Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Stored XSS in Rengine due to missing sanitization in "Vulnerable URLs" in "Vulnerability Scan Results" page #347

Closed
payloadartist opened this issue Feb 22, 2021 · 2 comments

Comments

@payloadartist
Copy link
Contributor

payloadartist commented Feb 22, 2021

First of all, kudos to you for bringing the Nuclei integration. reNgine is now my go to tool 🙌
No match to any other framework I used...

Issue Summary

I came across a Stored XSS while doing vulnerability scans at the following endpoint start_scan/detail/vuln

image

More specifically, before the vulnerable link is rendered into the Django template in the Vulnerability Scan Results page, it's not sanitized properly, which is why if a Nuclei template or, the vulnerable link itself has an XSS payload it would get executed.

Attack scenarios:

  1. Malicious Nuclei template.
  2. Malicious page title.

Steps to Reproduce

  1. Perform vulnerability scan on a page with XSS payloads
  2. If a reflected XSS payload fire happens (or false positive)
  3. Example case - https://www.test.com/?fccc0%22%3E%3Cscript%3Ealert(1)%3C/script%3E5f43d=1 in vulnerable URLs
  4. rEngine renders the script tag, and the alert gets triggered as soon as the page loads

Any other relevant information. For example, why do you consider this a bug and what did you expect to happen instead?

  • I have confirmed that this issue can be reproduced as described on a latest version/pull of reNgine: (yes / no)

yes

Technical details

Please list out any technical details such as operating environment.

rEngine latest release deployed on Docker

@payloadartist
Copy link
Contributor Author

payloadartist commented Feb 22, 2021

And the PoC with the customary alert popup as I think no XSS report is complete without it :P

Everytime I loaded the Vulnerability Results page, this got triggered and it became quite annoying, so a functional bug too in a way

image

yogeshojha added a commit that referenced this issue Feb 23, 2021
yogeshojha added a commit that referenced this issue Feb 23, 2021
@yogeshojha
Copy link
Owner

This has been fixed.
Thank you once again for reporting.
If you find any other instances of XSS, feel free to report them on a separate issues.

Here is the acknowledgement from reNgine:

https://github.com/yogeshojha/rengine/blob/master/.github/SECURITY.md

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants