Hello friends, today I will show you the steps for detecting and exploiting a Stored XSS (File Upload Comment) vulnerability, a scenario I encountered in web application security tests and reproduced in my project named Saka.
What’s XSS
You can find detailed information about the XSS vulnerability in the article below.
Running the Application
Docker
docker pull erdemstar/saka:stored-xss-file-upload-comment
docker run --rm -d -p 80:8080 erdemstar/saka:stored-xss-file-upload-comment
Visual Studio 2022 IDE
git clone https://github.com/Erdemstar/Saka
cd Saka/stored-xss-file-upload-comment
- double-click stored-xss-file-upload-comment.sln in Explorer, or
- run devenv stored-xss-file-upload-comment.sln from CMD
Reconnaissance
When we first open the application, a page like the one below welcomes us. By pressing the Attack button on the page, we are directed to the part we will test.
After visiting the Attack page, we reach a screen that accepts a file upload in CSV format from the user and also displays the comments.
The HTTP GET request sent for the Attack page is as follows. Checking the details of the response, we see that the user is expected to upload a file to the “/Home/Attack” endpoint using the HTTP POST method. Looking further, we also see that a link to a sample file in CSV format has been included.
Additionally, we observe that the content of the CSV files received from the user is parsed, added to a table and displayed to all users.
The sample CSV file linked in the response was downloaded; its content is as follows.
The file content is edited as follows and used for the file upload.
The edited CSV file is used for the file upload and the request is as follows. The request is created using the HTTP POST method and the CSV data is sent to the “/Home/Attack” endpoint.
The final status after the request reaches “/Home/Attack” is as follows.
Mental Notes
- The application keeps sample files under the “/files/” path.
- The application expects a file in CSV format from the user. For the file to be sent, a request must be sent to the “/Home/Attack” endpoint with the HTTP POST method.
- The application reads the first two columns of each line of the uploaded file and uses them as the Name and Comment values.
- After the comments are entered, the application redirects to the same page with a 302 Redirect and shows all the comments.
Exploitation
After obtaining sufficient information about the application, we add some characters that the browser will interpret as markup to the name and comment values we send, in order to test for the XSS vulnerability.
For this purpose, a standard payload was created as follows and added to the CSV file.
"><h1>Erdemstar
The CSV Upload request sent is as follows.
When the last comment that appears on the screen after the redirect is checked, we see that the application performs input validation on the “Name” parameter but does not perform a similar operation on the “Comment” parameter: it records the comment data it receives and displays it exactly as is.
Having learned this much about the application's behavior, when we send a request with the value below in the comment field, we complete the Stored XSS scenario on the application.
<audio src=1 href=1 onerror="javascript:alert(1)"></audio>
The final status after the request is as follows.
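To make the two findings above concrete (the Mental Notes on how the CSV is consumed, and the Exploitation result that Comment is rendered unencoded while Name is not), here is an added Python example. It is not the Saka project's own code (Saka is a .NET application) and it does not show what Saka's Name validation actually does; it simply models the described parsing, places the vulnerable rendering pattern next to a hardened one, and adds a review check that flags uploaded rows containing HTML-significant characters. The sample upload is constructed here and reuses the two values shown in the write-up; it assumes the upload has no header row.

```python
import csv
import html
import io

# Constructed sample upload (not a file from the Saka project). Each line is
# "name,comment"; row 2 carries the first probe from the write-up, row 3 the
# audio/onerror value. Double quotes are doubled per CSV rules so that the
# fields parse to exactly the strings shown in the post.
SAMPLE_CSV = (
    "Alice,Nice application\n"
    '"""><h1>Erdemstar",first probe\n'
    'Bob,"<audio src=1 href=1 onerror=""javascript:alert(1)""></audio>"\n'
)


def parse_comments(text):
    """Mirror the behaviour described in Mental Notes: take the first two
    columns of every line as (name, comment). Lines with fewer than two
    columns are skipped. Assumption: no header row."""
    rows = []
    for record in csv.reader(io.StringIO(text)):
        if len(record) < 2:
            continue
        rows.append((record[0], record[1]))
    return rows


def render_vulnerable(rows):
    """The pattern the write-up found: Name is treated (here: HTML-encoded,
    an assumption about Saka's check), Comment is concatenated into the
    page as-is, so browser-interpreted markup in a comment reaches every
    visitor of the page."""
    cells = []
    for name, comment in rows:
        cells.append(f"<tr><td>{html.escape(name, quote=True)}</td><td>{comment}</td></tr>")
    return "<table>" + "".join(cells) + "</table>"


def render_hardened(rows):
    """Encode every user-controlled value for the HTML text context it
    lands in, regardless of which CSV column it came from."""
    cells = []
    for name, comment in rows:
        cells.append(
            f"<tr><td>{html.escape(name, quote=True)}</td>"
            f"<td>{html.escape(comment, quote=True)}</td></tr>"
        )
    return "<table>" + "".join(cells) + "</table>"


def flag_suspicious_rows(rows):
    """Review aid for the upload handler: indices of rows whose name or
    comment contains a character that is significant in HTML (<, >, &, or a
    quote). The rows are still stored and encoded; this only tells the
    operator which uploads deserve a look in the logs."""
    flagged = []
    for index, (name, comment) in enumerate(rows):
        if any(html.escape(value, quote=True) != value for value in (name, comment)):
            flagged.append(index)
    return flagged


if __name__ == "__main__":
    rows = parse_comments(SAMPLE_CSV)
    print("vulnerable:", render_vulnerable(rows))
    print("hardened:  ", render_hardened(rows))
    print("rows to review:", flag_suspicious_rows(rows))
```

Running the block shows the difference the write-up observed: the name cell of row 2 comes out as `&quot;&gt;&lt;h1&gt;Erdemstar` in both renderings, while the audio element in row 3 survives intact only in the vulnerable rendering. The hardened renderer is the fix that matters; the flagging function is a detection aid layered on top, not a substitute for encoding.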
Thank you for reading my article, I hope it was useful for you. Below I leave links to my other write-ups that may be useful to you.
Click here to see my other articles about web vulnerabilities. Link