Reflected XSS on demo.microweber.org/demo/module/ in microweber/microweber
Reported on
Apr 21st 2022
Description
Reflected XSS with filter bypass on /demo/module/ using module= & style= parameters.
Proof of Concept
https://demo.microweber.org/demo/module/?module='ont<a>ransitionend=alert(1)'"tabindex=1&style=transition:outline%200.001s&id=x&data-show-ui=admin&class=x&from_url=https://demo.microweber.org
Press tab for the alert() to show up.
Okay, three things to unpack here:
- " and ' in several parameters are reflected unescaped, which allows breaking out of the HTML attribute (the root cause of the XSS)
- ont<x>ransitionend gets sanitized to ontransitionend: the XSS filter only sees the split form and lets it through, and the tag stripping afterwards reassembles the event handler name
- style="transition:outline 1s" tabindex=1 is the setup you need to trigger a transition (and with it the ontransitionend handler) without a <style> tag
Took me some time to finally find an XSS payload that runs here :)
I'd suggest you do not allow breaking out of the HTML here, so filter ' & ". ont<x>ransitionend should be examined, this trick doesn't work in every parameter. Additionally, some JS event handlers are allowed, e.g. onunhandledrejection, you could think about an on.*= regex.
Impact
Execute arbitrary JavaScript as the attacked user.
It's the only payload I found working, you might need to press "tab" but there is probably a payload that runs without user interaction.
References
https://demo.microweber.org/demo/module/?module=%27onm%3Ca%3Eouseover=alert(1)%27%22tabindex=1&style=width:100%25;height:100%25;&id=x&data-show-ui=admin&class=x&from_url=https://demo.microweber.org
So the trick actually was the onev<x>enthandler in the module parameter, the transition is not needed, e.g. in the URL above I use onmouseover. The HTML is very different from what is rendered when a valid value of the module parameter is used.
<div class='x module module-'onmouseover=alert(1) ' tabindex="1" style="width:100%;height:100%;" id="x" data-show-ui="admin" from_url="https://demo.microweber.org" data-type="'onmouseover=alert(1)" parent-module="'onmouseover=alert(1)" parent-module-id="x" ></div>
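The two fixes the report asks for, as an added illustration that is not part of the report and not Microweber's code (Microweber is PHP; this is Python so it can be run standalone): attribute-context encoding of every reflected parameter so ' and " can no longer close the attribute, and, if an event-handler blocklist is kept at all, running it after tag stripping rather than before, which is the ordering the ont<a>ransitionend trick exploits. The function names (build_module_div, handler_after_stripping) and the simplified div are hypothetical; the two sample inputs are the module= values from the report's PoC URLs, URL-decoded.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample inputs: the two module= values from the report's PoC URLs,
# as they arrive in the query string (URL-decoded).
REPORTED_MODULE_VALUES = [
    "'ont<a>ransitionend=alert(1)'\"tabindex=1",
    "'onm<a>ouseover=alert(1)'\"tabindex=1",
]

TAG_RE = re.compile(r"<[^>]*>")
# Event-handler pattern along the lines of the on.*= regex the report suggests;
# \w+ instead of .* keeps it from spanning the whole value.
HANDLER_RE = re.compile(r"\bon\w+\s*=", re.IGNORECASE)


def strip_tags(value: str) -> str:
    """Drop anything that looks like a tag (stand-in for the sanitizer step that
    turns ont<a>ransitionend into ontransitionend)."""
    return TAG_RE.sub("", value)


def handler_before_stripping(value: str) -> bool:
    """Blocklist applied to the raw value: the embedded tag splits the handler
    name, so no on...= token is visible and the value passes."""
    return HANDLER_RE.search(value) is not None


def handler_after_stripping(value: str) -> bool:
    """Same blocklist applied to the normalised value, i.e. after every
    transformation that could reassemble a handler name has already run."""
    return HANDLER_RE.search(strip_tags(value)) is not None


def attr(value: str) -> str:
    """Attribute-context encoding: ' and " (plus < > &) become entities, so a
    value can never close the quoted attribute it is written into."""
    return html.escape(value, quote=True)


def build_module_div(module: str, style: str, elem_id: str) -> str:
    """Hardened rendering of a div like the one in the report (hypothetical
    builder, not Microweber code): every reflected parameter goes through attr()."""
    return (
        f'<div class="module module-{attr(module)}" '
        f'style="{attr(style)}" id="{attr(elem_id)}"></div>'
    )


class _DivAttrs(HTMLParser):
    """Collect the attributes an HTML parser sees on the rendered div."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "div":
            self.attrs = dict(attrs)


def parsed_div_attributes(markup: str) -> dict:
    """Parse the markup and return the div's attributes, values unescaped."""
    p = _DivAttrs()
    p.feed(markup)
    p.close()
    return p.attrs


if __name__ == "__main__":
    for v in REPORTED_MODULE_VALUES:
        print("raw blocklist:", handler_before_stripping(v),
              "| after stripping:", handler_after_stripping(v))
        rendered = build_module_div(v, "width:100%;height:100%;", "x")
        print(rendered)
        # Only class/style/id survive; the payload stays inside the class value.
        print(sorted(parsed_div_attributes(rendered)))
```

The parse step is the check worth keeping: after encoding, the only attributes on the div are the three the template declares, and the class value round-trips to the raw input unchanged, so nothing the user controls ever becomes an attribute name. The blocklist pair shows why a regex alone is not the fix: it only becomes reliable once it runs on the final, normalised string, and even then it is a second layer behind the encoding.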