This is why you sanitize user input: Chat hacked live by XSS/HTML code injection, hilarity ensues

Subscribers: 50,000
Video Link: https://www.youtube.com/watch?v=2GtbY1XWGlQ
Duration: 14:25
584,703 views
17,453


While TASBot was playing SMB3, a chat user named Hexxyr found an unsanitized-input vulnerability in timeshifter's prototype alpha release of filtered Twitch chat software that I (dwangoAC) had recently started using to display chat inside OBS; it allowed HTML and CSS to be injected into the displayed chat. What happened next was a live, impromptu demonstration of my chat audience discovering new ways to take advantage of the exploit, and a perfect example of why you should always sanitize user input to prevent raw HTML tags from being passed through.

It should be noted that allowing chat to keep testing the limits was inherently risky. A number of somewhat bad things *did* happen, but with only minimal consequences. The chat display tool only needs to know which Twitch channel to connect to (dwangoAC in this case) and did not hold an auth token, so there was no risk of one being stolen. Still, there were substantial risks: chat could have displayed inappropriate images or otherwise caused far more damage than it did. While what happened here was hilarious, I can almost guarantee it will not be as funny for you if you ever make the same mistake and allow unsanitized input in your own application.

This video is the complete and uncut hilarity of what happened when Twitch chat figured out how to hack the living daylights out of the chat display tool I use. Twitch chat broke a number of things, including mangling my microphone's audio pitch and turning me into "deepwango" by creating a mismatch between 44.1 kHz and 48 kHz audio. I even got rickrolled, all through the power of raw HTML tags and CSS! The massive breakage ended up being insanely hilarious. In the strictest sense you could say it wasn't technically XSS (Cross-Site Scripting) because there was no second site, only unsanitized user input parsed as code: the chat text being displayed simply had raw tags embedded in it, which the browser then rendered.

Credit for discovering the exploit goes to Hexxyr in Twitch chat. The source code for the chat client, including the HTML sanitization fix timeshifter made toward the end of the video, can be found at: https://github.com/timeshifter/twitch-filtered-chat
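To make the failure mode above concrete, here is an added example (not code from the twitch-filtered-chat project or from timeshifter) that renders a chat line two ways: by concatenating the raw message into markup, which is what lets a typed `<style>` or `<img>` tag go live in the browser inside OBS, and by escaping every user-controlled field first. The function names, the `SAMPLE_MESSAGES` list and the example.invalid URL are all constructed for this illustration.

```javascript
// Added example, not the twitch-filtered-chat project's code: rendering a chat
// message with and without HTML escaping. All names here are hypothetical.

// Characters that change meaning inside HTML. '&' must be escaped as well,
// otherwise an already-escaped entity could be turned back into a tag later.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: user-controlled strings are concatenated into markup,
// so any tag a viewer types (<style>, <img>, ...) is parsed as HTML by the
// browser that draws the overlay instead of being shown as text.
function renderMessageUnsafe(user, text) {
  return `<div class="msg"><span class="user">${user}</span>: ${text}</div>`;
}

// Hardened rendering: both the display name and the body are escaped, so the
// exact same input is displayed literally. The DOM-side equivalent is to set
// element.textContent instead of element.innerHTML.
function renderMessageSafe(user, text) {
  return `<div class="msg"><span class="user">${escapeHtml(user)}</span>: ${escapeHtml(text)}</div>`;
}

// Count opening tags of a given name that would be live in the rendered markup.
// A quick regression check only; it is not a substitute for a real HTML parser.
function countLiveTags(html, tagName) {
  const re = new RegExp(`<${tagName}\\b`, 'gi');
  return (html.match(re) || []).length;
}

// Constructed sample messages, modelled on the kinds of input the video
// describes: plain chat, a stylesheet, embedded media, and a message that
// merely talks about a tag (which must still display correctly).
const SAMPLE_MESSAGES = [
  { user: 'viewer1', text: 'great run!' },
  { user: 'viewer2', text: '<style>.msg { transform: rotate(180deg); }</style>' },
  { user: 'viewer3', text: '<img src="https://example.invalid/picture.png">' },
  { user: 'viewer4', text: 'how do I type a <style> tag in chat?' },
];

// Render every message both ways and report how many tags stayed live.
function compareRenderings(messages) {
  let unsafeLive = 0;
  let safeLive = 0;
  for (const { user, text } of messages) {
    for (const tag of ['style', 'img']) {
      unsafeLive += countLiveTags(renderMessageUnsafe(user, text), tag);
      safeLive += countLiveTags(renderMessageSafe(user, text), tag);
    }
  }
  return { unsafeLive, safeLive };
}

for (const m of SAMPLE_MESSAGES) {
  console.log('unsafe:', renderMessageUnsafe(m.user, m.text));
  console.log('safe:  ', renderMessageSafe(m.user, m.text));
}
console.log(compareRenderings(SAMPLE_MESSAGES));
```

Run it with `node` and compare the two renderings of viewer2's message: the unsafe one hands the browser a working stylesheet, the safe one prints `&lt;style&gt;` and the viewer just sees the text they typed. Note that the display name is escaped too; anything that originates from a remote user is input, not only the message body.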

If you have no idea who TASBot is, he's a game-smashing robot that plays back Tool-Assisted Speedruns on real consoles and often does his own fair share of glitching. He's appeared at a number of Games Done Quick charity marathons and in this particular video he was attempting to play Super Mario Bros. 3. I, dwangoAC, am his keeper and as Ambassador on staff at TASVideos I attempt to "console verify" existing TAS runs that were originally made in an emulator by playing them back on a real console.

TASBot / dwangoAC:
Discord - http://Discord.TAS.Bot
Twitch - https://Twitch.tv/dwangoAC
Twitter - https://Twitter.com/MrTASBot
Patreon - https://Patreon.com/dwangoAC
Web - https://TAS.Bot


All TASVideos.org content used with permission under Creative Commons Attribution 2.0 (https://creativecommons.org/licenses/by/2.0).

Other Videos By dwangoAC, keeper of TASBot
2019-01-18 What if we gave Mario a Portal gun then made a TAS? TASBot plays Mari0 at AGDQ 2019
2019-01-11 Walls are merely a suggestion: The Legend of Zelda: A Link to the Past "Full Inventory" with minimap
2018-12-28 Making your first TAS: Deep dive tutorial with Sand_Knight in FCEUX
2018-12-21 TASBot fails to finish Super Mario All-Stars: Super Mario Bros. 3 (desyncing is always an option)
2018-12-13 [Special Presentation] Team TASBot presents Bot Bash! Friday Dec. 14 at 6PM PST on https://TAS.Bot!
2018-12-07 TASBot plays Rockman (Mega Man) 3 by Pike and Tiancaiwhr
2018-11-30 TASBot plays SMB3 100% by Lord Tom and Tompa - every level played faster than humanly possible
2018-11-22 TASBot at GDQx in HD: SM64, Pokemon Yellow, Hyper Princess Pitch, Kaizo Mario World 3, Item Abuse 3
2018-11-16 Bonus: dwangoAC in "Herding the Kids", or DefeneSam, Wrentendo, and interrupting cow(s)
2018-11-16 TASBot plays Legend of Zelda, or kids react to nostalgia, or Link luck manips (titles are hard, yo)
2018-11-09 This is why you sanitize user input: Chat hacked live by XSS/HTML code injection, hilarity ensues
2018-11-02 Twitch viewers hilariously inject CSS into chat, TASBot plays new SMB3 "warps" run after 8 years
2018-10-26 Hey Nintendo, watch TASBot beat SMB like a piano roll in 4:57 from power-on on original hardware
2018-10-19 The History of TASBot and Tool-Assisted Speedrunning, Part 3 (SGDQ 2018 Panel Special Presentation)
2018-10-19 The History of TASBot and Tool-Assisted Speedrunning, Part 2 (SGDQ 2018 Panel Special Presentation)
2018-10-12 The History of TASBot and Tool-Assisted Speedrunning, Part 1 (SGDQ 2018 Panel Special Presentation)
2018-10-05 TASBot kills the animals in Super Metroid (against SGDQ 2018's wishes)
2018-09-28 TASBot plays NES Arkanoid "warpless" in 12:26.8 by Baxter
2018-09-21 Lord Tom takes control of Super Mario Bros. 3 with help from TASBot and dwangoAC
2018-09-14 TASBot properly plays Super Mario Maker All-Stars from AGDQ 2016
2018-09-07 If SGDQ 2018 had voted to kill the animals in F-Zero GX they'd have seen this
Tags:
Unsanitized user input
exploit
hack
XSS
CSS
HTML
chat
twitch chat
SMB3
TAS
TASing
dwangoAC
TASBot
Rick Roll
rickrolled
Cross-site scripting
penetration testing
XSS game