4.9 GHT2-009 --- Middleman improper input validation results in XSS
Vulnerability ID: GHT2-009
Retest status:
Vulnerability type: XSS
Threat level: Moderate
Description: {#description-8 .title-findingsection}
Middleman is used to generate the totem-project.org website and does not properly validate input, resulting in XSS.
Technical description: {#technical-description-8 .title-findingsection}
Adding the payload to the course description:
The payload is added. When the rake script is run (a manual process initiated by a highly privileged SSH user), Middleman generates the new website, which then contains our payload; it redirects everyone who visits totem-project.org to the URL set in the payload (in this case radicallyopensecurity.com):
Note that the title field allowed dangerous input as well, but the Middleman conversion rejected the payload:
Impact: {#impact-8 .title-findingsection}
- Users' browsers can be attacked just by running the application. A successful attack could lead to session hijacking, credential theft, or infecting the client's system with malware. Note that the threat level would have been higher if lower-privileged users were able to create or modify the course descriptions; at the moment this is, however, only allowed for staff and admin users.
Recommendation: {#recommendation-8 .title-findingsection}
- All user input as well as output to users must be strictly filtered. These checks should use filter mechanisms that operate on a whitelist basis rather than a blacklist basis. Parameters or input fields that may only contain numerical values should only be accepted by the server if they are in fact numeric. All checks have to be performed on the server and not on the client side. To avoid cross-site scripting it is necessary to substitute special characters like [;()"´`,<>/] for their HTML equivalents. It is not sufficient to only filter special HTML tags like "script", because cross-site scripting vulnerabilities can be exploited through countless alternatives.
- More information can be found at: https://www.owasp.org/index.php/Cross_Site_Scripting
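The following is an added example of the recommendation above, written here for illustration; it is not code from the report, from the totem-project.org site, or from Middleman. It assumes a hypothetical course record with `title`, `description` and `duration_hours` fields, and shows server-side entity encoding of exactly the characters listed above (plus `&`, which must be encoded first) and a whitelist check for a numeric field, applied at the point where the HTML fragment is produced rather than in the browser.

```ruby
# Added example (not from the report or from Middleman): server-side
# output encoding and whitelist input validation for course data before
# it is handed to a static-site generator. Function and field names are
# hypothetical.

# Every character the recommendation lists, plus & (encoded first, or the
# entities themselves would be re-encoded) and the quote characters an
# attribute context needs. Numeric entities are used where no common
# named entity exists.
HTML_ESCAPES = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;',
  "'" => '&#39;', ';' => '&#59;', '(' => '&#40;', ')' => '&#41;',
  '`' => '&#96;', '´' => '&#180;', ',' => '&#44;', '/' => '&#47;'
}.freeze

# Regexp.union escapes each key, so / ( ) and friends are matched literally.
ESCAPE_PATTERN = Regexp.union(HTML_ESCAPES.keys)

# Replace each listed character with its HTML entity in a single pass, so
# the result contains nothing that can open a tag, attribute or script
# context wherever it is later embedded.
def escape_for_html(text)
  text.to_s.gsub(ESCAPE_PATTERN, HTML_ESCAPES)
end

# Whitelist check for a field that may only hold a non-negative integer:
# returns the Integer, or nil when the value contains anything else.
def validate_numeric(value)
  return nil unless value.to_s.match?(/\A\d+\z/)
  value.to_i
end

# Build the HTML fragment for one course. Encoding happens here, on the
# server at the point of output; a record with a non-numeric duration is
# rejected outright instead of being rendered.
def render_course(course)
  duration = validate_numeric(course[:duration_hours])
  return nil if duration.nil?
  title = escape_for_html(course[:title])
  description = escape_for_html(course[:description])
  "<h2>#{title}</h2>\n<p>#{description}</p>\n<p>Duration: #{duration} hours</p>"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample record with a redirect payload in the description.
  course = {
    title: 'Intro course',
    description: '<script>window.location="https://example.invalid/"</script>',
    duration_hours: '2'
  }
  puts render_course(course)
end
```

Running the file prints the fragment with the description rendered as inert text (`&lt;script&gt;…`). The check is deliberately positional: content is validated or encoded where it leaves the server, so a payload that survives in the database (as the course description did here) still cannot reach the generated page as markup.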