Stored Cross Site Scripting #1041

Closed
prasadlingamaiah opened this issue Mar 22, 2019 · 3 comments
@prasadlingamaiah
Stored Cross Site Scripting Vulnerability
Risk Description

Stored cross-site scripting vulnerabilities arise when user input is stored and later embedded into the application's responses in an unsafe way. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content. The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes. Methods for introducing malicious content include any function where request parameters or headers are processed and stored by the application, and any out-of-band channel whereby data can be introduced into the application's processing space (for example, email messages sent over SMTP that are ultimately rendered within a web mail application). Stored cross-site scripting flaws are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach target users and are not hindered by web browsers' XSS filters. Depending on the affected page, ordinary users may be exploited during normal use of the application. In some situations, this can be used to create web application worms that spread exponentially and ultimately exploit all active users.

POC:

1. Let's see the welcome page before login.
   [screenshot 1: login page]

2. Login to the application.
   [screenshot 2: dashboard after login]

3. Go to the Template location and add a new template.
   [screenshot 3: template location]

4. Add the XSS payload in the description and in the new category location, using <ScRipT>alert("XSS");</ScRipT>
   [screenshot 5: new category]

5. Save and exit; the template location will get the XSS popup.
   [screenshot 6: save and close]

Mitigation:

• Output encoding: It is recommended to implement "output encoding" to convert untrusted input into a safe form where the input is displayed as data to the user without executing as code in the browser. Java HTML encoding function:

```java
import java.text.StringCharacterIterator;

public final class HTMLEncoder {

    public static String HTMLEncode(String aTagFragment) {
        final StringBuffer result = new StringBuffer();
        final StringCharacterIterator iterator = new StringCharacterIterator(aTagFragment);
        char character = iterator.current();
        while (character != StringCharacterIterator.DONE) {
            // replace the characters that can change HTML structure with entities
            if (character == '<') result.append("&lt;");
            else if (character == '>') result.append("&gt;");
            else if (character == '"') result.append("&quot;");
            else if (character == '\'') result.append("&#039;");
            else if (character == '\\') result.append("&#092;");
            else if (character == '&') result.append("&amp;");
            else {
                // the char is not a special one
                // add it to the result as is
                result.append(character);
            }
            character = iterator.next();
        }
        return result.toString();
    }
}
```

• Escaping: Escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into. ESAPI API:

```java
String safe = ESAPI.encoder().encodeForHTML(request.getParameter("input"));
```

• Filtering input parameter: Positive or "whitelist" input validation with appropriate canonicalization is the recommended filtering technique. Alternatively, black-list filtering input works by removing some or all special characters from your input. Special characters are characters that enable script to be generated within an HTML stream. Special characters include the following: < > " ' % ; ) ( & + - JavaScript code:

```javascript
function RemoveBad(strTemp) {
    // strip every blacklisted character; ( ) and + are escaped so the regex compiles
    strTemp = strTemp.replace(/<|>|"|'|%|;|\(|\)|&|\+|-/g, "");
    return strTemp;
}
```
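The mitigation section above lists three techniques but shows only a body-context encoder and a character-stripping filter. The following is an added example, not code from the reporter or from the project, showing what "escape based on the HTML context" means in practice: one encoder each for element body, attribute value and JavaScript string literal, side by side with the report's blacklist filter. Function names (encodeForHTML, encodeForHTMLAttribute, encodeForJavaScript, removeBad, renderTemplateCard) and the sample strings are this example's own, not ESAPI's; the payload string is the one from the POC and the "legitimate" description is constructed.

```javascript
// Added example (not from the issue report or the project): context-aware
// output encoding versus the character-stripping blacklist filter.
// Function names and sample strings are this example's own, not ESAPI's.

// HTML body context: the five characters that can alter HTML structure.
const HTML_ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function encodeForHTML(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ENTITY[ch]);
}

// HTML attribute context: encode every non-alphanumeric code point as a numeric
// entity. That keeps the value inert even in an unquoted attribute, where a bare
// space would otherwise terminate the value and start a new attribute.
function encodeForHTMLAttribute(input) {
  return Array.from(String(input), (ch) =>
    /^[A-Za-z0-9]$/.test(ch) ? ch : `&#x${ch.codePointAt(0).toString(16).toUpperCase()};`
  ).join('');
}

// JavaScript string-literal context: \xHH for Latin-1, \u{H...} for the rest, so a
// value dropped into var x = "..." can neither close the literal nor the <script> tag.
function encodeForJavaScript(input) {
  return Array.from(String(input), (ch) => {
    if (/^[A-Za-z0-9]$/.test(ch)) return ch;
    const code = ch.codePointAt(0);
    return code < 0x100
      ? `\\x${code.toString(16).padStart(2, '0')}`
      : `\\u{${code.toString(16)}}`;
  }).join('');
}

// The blacklist filter from the report, as a character class so the regex compiles;
// it deletes the listed characters instead of encoding them.
function removeBad(strTemp) {
  return strTemp.replace(/[<>"'%;()&+-]/g, '');
}

// A template description rendered into the three contexts an editor page might use:
// element body, attribute value (deliberately unquoted) and a script string literal.
function renderTemplateCard(description) {
  return [
    `<p>${encodeForHTML(description)}</p>`,
    `<input name="description" value=${encodeForHTMLAttribute(description)}>`,
    `<script>var description = "${encodeForJavaScript(description)}";</script>`,
  ].join('\n');
}

// Constructed inputs: the payload from the report and a legitimate description.
const PAYLOAD = '<ScRipT>alert("XSS");</ScRipT>';
const LEGITIMATE = "O'Brien & Sons (est. 2019)";

console.log(renderTemplateCard(PAYLOAD));
console.log('blacklist keeps:', removeBad(LEGITIMATE));
console.log('encoder keeps:  ', encodeForHTML(LEGITIMATE));
```

Run it with node. The rendered card contains the payload text in all three contexts, but no `<ScRipT` tag survives in any of them, whereas the blacklist filter turns "O'Brien & Sons (est. 2019)" into "OBrien  Sons est. 2019": stripping changes the data, encoding preserves it, which is why the report's own first recommendation (output encoding) is the one to follow.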

@prasadlingamaiah (Author)

Hello Team,
Any update on this?

Regards
Prasad

@AgelxNash

The fix is contrary to the access policy in the administration panel. Having access to create templates / snippets / chunks or plug-ins, you can execute arbitrary code. Therefore, XSS is not something that we should worry about.

@prasadlingamaiah (Author)

Can I expect any bounty here?
