A colleague of mine asked me a few days ago what he could do with an XSS on a BitTorrent tracker site. The most obvious thing was of course to steal a logged-in user’s session ID to get access to his account data, which contains, for example, his “Private Tracker” login credentials and so on. The XSS he found was just a reflected one, which is fine for him because he has just started with WebAppSec, but for me it was nothing more than the kind of XSS we can find on most websites across the whole Internet. You might ask why I’m writing about this at all, since then I could just as well write about any other XSS vulnerability, but this one made me think of another way of injecting a persistent XSS into BitTorrent trackers. Every BitTorrent tracker allows users to upload their new *.torrent files, and everyone can then download them via a link on the tracker, whose page shows all the relevant information about the torrent. Now let’s have a look at the information such a tracker picks out of the uploaded files, which is then displayed to the user.
Additionally, below that there is also a list of all the files contained in this torrent.
Now let’s think about input filtering. Normally there are more or less effective input filters in place in bigger web applications, but when you have to deal with the content of uploaded files, you should also check that content. I think you’ve got the point.
The only thing you have to do now is create a torrent file that contains script code, for example in the comment field. When such a file is uploaded to a torrent tracker it should be checked, but this isn’t as easy as it sounds, and normally programmers don’t do it, because these files also contain binary data, so nobody wants to inspect all of that, and anyway, who can make a torrent file by hand? *joking*
Now let’s see what happens if I upload my torrent file, which contains <script>alert(document.cookie);</script> in the comment field.
As you can see, our script was executed.
This is not just a single vulnerability we found here; it is a more general problem in applications where users can upload files that are then parsed and displayed, and at the moment this very much includes BitTorrent trackers, as shown here.
Once more, a message to the developers out there: please implement sufficient filtering mechanisms.
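To make the two points above concrete (the metadata a tracker picks out of an uploaded *.torrent file, and what “sufficient filtering” has to look like), here is an added Python example. It is not code from this post or from any real tracker: it contains its own minimal bencode encoder/decoder, builds a constructed torrent whose comment field carries the same test string used above, extracts the name, comment and file list the way a tracker page would, and renders them twice, once dropped straight into HTML (the pattern described in the post) and once HTML-escaped on output. The announce URL and file names are constructed placeholders.

```python
import html

# --- Minimal bencode codec (written for this example; not a tracker's own code) ---

def bencode(value):
    """Encode int, str/bytes, list and dict into bencode bytes."""
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, str):
        value = value.encode("utf-8")
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        # bencode requires dictionary keys to be sorted as raw byte strings
        items = sorted((k.encode("utf-8") if isinstance(k, str) else k, v)
                       for k, v in value.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(f"cannot bencode {type(value).__name__}")


def bdecode(data):
    """Decode bencode bytes into Python values; strings stay bytes."""
    value, end = _decode(data, 0)
    if end != len(data):
        raise ValueError("trailing data after bencoded value")
    return value


def _decode(data, i):
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                                   # list: l<items>e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            item, i = _decode(data, i)
            items.append(item)
        return items, i + 1
    if c == b"d":                                   # dict: d<key><value>...e
        items, i = {}, i + 1
        while data[i:i + 1] != b"e":
            key, i = _decode(data, i)
            if not isinstance(key, bytes):
                raise ValueError("dictionary key must be a byte string")
            items[key], i = _decode(data, i)
        return items, i + 1
    if c.isdigit():                                 # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        length = int(data[i:colon])
        start = colon + 1
        return data[start:start + length], start + length
    raise ValueError(f"invalid bencode at offset {i}")


# --- What a tracker page shows: name, comment and the file list ---

def tracker_fields(torrent_bytes):
    """Pull out the metadata a tracker typically displays from a .torrent file."""
    meta = bdecode(torrent_bytes)
    info = meta[b"info"]
    name = info[b"name"].decode("utf-8", "replace")
    comment = meta.get(b"comment", b"").decode("utf-8", "replace")
    if b"files" in info:                            # multi-file torrent
        files = ["/".join(p.decode("utf-8", "replace") for p in f[b"path"])
                 for f in info[b"files"]]
    else:                                           # single-file torrent
        files = [name]
    return {"name": name, "comment": comment, "files": files}


def render_unsafe(fields):
    """The pattern the post describes: parsed metadata dropped straight into HTML."""
    items = "".join(f"<li>{f}</li>" for f in fields["files"])
    return f"<h1>{fields['name']}</h1><p>{fields['comment']}</p><ul>{items}</ul>"


def render_safe(fields):
    """Same page, but every value taken from the file is HTML-escaped on output."""
    esc = html.escape
    items = "".join(f"<li>{esc(f)}</li>" for f in fields["files"])
    return (f"<h1>{esc(fields['name'])}</h1><p>{esc(fields['comment'])}</p>"
            f"<ul>{items}</ul>")


# Constructed sample torrent: the post's test string sits in the comment field.
PAYLOAD = "<script>alert(document.cookie);</script>"
SAMPLE_TORRENT = bencode({
    "announce": "http://tracker.example/announce",  # placeholder URL
    "comment": PAYLOAD,
    "created by": "example",
    "info": {
        "name": "example-release",
        "piece length": 16384,
        "pieces": b"\x00" * 20,                     # one dummy 20-byte piece hash
        "files": [
            {"length": 1234, "path": ["README.txt"]},
            {"length": 5678, "path": ["sub", "notes <draft>.txt"]},
        ],
    },
})

if __name__ == "__main__":
    fields = tracker_fields(SAMPLE_TORRENT)
    print("unsafe:", render_unsafe(fields))
    print("safe:  ", render_safe(fields))
```

The design point is the one the post hints at: trying to “filter” the upload itself is awkward because the file is mostly binary (the `pieces` blob here), so the reliable fix is to treat every decoded string as untrusted and escape it at the moment it is written into the page, for the comment, the name and each file path alike.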


really nice find!
I also tried the same thing on a tracker, but I couldn’t get it running, because it seemed that my tracker was HTML-encoding every output…
I think such a technique could be used by authorities to gather IP addresses and other stuff on users who try to download stuff like illegal porn or music or something like that…
greets
Hi dex,
yes, they can get some information with this, but you have to keep in mind that only looking at the description or any other meta information of a Torrent file in your browser is not proof at all that you’ve downloaded the file(s) behind the Torrent.
you’re right.
I think that this could have the same impact as an XSS worm on a big social networking site. You only have to take the name of a new film, add ‘aXXo’ and you will have thousands of zombies within a short time…