Security Issue: Stored XSS #261

Closed
ehaoxiongdiycw opened this issue Aug 27, 2018 · 3 comments

@ehaoxiongdiycw

When I used WhatWeb to scan a target with the --log-json option, stored XSS may occur.

The target looks like this:

```php
<?php
header("Location: /whatweb/xss/<script>alert(/xss/)</script>/");
die();
```

I used Kali Linux with WhatWeb v0.4.9:

```console
root@kali:~# whatweb -v 'http://localhost/whatweb.php' --log-json=whatweb.json
```

And the result:

```json
[{"target":"http://localhost/whatweb.php","http_status":302,"request_config":{"headers":{"User-Agent":"WhatWeb/0.4.9"}},"plugins":{"X-Powered-By":{"string":["PHP/5.5.9-1ubuntu4.25"]},"PHP":{"version":["5.5.9-1ubuntu4.25"]},"Apache":{"version":["2.4.7"]},"Country":{"string":["RESERVED"],"module":["ZZ"]},"IP":{"string":["localhost"]},"HTTPServer":{"os":["Ubuntu Linux"],"string":["Apache/2.4.7 (Ubuntu)"]},"RedirectLocation":{"string":["/whatweb/xss/<script>alert(/xss/)</script>/"]}}},
```

When I open the result on Windows 7 with IE7, the XSS is triggered.

Suggestion:
URL-encode the output URL. <script>alert(/xss/)</script> would be converted to %3Cscript%3Ealert%28/xss/%29%3C/script%3E.

Discovered by fobcrackgp@163.com
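An added example (not WhatWeb's code, and not part of the original issue) showing how a JSON log writer can keep the reported Location value intact while removing any literal markup from the file: HTML-significant characters are emitted as JSON \uXXXX escapes, which a JSON parser turns back into the original string. The reporter's percent-encoding suggestion is included for contrast, since it changes the recorded value. The sample record is constructed from the output quoted above.

```ruby
require 'json'

# Constructed sample modelled on the --log-json record in the report; the
# RedirectLocation string carries the reporter's probe value.
SAMPLE_RECORD = {
  "target" => "http://localhost/whatweb.php",
  "http_status" => 302,
  "plugins" => {
    "RedirectLocation" => { "string" => ["/whatweb/xss/<script>alert(/xss/)</script>/"] }
  }
}.freeze

# Serialise to JSON, then rewrite <, >, & and the U+2028/U+2029 line
# separators as \uXXXX escapes. The output is still valid JSON and parses
# back to the identical object, so log consumers see the real Location;
# the file itself just never contains a literal "<script>" sequence.
def html_safe_json(obj)
  JSON.generate(obj).gsub(/[<>&\u2028\u2029]/) { |c| format('\\u%04x', c.ord) }
end

# True when the serialised text contains no raw HTML-significant characters.
def free_of_markup?(json_text)
  !json_text.match?(/[<>&]/)
end

# The reporter's alternative: percent-encode markup characters inside the
# value itself. This also removes the literal tag, but the logged string is
# now different from what the server actually sent in its Location header.
def percent_encode_markup(s)
  s.gsub(/[<>()]/) { |c| format('%%%02X', c.ord) }
end

if __FILE__ == $PROGRAM_NAME
  puts html_safe_json(SAMPLE_RECORD)
  puts percent_encode_markup("<script>alert(/xss/)</script>")
end
```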

@urbanadventurer
Owner

urbanadventurer commented Aug 31, 2018

It can be great fun to search for vulnerabilities, but WhatWeb is not a web application so it cannot be vulnerable to Cross-site Scripting (XSS). If you had found an XSS vulnerability in an HTML output that would be more interesting, however WhatWeb does not support this output type, and it could not be used in an attack against WhatWeb anyway.

Please keep in mind that Cross-site Scripting (XSS) is an attack that crosses a trust boundary on the web. WhatWeb has no trust boundary on the web to cross, no matter what type of file is created. If an arbitrary output file contains some JavaScript, which is not unusual with a web scraper, then that does not constitute an XSS vulnerability.

By your logic, Firefox would be considered vulnerable to XSS because it can save an HTML file that contains arbitrary HTML and JavaScript potentially defined by a malicious website. However, again there is no trust boundary to cross to attack Firefox.


@barf

barf commented Aug 31, 2018

Unable to reproduce on current versions of Chromium or Firefox.

I think this only affects users of unsupported or out-of-date web browsers (IE6 and IE7) and operating systems (Windows 7).

The chosen test environment is not indicative of a fault in the application; it requires a bug in the browser to reproduce (neither the Content-Type HTTP header nor the file extension being respected).

@ehaoxiongdiycw
Author

Yes, this fault only affects IE6 and IE7.

And there is an exception when WhatWeb parses a redirect URL like /whatweb/xss/<script>alert(/xss/)</script>/. I think you have found it.
