- Introduction
- Identified Vulnerabilities
- LBN-01-001: Stored XSS in cloak profile via texture name
- LBN-01-002: DOM-based XSS in search page via q parameter
- LBN-01-003: DOM-based XSS in cloaks page via input parameter
- LBN-01-004: DOM-based XSS in bandanas page via input parameter
- LBN-01-005: DOM-based XSS in skins page via input parameter
- LBN-01-006: HTML Injection in @user profile via social-icon tooltip
- LBN-01-001: Stored XSS in cloak profile via texture name
- Report Timeline
"LABY.net is the ultra fast and clean Minecraft user search and skin library. Browse through thousands of skins, capes and cloaks. Look up UUIDs or visit your friends' profiles to see their LabyMod stats. Completely free, fast and without ads." โ twitter.com/LabyMod/status/1411021855423713286
This report describes the results of an independent black-box security assessment of https://LABY.net.
Made by Slowftw in late May 2023 for self-learning, support and contribution to the website.
No organization or specialized team involved.
The findings have been listed ordered by their degree of severity and impact. The severity ranking is provided with a colored badge image or simply in parenthesis after the title of each vulnerability. Each vulnerability is additionally given a unique identifier (e.g. XYZ-01-001) for the purpose of facilitating any future follow-up correspondence. The code analysis was done in Firefox Developer Tools (113.0.2/Win10) from bundled/webpack production builds using a personal account with normal user privileges, which required more time to understand and potentially decreased the findings.
LBN-01-001: Stored XSS in cloak profile via texture name 
What is Stored XSS?
Stored Cross-site Scripting occurs when a web application gathers input from a user which might be malicious, and then stores that input in a data store for later use. The input that is stored is not correctly filtered. As a consequence, the malicious data will appear to be part of the web site and run within the user's browser under the privileges of the web application. Read more in portswigger.net
- The name of the texture/cloak is inserted into the 'Information' card using innerHTML without escaping, allowing XSS.
Attackers could trick users into executing arbitrary JS code and stealing their cookies just by viewing the page.
The victim would visit the page unsuspectingly because it would be a trusted domain/link.
- Upload a new https://laby.net/cloaks (e.g. with random pixels to generate a new imageHash);
- Paste the payload in texture name (must include onxs=s):
<details/open="onxs=s"ontoggle=alert(document.domain)> - Click 'Upload' and you will be redirected to cloak's profile, triggering the alert popup.
- Example result: https://laby.net/cloak/441156c1067883c5f981ad6e52b54bf7
- Use textContent instead of innerHTML to escape user-controlled input.
Read more how to prevent XSS attacks.
t.dataset.trans === "textures.name"
? (t.textContent = o(t.dataset.trans, t))
: (t.innerHTML = o(t.dataset.trans, t));LBN-01-002: DOM-based XSS in search page via q parameter 
What is DOM-based?
DOM-based XSS vulnerabilities usually arise when JavaScript takes data from an attacker-controllable source, such as the URL, and passes it to a sink that supports dynamic code execution, such as eval() or innerHTML. This enables attackers to execute malicious JavaScript, which typically allows them to hijack other users' accounts. Read more in portswigger.net
- The input parameter is inserted directly into innerHTML. An attacker could execute arbitrary JS code and steal users' cookies by tricking them into clicking on a crafted link or redirection domain, triggering the XSS.
- Enter to the following link: https://laby.net/search?q=%3Cdetails/open=%22onxs=s%22ontoggle=%22alert(document.domain)%22%3E
- Use textContent instead of innerHTML to escape user-controlled input.
Read more how to prevent XSS attacks.
LBN-01-003: DOM-based XSS in cloaks page via input parameter
- The input parameter is being concatenated with the translated title, the
<small>tag, and then inserted with innerHTML, allowing XSS.
- Enter to the following link: https://laby.net/cloaks?input=onxs%3D%3Cimg+src%3Dx%3A+onerror%3Dalert(document.domain)%3E
- Examples to escape user-controlled input but still include the trusted html:
const input="<input>", translated = "LabyMod Cloaks";
heading.textContent=input;
heading.innerHTML+=` <small>${translated}</small>`;
// or
const escapeHTML = (unsafe) => {
return unsafe
.replaceAll("&", "&")
.replaceAll("<", "<")
.replaceAll(">", ">")
.replaceAll('"', """)
.replaceAll("'", "'");
};
heading.innerHTML=`${escapeHTML(input)} <small>${translated}</small>`;LBN-01-004: DOM-based XSS in bandanas page via input parameter
- The input parameter is being concatenated with the translated title, the
<small>tag, and then inserted with innerHTML, allowing XSS. The same function with innerHTML from the same file as LBN-01-003 is used here to construct the layout of this path, only the value of the getHeading function changes.
- Enter to the following link: https://laby.net/bandanas?input=onxs%3D%3Cimg+src%3Dx%3A+onerror%3Dalert(document.domain)%3E
- The same as LBN-01-003.
LBN-01-005: DOM-based XSS in skins page via input parameter
- The input parameter is being concatenated with the translated title, the
<small>tag, and then inserted with innerHTML, allowing XSS. The same function with innerHTML from the same file as LBN-01-003 is used here to construct the layout of this path, only the value of the getHeading function changes.
- Enter to the following link: https://laby.net/skins?input=onxs%3D%3Cimg+src%3Dx%3A+onerror%3Dalert(document.domain)%3E
- The same as LBN-01-003.
LBN-01-006: HTML Injection in @profile page via social-icon tooltip 
What is HTML Injection?
HTML Injection is an attack that is similar to Cross-site Scripting (XSS). While in the XSS vulnerability the attacker can inject and execute Javascript code, the HTML injection attack only allows the injection of certain HTML tags. When an application does not properly handle user supplied data, an attacker can supply valid HTML code, typically via a parameter value, and inject their own content into the page. This attack is typically used in conjunction with some form of social engineering, as the attack is exploiting a code-based vulnerability and a user's trust. Read more in acunetix.com
- The username or display name of the services linked to the account appears in the user's profile as a button with Bootstrap tooltip that is triggered, in this case, from a mouseover event and using
data-html=true. By being able to manipulate Spotify's display name and inserting HTML code, attackers could use the<img>tag to display NSFW content, make a request to an external website, stealing browser and ip information. This vulnerability would be an XSS if Bootstrap 5.1.3 did not include a sanitizer or if there was a known bypass.
- Change your Spotify's display name to:
<img/src=//x55.netlify.app> - Once logged into your laby.net account, go to: https://laby.net/connect/spotify
- Switch to off and on to refresh the cache in your profile.
- Escaped HTML entities are usually unescaped when inserted into tag attributes.
Alternatives:
- Remove
data-html=true(icon-verified will not be rendered); - Escape user-controlled input twice, e.g.:
<'">โ&lt;&apos;&quot;&gt;. - Use Bootstrap's tooltip template option.
- 1685682900 - Initial report sent.
- 1685688000 - Vulnerabilities fixed.
Thank you for this very detailed report! Fixes are deployed just now. :)