$256 Bounty: XSS via Web Cache Poisoning in Discourse
Summary
A recent bug bounty revealed an XSS vulnerability in the Discourse forum platform, which allows an attacker to potentially target users via a combination of injection and cache poisoning techniques.
Discourse uses font preloading together with response caching, which means the preloaded font files are served from the parent website's own domain.
An attacker can inject a payload into the X-Forwarded-Host header; its value is reflected unsanitised into the HTML and, once the poisoned response is cached, can be used to execute a repeatable cross-site scripting attack.
This would allow an attacker to host a malicious font file on an unprotected domain, enabling them to target users of the platform remotely and persistently.
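The pattern described above, as an added illustration that is not Discourse's own code: a vulnerable helper that drops the forwarded host straight into a font preload tag, the hardened form that only builds asset URLs from an operator-configured allow-list and escapes the value, and a small detection helper an operator could run over cached responses. The hostnames `forum.example.com` and `attacker.example` are constructed for the example.

```ruby
require "cgi"
require "uri"

# Constructed example: the hostname the operator configured for the forum.
TRUSTED_HOSTS = ["forum.example.com"].freeze

# Vulnerable pattern: the X-Forwarded-Host value goes straight into the markup.
# Whatever a request carries in that header ends up in the cached page.
def preload_link_unsafe(forwarded_host)
  %(<link rel="preload" as="font" href="https://#{forwarded_host}/fonts/main.woff2">)
end

# Mitigated pattern: build asset URLs only from an allow-listed host, and
# HTML-escape the value anyway so a stray quote cannot close the attribute.
def preload_link_hardened(forwarded_host, trusted_hosts = TRUSTED_HOSTS)
  host = forwarded_host.to_s.strip.downcase
  unless trusted_hosts.include?(host)
    raise ArgumentError, "untrusted forwarded host rejected: #{forwarded_host.inspect}"
  end
  %(<link rel="preload" as="font" href="https://#{CGI.escapeHTML(host)}/fonts/main.woff2">)
end

# Detection helper for operators: scan a (possibly cached) response body and
# return every href host that is not one of ours. A poisoned cache entry shows
# up as a preload pointing at a domain the operator never configured.
def offsite_href_hosts(body, trusted_hosts = TRUSTED_HOSTS)
  body.scan(/href="([^"]*)"/).flatten.filter_map do |url|
    host = begin
      URI.parse(url).host
    rescue URI::InvalidURIError
      nil
    end
    next nil if host.nil?
    host = host.downcase
    trusted_hosts.include?(host) ? nil : host
  end
end

if __FILE__ == $PROGRAM_NAME
  benign = "forum.example.com"
  poisoned = "attacker.example" # constructed value a request might carry in X-Forwarded-Host
  puts preload_link_unsafe(poisoned)
  puts offsite_href_hosts(preload_link_unsafe(poisoned)).inspect
  puts preload_link_hardened(benign)
  begin
    preload_link_hardened(poisoned)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The allow-list is the real fix: the forwarded host is attacker-controlled input on any deployment where the proxy does not overwrite it, so escaping alone would still let a poisoned cache entry point browsers at an off-site font. The scanner is the corresponding check: any preload whose host is not the configured one is evidence of a poisoned cached page.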
The vulnerability was discovered by security researcher Bobrov, who identified the issue in various live Discourse instances, including those of Mozilla and NextCloud, receiving a $256 bounty in the process.