Stored Cross Site Scripting Vulnerability
Risk Description
Stored cross-site scripting vulnerabilities arise when user input is stored and later embedded into the application's responses in an unsafe way. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content. The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes. Methods for introducing malicious content include any function where request parameters or headers are processed and stored by the application, and any out-of-band channel whereby data can be introduced into the application's processing space (for example, email messages sent over SMTP that are ultimately rendered within a web mail application). Stored cross-site scripting flaws are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach target users and are not hindered by web browsers' XSS filters. Depending on the affected page, ordinary users may be exploited during normal use of the application. In some situations, this can be used to create web application worms that spread exponentially and ultimately exploit all active users.
POC:
Let's see the welcome page before login.
Login to the application.
Go to the Template location and add a new template.
Add the XSS payload in the description and new category location fields: <ScRipT>alert("XSS");</ScRipT>
Save and exit; the template location will show the XSS popup.
Mitigation:
• Output encoding: It is recommended to implement ‘output encoding’ to convert untrusted input into a safe form where the input is displayed as data to the user without executing as code in the browser.

Java HTML encoding function:

```java
import java.text.StringCharacterIterator;

public final class HTMLEncoder {
    // Replaces the characters that HTML treats as markup with their entities;
    // every other character is copied through unchanged.
    public static String HTMLEncode(String aTagFragment) {
        final StringBuffer result = new StringBuffer();
        final StringCharacterIterator iterator = new StringCharacterIterator(aTagFragment);
        char character = iterator.current();
        while (character != StringCharacterIterator.DONE) {
            if (character == '<') result.append("&lt;");
            else if (character == '>') result.append("&gt;");
            else if (character == '"') result.append("&quot;");
            else if (character == '\'') result.append("&#039;");
            else if (character == '\\') result.append("&#092;");
            else if (character == '&') result.append("&amp;");
            else {
                // the char is not a special one
                // add it to the result as is
                result.append(character);
            }
            character = iterator.next();
        }
        return result.toString();
    }
}
```

• Escaping: Escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into.

ESAPI API:

```java
String safe = ESAPI.encoder().encodeForHTML(request.getParameter("input"));
```

• Filtering input parameter: Positive or "whitelist" input validation with appropriate canonicalization is the recommended filtering technique. Alternatively, black-list filtering input works by removing some or all special characters from your input. Special characters are characters that enable script to be generated within an HTML stream. Special characters include the following: < > " ' % ; ) ( & + -

JavaScript code:

```javascript
function RemoveBad(strTemp) {
    // ( ) and + are regex metacharacters and must be escaped for the pattern to compile
    strTemp = strTemp.replace(/<|>|"|'|%|;|\(|\)|&|\+|-/g, "");
    return strTemp;
}
```
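As an added example (not code from the original issue or from the project it reports against), the output-encoding and per-context escaping advice above applied in JavaScript to the two stored fields from the PoC, with the blacklist filter the report lists placed alongside for comparison. The table-row markup, the function names and the benign sample string are assumptions made for this example; the payload is the one from the PoC.

```javascript
// Added example, not code from the original issue or from the project it
// reports against. It applies "output encoding" and "escape per HTML
// context" from the mitigation section to the stored values from the PoC
// (template description and category) and contrasts that with the blacklist
// character-stripping filter the report also lists.
// The row layout, field names and the benign sample string are constructed.

// Entity map for HTML body (element content) context.
const HTML_BODY_MAP = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};

// Output encoding for HTML body context: only the characters the HTML parser
// treats as markup are replaced, so the stored text is shown as data instead
// of being parsed as a tag, and nothing is silently deleted.
function encodeForHTML(untrusted) {
  return String(untrusted).replace(/[&<>"'/]/g, (ch) => HTML_BODY_MAP[ch]);
}

// Output encoding for HTML attribute value context: every non-alphanumeric
// code point becomes a numeric entity, so the value cannot terminate the
// attribute or the tag regardless of how the attribute is quoted.
function encodeForHTMLAttribute(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/gu,
    (ch) => `&#x${ch.codePointAt(0).toString(16)};`);
}

// The blacklist filter from the report, with the regex metacharacters escaped
// so the pattern compiles. It deletes characters rather than encoding them.
function removeBad(strTemp) {
  return strTemp.replace(/<|>|"|'|%|;|\(|\)|&|\+|-/g, "");
}

// Vulnerable rendering: stored values concatenated straight into markup,
// which is the behaviour that produces the alert popup in the PoC.
function renderRowUnsafe(description, category) {
  return `<tr><td data-category="${category}">${description}</td></tr>`;
}

// Fixed rendering: each value encoded for the context it is placed into
// (attribute value for the category, element content for the description).
function renderRowSafe(description, category) {
  return `<tr><td data-category="${encodeForHTMLAttribute(category)}">` +
    `${encodeForHTML(description)}</td></tr>`;
}

// Check used below: does the rendered fragment still contain a script start tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

const PAYLOAD = '<ScRipT>alert("XSS");</ScRipT>';   // payload from the PoC
const BENIGN = 'Tom & Jerry (2021) - "remastered"'; // constructed benign input

// Collects the rendered and transformed strings so they can be compared.
function demo() {
  return {
    unsafeRow: renderRowUnsafe(PAYLOAD, PAYLOAD),
    safeRow: renderRowSafe(PAYLOAD, PAYLOAD),
    encodedPayload: encodeForHTML(PAYLOAD),
    strippedPayload: removeBad(PAYLOAD),
    encodedBenign: encodeForHTML(BENIGN),
    strippedBenign: removeBad(BENIGN),
  };
}

// Visual check when run directly: node xss_encoding_example.js
console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the unencoded row still carrying `<ScRipT>` while the encoded row carries `&lt;ScRipT&gt;`, and it also shows the difference the report's own wording hints at: encoding keeps the benign description readable, whereas the character blacklist turns `Tom & Jerry (2021) - "remastered"` into `Tom  Jerry 2021  remastered`.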
The fix is contrary to the access policy in the administration panel. Having access to create templates / snippets / chunks or plug-ins, you can execute arbitrary code. Therefore, XSS is not something that we should worry about.