Cross-site Scripting (XSS) - Stored in sergix44/xbackbone

Valid

Reported on

Jul 6th 2021


✍️ Description

Stored xss through file upload via a .svg file

🕵️‍♂️ Proof of Concept

Upload a .svg file with the following content:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.cookie);
</script>
</svg>

Give the file any name ending in .svg (for example store-xss.svg) and upload it. After the upload, click "open", then "raw", and the stored XSS executes.

💥 Impact

Possible to steal admin cookies or take over another account via cookie grabbing.

💥 Remediation

Force the file to be downloaded instead of being opened inline.
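As an added illustration (not code from this report or from XBackBone), the Python below sketches the two defences discussed on this page: rejecting SVG uploads that carry script, and serving the raw view of active content types as a forced download relabelled text/plain, as the maintainer proposes. The function names, header set and sample inputs are assumptions.

```python
# Added illustration (hypothetical helper, not XBackBone code) of how a file
# host can keep an uploaded SVG from running as a page in the viewer's origin.
import xml.etree.ElementTree as ET

# Constructed sample inputs: the report's PoC SVG and a harmless one.
POC_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">alert(document.cookie);</script>
</svg>"""
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'

# MIME types a browser renders as a document, i.e. where script can run.
ACTIVE_TYPES = {"image/svg+xml", "text/html", "application/xhtml+xml",
                "text/xml", "application/xml"}

def svg_has_active_content(data: bytes) -> bool:
    """True if the SVG contains <script>, on* event handlers or javascript:
    URLs; unparsable input is treated as unsafe."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return True
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1].lower() == "script":
            return True
        for name, value in el.attrib.items():
            if name.rsplit("}", 1)[-1].lower().startswith("on"):
                return True
            if value.strip().lower().startswith("javascript:"):
                return True
    return False

def raw_response_headers(declared_type: str, filename: str) -> dict:
    """Headers for a 'raw' file URL. Active types are forced to download and
    relabelled text/plain so the browser never interprets them; the filename
    is stripped of quote/CRLF characters to avoid header injection."""
    safe_name = "".join(c for c in filename if c not in '"\r\n')
    headers = {"X-Content-Type-Options": "nosniff",
               "Content-Security-Policy": "default-src 'none'; sandbox"}
    if declared_type.split(";")[0].strip().lower() in ACTIVE_TYPES:
        headers["Content-Type"] = "text/plain; charset=utf-8"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    else:
        headers["Content-Type"] = declared_type
        headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
    return headers
```

Rejecting at upload time and neutralising at serve time are complementary: the upload check catches the obvious cases, while the headers protect even files that slip past it.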

💥 References

https://owasp.org/www-community/attacks/xss/

https://en.wikipedia.org/wiki/Cross-site_scripting

https://www.acunetix.com/websitesecurity/cross-site-scripting/

https://www.imperva.com/learn/application-security/cross-site-scripting-xss-attacks/

Occurrences

We have contacted a member of the sergix44/xbackbone team and are waiting to hear back a year ago
sergix44/xbackbone maintainer
a year ago

Hi! Thanks for your work. All the cookies used by XBB are set by the backend as HttpOnly, so no remember tokens or session tokens should be leaked with this attack. I'm going to make a patch to return the SVG as plain text when using the raw mode. What do you think?

ribersec
a year ago

Researcher


Hi, thanks for the response. Yeah, that would be a great solution. An XSS attack would not be possible.

ribersec
a year ago

Researcher


@maintainer Hi, is it possible that you accept this as a bug (as well as the other report)? That way I am getting paid through the huntr.dev platform.

sergix44/xbackbone maintainer validated this vulnerability a year ago
ribersec has been awarded the disclosure bounty
The fix bounty is now up for grabs
Sergio Brighenti marked this as fixed with commit 840208 a year ago
Sergio Brighenti has been awarded the fix bounty
This vulnerability will not receive a CVE
amammad
a year ago

Yeah, great work guys...

For your interest, with XSS we can do many things other than steal cookies.

Just wanted to say something so you get more information.
