WiFi Scanning (and other features) vulnerable to Cross-Site Scripting (XSS) #3233

@breakingsystems

Description

What happened?

By creating a WiFi hotspot with a malicious SSID, arbitrary JavaScript can be executed in a user's session when they scan for nearby hotspots.

PoC SSID: <img src=x onerror=alert(1)>
PoC screenshot: [screenshot image, not reproduced here]

The responsible LoC: https://github.com/Aircoookie/WLED/blob/main/wled00/data/settings_wifi.htm#L73

(Instead of popping an alert box, the JavaScript payload could change or exfiltrate settings or erase the device)

Other vectors

Please note that other input fields are also vulnerable to XSS, however in those cases an attacker would need to be able to inject malicious configuration values.

Example PoCs:

  • Set the MQTT broker name to ";alert(1);", then load the Sync settings page again
    [screenshot image: 2_mqtt]
  • In an older version of WLED (before WiFi scanning was implemented), set the WiFi SSID to ";alert(1);", then load the WiFi settings page
    [screenshot image: 3_wifi_old]

In those scenarios, the user input is used without sanitization in a JavaScript context in the GetV() function, which is why the payload looks a bit different.

Mitigation

XSS can be prevented by encoding data (and especially user input) according to its context (so different encoding would be needed for the HTML and JavaScript contexts from above).

Please check https://portswigger.net/web-security/cross-site-scripting/preventing for more details.

Please note: For the WiFi scanning feature, the XSS can also quickly be prevented by changing .innerHTML to .textContent in the above-mentioned line.
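The following is an added illustration, not code from the WLED project, of the two output contexts this report describes: the HTML context (the scan-results dropdown built via innerHTML) and the JavaScript string context (a setting value templated into a `...value="...";` line as GetV() does). The `d.Sf.<field>.value` line shape and the field names are assumptions for the example; the encoders are generic. It runs under Node.js without a DOM and uses the PoC payloads from this report as constructed sample input.

```javascript
// Added example (not WLED code): context-aware output encoding for the two
// injection contexts in this report. Runs under Node.js, no DOM required.

// Encode a value for insertion into HTML text or a quoted HTML attribute.
// The five characters below are the ones that can change HTML structure.
function encodeForHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Encode a value for insertion inside a JavaScript string literal. Everything
// outside a conservative allow-list becomes a \xHH or \uHHHH escape, so the
// value can never terminate the quote or append a statement.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 _.\-]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// HTML context: build an <option> for the scan-results dropdown.
// The first variant mirrors the innerHTML pattern from the report; the second
// encodes the SSID for the HTML context before concatenating it.
function buildOptionVulnerable(ssid) {
  return `<option value="${ssid}">${ssid}</option>`;
}
function buildOptionSafe(ssid) {
  const enc = encodeForHtml(ssid);
  return `<option value="${enc}">${enc}</option>`;
}

// JavaScript context: build the line a GetV()-style template emits to prefill
// a settings field (the MQTT broker / old-SSID vectors). The `d.Sf.<field>`
// shape is assumed for illustration only.
function buildGetVLineVulnerable(field, value) {
  return `d.Sf.${field}.value="${value}";`;
}
function buildGetVLineSafe(field, value) {
  return `d.Sf.${field}.value="${encodeForJsString(value)}";`;
}

// Constructed sample inputs: the PoC payloads quoted in the report.
const POC_SSID = '<img src=x onerror=alert(1)>';
const POC_MQTT = '";alert(1);"';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildOptionVulnerable(POC_SSID));        // emits a live <img> tag
  console.log(buildOptionSafe(POC_SSID));              // emits inert text
  console.log(buildGetVLineVulnerable('MS', POC_MQTT)); // quote closed, statement injected
  console.log(buildGetVLineSafe('MS', POC_MQTT));       // stays inside one string literal
}
```

In a real page the simplest HTML-context fix is the one the report names: create the element and assign the SSID with `textContent` (or `new Option(ssid, ssid)`), which never parses the value as markup, so no manual encoding is needed. The JavaScript-string encoder above is for the templated case, where the value is written into script text on the server side and the browser has no chance to treat it as data.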

To Reproduce Bug

  1. Create a WiFi hotspot with the name <img src=x onerror=alert(1)> (for example using a phone's WiFi hotspot mode)
  2. Open the WiFi settings page of a WLED device and click "Scan"
  3. Wait for an alert box to open

Expected Behavior

The WiFi SSID should be fully shown in the dropdown menu. No external and potentially malicious JavaScript should be executed.

Install Method

Binary from WLED.me

What version of WLED?

0.14.0-b1, 0.13.3

Which microcontroller/board are you seeing the problem on?

ESP32

Relevant log/trace output

No response

Anything else?

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
