Cross-site Scripting (XSS) - Reflected in yeswiki/yeswiki
Dec 11th 2021
I found that the search function of YesWiki inserts the searched term into the value attribute of an input tag. For example, a search for sneaky puts the term sneaky inside the value attribute:
<input type="text" class="search-query form-control" placeholder="Rechercher..." value="sneaky" name="phrase"/>
Now, if I add a double quote to the searched term, it is rendered like this:
<input type="text" class="search-query form-control" placeholder="Rechercher..." value="sneaky"" name="phrase"/>
The quote is passed through untouched, which shows that special characters are neither encoded nor sanitized. Since the searched term is reflected, this is a prime candidate for a reflected XSS, so let's enter the XSS payload sneaky"><img src=x onerror=alert(document.cookie)>. This payload closes the value attribute and the input tag, then opens a new img tag that references a non-existent image; the onerror event handler therefore fires and executes the alert. In this case it displays our cookies, which means a user's session can be hijacked.
Proof of Concept
Because the cookies lack the HttpOnly flag, a user's session can be hijacked easily: when a link containing the XSS payload is clicked, the user's cookies are sent to an attacker's server.
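The following is an added example, not YesWiki's own code: it mirrors the input tag quoted in the report, shows how the reported payload breaks out of the value attribute when the term is reflected verbatim, and how attribute-context escaping (html.escape) prevents that. It also adds a small check for the missing HttpOnly flag mentioned in the proof of concept; the cookie header values are constructed for the example.

```python
import html
import re

# Template mirroring the <input> tag shown in the report; {value} is the reflected term.
TEMPLATE = ('<input type="text" class="search-query form-control" '
            'placeholder="Rechercher..." value="{value}" name="phrase"/>')

# Constructed inputs: the benign term and the payload quoted in the report.
BENIGN = 'sneaky'
PAYLOAD = 'sneaky"><img src=x onerror=alert(document.cookie)>'

def render_vulnerable(term: str) -> str:
    """Reflects the search term verbatim into the value attribute (the reported behaviour)."""
    return TEMPLATE.format(value=term)

def render_fixed(term: str) -> str:
    """Escapes &, <, >, " and ' so the term cannot terminate the attribute or the tag."""
    return TEMPLATE.format(value=html.escape(term, quote=True))

TAG_RE = re.compile(r'<[^>]+>')

def element_count(fragment: str) -> int:
    """Number of HTML tags in the fragment; a safe rendering contains exactly one."""
    return len(TAG_RE.findall(fragment))

def breaks_out(term: str, renderer) -> bool:
    """True when the rendered fragment contains more than the single intended <input> tag."""
    return element_count(renderer(term)) != 1

def cookie_has_httponly(set_cookie: str) -> bool:
    """Checks a Set-Cookie header value for the HttpOnly attribute (case-insensitive)."""
    attrs = [a.strip().lower() for a in set_cookie.split(';')[1:]]
    return 'httponly' in attrs

# Constructed Set-Cookie values: one without and one with the HttpOnly flag.
COOKIE_WEAK = 'PHPSESSID=constructed-session-id; Path=/'
COOKIE_HARDENED = 'PHPSESSID=constructed-session-id; Path=/; HttpOnly; Secure; SameSite=Lax'

if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        print(f"{name}: payload breaks out -> {breaks_out(PAYLOAD, fn)}")
    print("weak cookie HttpOnly:", cookie_has_httponly(COOKIE_WEAK))
    print("hardened cookie HttpOnly:", cookie_has_httponly(COOKIE_HARDENED))
```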