Summary
I have discovered a stored Cross-Site Scripting (XSS) vulnerability in reNgine. It is triggered by scanning a domain whose DNS records contain an XSS payload: the payload is stored together with the scan results and executed in the reNgine dashboard view when any user views those results.
Because the XSS payload is fetched directly from the DNS records of the remote target domain, the attacker needs no additional input from the target or from the reNgine user to carry out the attack.
Details
An attacker can create a malicious DNS TXT record (other record types work as well) in their own DNS zone that contains the XSS payload. When anyone scans the attacker's domain with reNgine, the malicious record value is stored by reNgine and the payload executes as soon as a user opens the "Vulnerability" result tab for that domain.
PoC
- Log in to the reNgine application.
- Go to 'Quick Add' -> 'Target'.
- Add the domain "x.0x90.in" (for the PoC I used my own domain). The domain must be prepared before scanning: add the DNS record shown below to the domain's DNS zone and confirm it resolves before starting the scan.
- Run a 'Vulnerability Scan'.
- Wait for the scan to finish.
- Go to Result -> Vulnerability tab and view all vulnerabilities. The Cross-Site Scripting (XSS) payload executes in the front end.
// Add this TXT DNS record to the domain you want to scan, before the scan starts:
"{"Test<img src=x onerror=alert(document.domain)>":1}" {{ '<script>alert(3)</script>' | safe }}
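To illustrate the rendering mistake behind this class of bug and its fix, the following is an added example in Python (reNgine is a Django application); it is not reNgine's own code and does not reproduce its templates or models. The record values are constructed sample input built from the PoC payload above, and the names `strip_txt_quotes`, `render_cell_unsafe`, `render_cell_safe`, `cell_contains_markup` and `triage` are chosen for this example only.

```python
import html
import re

# Constructed sample input (not real resolver output): a benign SPF record
# and the PoC TXT record value, in the quoted form a resolver returns for
# TXT RDATA.
SAMPLE_TXT_RECORDS = [
    '"v=spf1 -all"',
    '"{"Test<img src=x onerror=alert(document.domain)>":1}"',
    "\"{{ '<script>alert(3)</script>' | safe }}\"",
]


def strip_txt_quotes(value: str) -> str:
    """Drop the surrounding quotes a TXT string carries; the content is untouched."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def render_cell_unsafe(record: str) -> str:
    """The bug pattern: scanner output is concatenated straight into markup.
    In a Django template this is what `{{ value|safe }}` or mark_safe() does
    to a value that came from an untrusted DNS zone."""
    return f"<td>{strip_txt_quotes(record)}</td>"


def render_cell_safe(record: str) -> str:
    """Hardened form: HTML-escape the untrusted value at render time, so the
    browser displays the record text instead of parsing it as tags.
    Django's default autoescaping does the same; |safe disables it."""
    return f"<td>{html.escape(strip_txt_quotes(record), quote=True)}</td>"


# Anything that looks like the start of an HTML tag inside the cell body.
TAG_RE = re.compile(r"<\s*/?[a-zA-Z]")


def cell_contains_markup(cell: str) -> bool:
    """True if the rendered cell body (inside our own <td> wrapper) still
    contains tag syntax that a browser would act on."""
    body = cell[len("<td>"):-len("</td>")]
    return TAG_RE.search(body) is not None


def triage(records):
    """Map each raw record to whether it would execute if rendered unescaped.
    Usable as a pre-render check on scan output before it reaches the UI."""
    return {r: cell_contains_markup(render_cell_unsafe(r)) for r in records}


if __name__ == "__main__":
    for rec, dangerous in triage(SAMPLE_TXT_RECORDS).items():
        print(f"{'XSS ' if dangerous else 'ok  '} {render_cell_safe(rec)}")
```

The check only flags HTML tag syntax on purpose: once the value is HTML-escaped, the `{{ ... | safe }}` part of the PoC payload is inert, because a stored string is displayed by the template, not re-parsed as template source. The `<img onerror=...>` part is the one that fires when the value reaches the page unescaped.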
Impact
The impact of this vulnerability is significant. By exploiting it, an attacker can inject and execute arbitrary scripts in the context of the reNgine web application, in the session of whichever user views the scan results. This allows them to perform various malicious actions, including but not limited to:
- Stealing sensitive information. I was able to use an AJAX call to fetch internal data and send the response to the attacker's system via an HTTP request.
- Defacing the tool's user interface by displaying offensive or misleading content.
- Phishing attacks by redirecting users to malicious websites.
- Leveraging the tool's capabilities for further attacks on the local network or other vulnerable systems.