stored XSS after XSS Filter Bypass through exporting an HTML-Document in thorsten/phpmyfaq
Reported on
Feb 14th 2023
Hello,
After mitigation of all submitted XSS vulnerabilities I was able to detect another XSS and bypass the XSS filters in the FAQ site while generating an HTML export.
Let's see :)
This is the XSS payload with XSS Ahmed 2
Only XSS Ahmed 2 will work!
Now let's export it in HTML5 and open the file; the XSS alert will be fired.
As you can see this is the XSS payload; let's refresh, it's stored.
Thank you for watching :)
Impact
Yes, but it can still steal cookies from any administrator, including normal users. Therefore, it should be mitigated.
I have a question, please. Can you assign the CVE to 2 persons or more in case we worked together?
Best regards, Ahmed Hassan
document.cookie is empty if you load the HTML file from the file system.
Yes, that's true, but the attacker can still carry out malicious attacks like implementing a keylogger, implementing login panels, downloading malicious content like malware onto the victim's PC (which can be the admin, of course) and running any scripts he wants, including ransomware attacks.
Even if the cookies can be stolen, there are several attack scenarios which can be carried out by only allowing the attacker to execute JavaScript.
Great work @ahmedvienna 👌 Could you kindly propose/submit a fix for this vulnerability? Any help is appreciated.
Of course. This is the process for the vulnerability mitigation:
Preventing XSS in HTML and PHP: the following are the methods by which we can prevent XSS in our web applications:
Using the htmlspecialchars() function: the htmlspecialchars() function converts special characters to HTML entities. For a majority of web apps we can use this method, and it is one of the most popular methods to prevent XSS. This process is also known as HTML escaping.
'&' (ampersand) becomes '&amp;'
'"' (double quote) becomes '&quot;'
'>' (greater than) becomes '&gt;'
htmlentities(): htmlentities() also performs the same task as htmlspecialchars(), but this function covers more character entities. Using this function may also lead to excessive encoding and may cause some content to display incorrectly.
strip_tags(): this function removes content between HTML tags. This function also does not filter or encode non-paired closing angle brackets.
addslashes(): the addslashes() function adds a slash character in an attempt to prevent the attacker from terminating the variable assignment and adding executable code at the end.
Content Security Policy (CSP): CSP is the last option that we choose to defend against XSS attacks. The use of CSP puts restrictions on the attacker's actions. Our browser executes all the JavaScript it receives from the server, whether internally or externally sourced. When it comes to an HTML document, the browser cannot determine whether the resource is malicious or not. CSP is an HTTP header that whitelists a set of trusted resource sources that a browser can use to determine trust in the incoming resource.
X-Content-Security-Policy: script-src 'self'
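To make the htmlspecialchars() point concrete for the export case discussed in this report, here is an added illustration of escaping FAQ fields while building an HTML5 export file, with a CSP meta tag as a second layer. It is not phpMyFAQ's own code: renderFaqExport(), h() and the sample record are assumptions made for the example, and it treats every field as plain text (an answer that must keep its own formatting would need an allowlist-based HTML sanitizer for that field instead).

```php
<?php
// Added illustration (not phpMyFAQ code): escape FAQ fields before writing
// them into an HTML5 export so stored markup renders as text, not script.
declare(strict_types=1);

// Escape a value for an HTML text node or attribute. ENT_QUOTES covers both
// quote styles, ENT_SUBSTITUTE avoids returning '' on malformed UTF-8.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Build the export document. Every user-controlled value passes through h().
// The CSP meta tag blocks inline script in browsers that enforce it, so a
// future escaping bypass still would not run code from the exported file.
function renderFaqExport(array $faqs): string
{
    $out  = "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"utf-8\">\n";
    $out .= "<meta http-equiv=\"Content-Security-Policy\" content=\"default-src 'none'; style-src 'self'\">\n";
    $out .= "<title>FAQ export</title>\n</head>\n<body>\n";
    foreach ($faqs as $faq) {
        $out .= "<article id=\"faq-" . h((string) $faq['id']) . "\">\n";
        $out .= "  <h2>" . h($faq['question']) . "</h2>\n";
        $out .= "  <p>" . h($faq['answer']) . "</p>\n";
        $out .= "</article>\n";
    }
    return $out . "</body>\n</html>\n";
}

// Constructed sample record: the answer carries an event-handler attribute of
// the kind a stored XSS relies on. After escaping, no executable tag remains.
$sample = [
    ['id' => 1, 'question' => 'Why "escape" on export?', 'answer' => '<img src=x onerror="alert(1)">'],
];
$html = renderFaqExport($sample);

if (str_contains($html, '<img')
    || !str_contains($html, '&lt;img src=x onerror=&quot;alert(1)&quot;&gt;')) {
    throw new RuntimeException('export still contains raw markup');
}
file_put_contents('faq-export.html', $html);
echo "wrote faq-export.html (", strlen($html), " bytes)\n";
```

Opening the written file in a browser shows the payload as literal text in the answer paragraph.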