
Stored Cross-Site Scripting (XSS) Vulnerability #377

Closed
@ociredefz

Description

The latest version of Snorby is vulnerable to a stored cross-site scripting attack.
These are the steps to reproduce the bug:

  1. Start Snorby in production-mode and log in the web UI.
  2. Go to 'Administration' -> 'Classifications' and 'Add classification'.
  3. In the classification title, add the XSS vector: title**<img src=x onerror=alert(document.cookie)>**
  4. Go back to the dashboard, click 'My Queue' and see the alert.

The output from the page snorby/app/views/events/_menu.html.erb is not properly sanitized before its rendering:

<% @classifications.each do |cls| %>
    <% if cls.locked && cls.hotkey %>
        <%= drop_down_item "#{cls.name}#{cls.shortcut}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %>
    <% else %>
        <%= drop_down_item "#{cls.name}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %>
    <% end %>
<% end %>

A simple XSS mitigation in Rails could be the use of the sanitize helper; for example, the code below filters the XSS vector by removing the onerror attribute from the image tag:

<% @classifications.each do |cls| %>
    <% if cls.locked && cls.hotkey %>
        <%= drop_down_item "#{sanitize cls.name}#{cls.shortcut}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %>
    <% else %>
        <%= drop_down_item "#{sanitize cls.name}", '#', nil, { :class => 'classification', :"data-classification-id" => cls.id.to_i } %>
    <% end %>
<% end %>

This is a demonstration screenshot:

[screenshots: snorby-xss, snorby-render-xss]
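Added example (not from the report or from Snorby): the report's proposed sanitize call keeps the img element and strips only the onerror attribute, whereas a classification name should never carry markup at all, so escaping at the interpolation point is the stricter fix. The block below uses a hypothetical stand-in for the drop_down_item helper (assumed shape) to contrast the unescaped and escaped renderings of the reported vector, and adds an audit check for names that were stored before the view was fixed.

```ruby
require "erb"

# Constructed sample input: the classification title from the report's
# reproduction steps, as it would come back from the database.
PAYLOAD_NAME = "title<img src=x onerror=alert(document.cookie)>"
BENIGN_NAME  = "Unauthorized Root Access"

# Hypothetical stand-in for the drop_down_item helper (assumed shape, not
# Snorby's real helper): the label is concatenated straight into markup,
# which is how a stored name reaches the browser unescaped.
def drop_down_item_unsafe(label, href = "#")
  "<li><a href=\"#{href}\" class=\"classification\">#{label}</a></li>"
end

# Hardened variant: HTML-escape every interpolated value at the point it
# enters the markup, so the name is always rendered as text, never parsed.
def drop_down_item_escaped(label, href = "#")
  "<li><a href=\"#{ERB::Util.html_escape(href)}\" class=\"classification\">" \
    "#{ERB::Util.html_escape(label)}</a></li>"
end

# Defender-side audit for records persisted before the view was fixed: flag
# a classification name carrying a tag start, an inline event handler
# attribute, or a javascript: URL, so stored payloads can be found and cleaned.
def suspicious_name?(name)
  !!(name =~ %r{<[a-z!/]|\bon\w+\s*=|javascript\s*:}i)
end

if __FILE__ == $PROGRAM_NAME
  puts drop_down_item_unsafe(PAYLOAD_NAME)
  puts drop_down_item_escaped(PAYLOAD_NAME)
  [PAYLOAD_NAME, BENIGN_NAME].each do |n|
    puts "#{n.inspect}: suspicious=#{suspicious_name?(n)}"
  end
end
```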
