I believe the WebSub intent verification might be vulnerable to XSS because it reflects the hub.challenge parameter with a HTML content type:
Example in Flask (uses HTML by default):
@app.route("/webhook", methods=["GET", "POST"])
def webhook():
# Webhook verification
if request.method == "GET":
if request.args.get("hub.mode") == "subscribe" and request.args.get(
"hub.challenge"
):
if not request.args.get("hub.verify_token") == TOKEN:
return "Verification token mismatch", 403
print("WEBHOOK_VERIFIED")
return request.args["hub.challenge"], 20
elif request.method == "POST":
...
Example in Express:
app.get('/webhook', (req, res) => {
if (req.query['hub.verify_token'] === env.VERIFY_TOKEN) {
res.send(req.query['hub.challenge']);
}
});
Another example in Express:
// Accepts GET requests at the /webhook endpoint
app.get('/webhook', (req, res) => {
const VERIFY_TOKEN = process.env.TOKEN;
// Parse params from the webhook verification request
let mode = req.query['hub.mode'];
let token = req.query['hub.verify_token'];
let challenge = req.query['hub.challenge'];
// Check if a token and mode were sent
if (mode && token) {
// Check the mode and token sent are correct
if (mode === 'subscribe' && token === VERIFY_TOKEN) {
// Respond with 200 OK and challenge token from the request
console.log('WEBHOOK_VERIFIED');
res.status(200).send(challenge);
} else {
// Responds with '403 Forbidden' if verify tokens do not match
res.sendStatus(403);
}
}
});
Reference: https://www.w3.org/TR/websub/
I believe the WebSub intent verification might be vulnerable to XSS because it reflects the hub.challenge parameter with a HTML content type:
Example in Flask (uses HTML by default):
Example in Express:
Another example in Express:
Reference: https://www.w3.org/TR/websub/