CVE-2024-53272
📋 TL;DR
Habitica versions before 5.28.5 contain reflected cross-site scripting vulnerabilities in the login and social media functions. An attacker can craft malicious links with a specially crafted redirectTo parameter to execute arbitrary JavaScript in victims' browsers when they register or log in. This affects all users of vulnerable Habitica instances.
💻 Affected Systems
- Habitica
📦 What is this software?
Habitica by Habitica
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full control of victim's Habitica account, potentially accessing personal data, modifying habits, or performing actions as the victim.
Likely Case
Attacker steals session cookies or authentication tokens, leading to account takeover and unauthorized access to the victim's habit data.
If Mitigated
Attack fails due to proper input validation and output encoding, or browser security features like Content Security Policy block the malicious script execution.
🎯 Exploit Status
Exploitation requires tricking a user into clicking a malicious link; proof-of-concept details are available in the GitHub Security Lab advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.28.5
Vendor Advisory: https://github.com/HabitRPG/habitica/commit/946ade5da1f52a804ef2ba76d49416c43e8166bf
Restart Required: Yes
Instructions:
1. Update Habitica to version 5.28.5 or later.
2. Restart the Habitica application server.
3. Verify the fix by checking the version and testing the vulnerable endpoints.
🔧 Temporary Workarounds
Implement Content Security Policy (CSP)
Add a strict CSP header to block inline script execution and restrict script sources.
Send the response header: Content-Security-Policy: default-src 'self'; script-src 'self'
Web Application Firewall (WAF) Rules
Configure the WAF to block requests containing malicious script patterns in the redirectTo parameter.
Add rule to block requests with redirectTo parameter containing <script> tags or javascript: URIs
🧯 If You Can't Patch
- Disable user registration and social media login features if not essential.
- Monitor logs for suspicious redirectTo parameter values and block offending IP addresses.
🔍 How to Verify
Check if Vulnerable:
Test by accessing the login page with a redirectTo parameter containing a simple payload like redirectTo=javascript:alert('XSS'). If an alert pops up, the system is vulnerable.
Check Version:
Check the Habitica web interface footer or server logs for version information, or run 'npm list habitica' in the installation directory.
Verify Fix Applied:
After patching, repeat the vulnerable test; the payload should be sanitized and not execute. Check that the application version is 5.28.5 or higher.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to login or registration endpoints with redirectTo parameter containing script tags or javascript: URIs
- Unusual spikes in failed login attempts from single IPs
Network Indicators:
- Outbound connections to suspicious domains triggered by malicious redirects
- HTTP responses containing unsanitized redirectTo parameter values
SIEM Query:
source="web_logs" AND (url_path="/login" OR url_path="/register") AND query_string="*redirectTo=*script*"
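The log indicators above, turned into a small scanner as an added example (not part of this advisory or of Habitica's own code). It percent-decodes the query string before matching, so encoded variants that the plain SIEM query can miss are caught, and it also flags protocol-relative and absolute redirect targets as a lower-severity off-site indicator; the /login and /register endpoint paths and the log lines are assumptions.

```javascript
// Added example (not part of the advisory or of Habitica itself): scan
// access-log lines for redirectTo values matching the indicators above.
// Query strings are percent-decoded first, so "%3Cscript%3E" and
// "javascript%3A" are caught, and whitespace/control characters that
// browsers ignore inside a scheme are stripped before the javascript: test.
const LOGIN_PATHS = new Set(['/login', '/register']); // assumed endpoints
// Common Log Format: ip ident user [time] "METHOD target HTTP/x" status size
const LOG_LINE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/;

// Decoded redirectTo value for login/register requests, else null
function extractRedirectTo(requestTarget) {
  const q = requestTarget.indexOf('?');
  if (q === -1 || !LOGIN_PATHS.has(requestTarget.slice(0, q))) return null;
  return new URLSearchParams(requestTarget.slice(q + 1)).get('redirectTo');
}

// Reason string for a suspicious value, or null when it looks benign
function classifyRedirectTo(value) {
  const normalized = value.replace(/[\s\u0000-\u001f]/g, '').toLowerCase();
  if (normalized.includes('<script')) return 'script-tag';
  if (normalized.startsWith('javascript:')) return 'javascript-uri';
  // A scheme or a protocol-relative prefix sends the user off-site
  if (normalized.startsWith('//') || /^[a-z][a-z0-9+.-]*:/.test(normalized)) {
    return 'off-site-redirect';
  }
  return null;
}

// One finding per suspicious request; lines that do not parse are skipped
function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const m = LOG_LINE.exec(line);
    if (!m) continue;
    const value = extractRedirectTo(m[3]);
    if (value === null) continue;
    const reason = classifyRedirectTo(value);
    if (reason) findings.push({ ip: m[1], target: m[3], value, reason });
  }
  return findings;
}

// Constructed sample log lines (RFC 5737 documentation addresses)
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Dec/2024:10:00:01 +0000] "GET /login?redirectTo=/tasks HTTP/1.1" 200 512',
  '203.0.113.9 - - [10/Dec/2024:10:00:02 +0000] "GET /login?redirectTo=javascript:alert(1) HTTP/1.1" 200 512',
  '203.0.113.9 - - [10/Dec/2024:10:00:03 +0000] "GET /register?redirectTo=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
  '203.0.113.9 - - [10/Dec/2024:10:00:04 +0000] "GET /register?redirectTo=JaVa%09ScRiPt%3Aalert(1) HTTP/1.1" 200 512',
  '203.0.113.12 - - [10/Dec/2024:10:00:05 +0000] "GET /login?redirectTo=//203.0.113.99/ HTTP/1.1" 200 512',
];
console.table(scanAccessLog(SAMPLE_LOG));
```

Feed real access-log lines into scanAccessLog and alert on any finding; the benign /tasks target produces none.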