furthermore, even if the attacker attacked the HTTP server itself somehow (e.g. via a malformed request) the HTTP server is being run in a sandboxed Chrome extension context, so potential for damage seems limited.

The only thing the WebTorrent http server origin can do is fetch pieces of the torrent. This origin is distinct from the WebTorrent extension origin, which does not contain an XSS. It seems that the most attacker code can do is e.g. figure out what content the user is downloading and exfiltrate that information to an external server.

The attacker could also install a service worker on localhost:12345 and attempt to interfere with whatever server may run on that port in the future.

---

Steps to Reproduce

Copied from H1 report.

1. Open hxxps://exec.ga/browser/brave/xss.torrent in Brave Browser.
2. Click "Start Torrent" button
3. Copy link address of "Save File" button.
4. Paste it to URL bar with only hostname and port (e.g. hxxp://localhost:8080).

Actual result:

1. Alert will be popped up.

Expected result:

1. Alert should not popup.

Reproduces how often:

Easily reproduced

Brave version (brave://version info)

Version 0.71.41 Chromium: 76.0.3809.132 (Official Build) nightly (64-bit)

Version/Channel Information:

• Can you reproduce this issue with the current release?
• Can you reproduce this issue with the beta channel?
• Can you reproduce this issue with the dev channel?
• Can you reproduce this issue with the nightly channel? Yes

Other Additional Information:

• Does the issue resolve itself when disabling Brave Shields? No
• Does the issue resolve itself when disabling Brave Rewards? No
• Is the issue reproducible on the latest version of Chrome? No

Miscellaneous Information:

[feross]

Fixed in [email protected].

webtorrent PR: webtorrent/webtorrent#1714
brave-core PR: brave/brave-core#3271

[yrliou]

Changed milestones to 0.69.x because WebTorrent is upgraded to 0.107.16 in 0.69.x by brave/brave-core#3450.

[kjozwiak]

Verification PASSED on macOS 10.14.6 x64 using the following build:

Brave	0.69.129 Chromium: 77.0.3865.90 (Official Build) (64-bit)
Revision	58c425ba843df2918d9d4b409331972646c393dd-refs/branch-heads/3865@{#830}
OS	macOS Version 10.14.6 (Build 18G95)

• Verified the the test plan outlined under WebTorrent http server XSS #5821 (comment) and ensured I didn't receive a popup.

Reproduced using 0.68.141 CR: 77.0.3865.90

Verified using 0.69.129 CR: 77.0.3865.90

Verification passed on

Brave	0.69.129 Chromium: 77.0.3865.90 (Official Build) (64-bit)
Revision	58c425ba843df2918d9d4b409331972646c393dd-refs/branch-heads/3865@{#830}
OS	Windows 10 OS Version 1803 (Build 17134.1006)

• Verified the the test plan outlined under WebTorrent http server XSS #5821 (comment) and ensured I didn't receive a popup.

Reproduced using 0.68.141 CR: 77.0.3865.90

Verified using 0.69.129 CR: 77.0.3865.90

Verification passed on

Brave	0.69.129 Chromium: 77.0.3865.90 (Official Build) (64-bit)
Revision	58c425ba843df2918d9d4b409331972646c393dd-refs/branch-heads/3865@{#830}
OS	Ubuntu 18.04 LTS

• Verified the the test plan outlined under WebTorrent http server XSS #5821 (comment)