Security Issue: Stored XSS #261
Comments
It can be great fun to search for vulnerabilities, but WhatWeb is not a web application so it cannot be vulnerable to Cross-site Scripting (XSS). If you had found an XSS vulnerability in an HTML output that would be more interesting, however WhatWeb does not support this output type, and it could not be used in an attack against WhatWeb anyway. Please keep in mind that Cross-site Scripting (XSS) is an attack that crosses a trust boundary on the web. WhatWeb has no trust boundary on the web to cross, no matter what type of file is created. If an arbitrary output file contains some JavaScript, which is not unusual with a web scraper, then that does not constitute an XSS vulnerability. By your logic Firefox would be considered vulnerable to XSS because it can save an HTML file that contains arbitrary HTML and JavaScript potentially defined by a malicious website. However, again there is no trust boundary to cross to attack Firefox.

Unable to reproduce on current versions of Chromium or Firefox. I think this only affects users of unsupported or out-of-date web browsers (IE6 and IE7) and operating systems (Windows 7). The chosen test environment is not indicative of fault in the application, it requires a bug in the browser to reproduce (not respecting Content-Type in HTTP headers and file extension not respected).

Yes, this fault only affects IE6 and IE7. And there is an exception when WhatWeb parses the redirect URL like

When I used WhatWeb to scan a target and use the `--log-json` option, stored XSS may occur.

The target is just like this:

I used Kali Linux with WhatWeb v0.4.9:

And the result:

```
[{"target":"http://localhost/whatweb.php","http_status":302,"request_config":{"headers":{"User-Agent":"WhatWeb/0.4.9"}},"plugins":{"X-Powered-By":{"string":["PHP/5.5.9-1ubuntu4.25"]},"PHP":{"version":["5.5.9-1ubuntu4.25"]},"Apache":{"version":["2.4.7"]},"Country":{"string":["RESERVED"],"module":["ZZ"]},"IP":{"string":["localhost"]},"HTTPServer":{"os":["Ubuntu Linux"],"string":["Apache/2.4.7 (Ubuntu)"]},"RedirectLocation":{"string":["/whatweb/xss/<script>alert(/xss/)</script>/"]}}},
```

When I use Windows 7 with IE7 to open the result, the XSS is triggered.

Suggestion:

Use URL encoding for the output URL. `<script>alert(/xss/)</script>` will be converted to `%3Cscript%3Ealert%28/xss/%29%3C/script%3E`.

Discovered by fobcrackgp@163.com
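The suggestion above, sketched as an added Ruby example (this is not WhatWeb's code): percent-encode URL values before they are written to a JSON log, so a scraped `Location` header cannot place raw markup in the file. `encode_for_log` and `log_record` are hypothetical names, and the set of characters left unencoded is an assumption.

```ruby
require "json"

# Assumption: characters left as-is are the URL unreserved set plus the
# delimiters a Location value needs ("/", ":", "?", "#", "@", "=", "&", "+")
# and "%", so escapes already present are not double-encoded. Everything
# else, including < > ( ) quotes and whitespace, is percent-encoded.
UNSAFE_IN_LOG = /[^A-Za-z0-9\-._~\/:?#@=&%+]/

# Encode byte by byte so multi-byte UTF-8 characters become %XX sequences.
def encode_for_log(url)
  url.b.gsub(UNSAFE_IN_LOG) { |c| format("%%%02X", c.ord) }
     .force_encoding(Encoding::UTF_8)
end

# Hypothetical helper: build a record shaped like the --log-json output
# quoted in the report, with every URL field passed through the encoder.
def log_record(target, status, location)
  {
    "target" => encode_for_log(target),
    "http_status" => status,
    "plugins" => {
      "RedirectLocation" => { "string" => [encode_for_log(location)] }
    }
  }
end

# Redirect value taken from the report's output.
RAW_LOCATION = "/whatweb/xss/<script>alert(/xss/)</script>/"

def demo_line
  JSON.generate(log_record("http://localhost/whatweb.php", 302, RAW_LOCATION))
end

puts demo_line if $PROGRAM_NAME == __FILE__
```

The logged value is an escaped form of the header rather than the raw bytes the server sent, so a consumer that needs the original string has to percent-decode it.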