[Bug] 存在XSS漏洞

[sergioperezcheco]

📦 部署方式

Docker

📌 软件版本

v2.14.0

💻 系统环境

Other Linux

📌 系统版本

Centos7

🌐 浏览器

Edge

📌 浏览器版本

latest

🐛 问题描述

存在XSS漏洞

📷 复现步骤

提示词：如何检测是否有xss，怎么进行验证 回复：

 跨站脚本攻击（XSS）是一种常见的Web安全漏洞，攻击者通过在网页中注入恶意脚本，从而窃取用户信息或执行其他恶意操作。以下是检测和验证XSS漏洞的方法：

### 1. 手动检测

#### a. 输入测试
在网站的输入框中输入以下内容，观察是否会在页面中执行：

- `<script>alert('XSS')</script>`
- `<img src=x onerror=alert('XSS')>`
- `<a href="javascript:alert('XSS')">Click Me</a>`
- `<svg/onload=alert('XSS')>`

#### b. 存储型XSS测试
如果网站允许用户提交内容并存储在服务器上，尝试提交上述测试脚本，然后访问包含这些内容的页面，观察脚本是否被执行。

#### c. 反射型XSS测试
如果网站的响应中包含用户输入的内容，尝试在URL参数中注入脚本，观察脚本是否被执行。例如：

http://example.com/search?q=

#### d. DOM型XSS测试
DOM型XSS是基于客户端脚本的漏洞。尝试在输入框中输入以下内容，观察脚本是否被执行：
```html
<img src=x onerror=alert('XSS')>

2. 自动检测工具

a. Burp Suite

Burp Suite是一款流行的Web安全测试工具，可以用来扫描和检测XSS漏洞。

• 使用Burp Suite的Proxy功能拦截请求和响应。
• 使用Burp Suite的Scanner功能进行自动扫描。

b. OWASP ZAP

OWASP ZAP（Zed Attack Proxy）是一款开源的Web安全测试工具，可以用来扫描和检测XSS漏洞。

• 使用ZAP的Proxy功能拦截请求和响应。
• 使用ZAP的Active Scan功能进行自动扫描。

c. XSSer

XSSer是一款专门用于检测XSS漏洞的工具，可以通过命令行使用。

xsser -u "http://example.com/search?q=FUZZ" --auto

3. 验证XSS漏洞

a. 确认脚本执行

如果在输入测试脚本后，页面弹出警告框（如alert('XSS')），则表明存在XSS漏洞。

b. 确认漏洞类型

• 存储型XSS：提交脚本到网站并存储，访问包含该内容的页面时脚本被执行。
• 反射型XSS：在URL参数中注入脚本，访问该URL时脚本被执行。
• DOM型XSS：输入脚本到输入框，脚本在客户端执行，无需服务器参与。

c. 利用漏洞

尝试利用XSS漏洞执行更复杂的操作，如窃取Cookie、会话劫持等，进一步验证漏洞的危害性。

4. 修复建议

• 输入验证和过滤：对用户输入进行严格的验证和过滤，移除或转义潜在的恶意字符。
• 输出编码：在将用户输入输出到页面时，进行适当的编码，防止脚本执行。
• 使用HTTP头：设置Content-Security-Policy头，限制页面可以执行的脚本来源。

通过上述方法，可以有效地检测和验证XSS漏洞，并采取相应的措施进行修复。

### 🚦 期望结果

检查历史版本并尽快修复

### 📝 补充信息

_No response_

[Issues-translate-bot]

Bot detected the issue body's language is not English, translate it automatically.

---

Title: [Bug] There is an XSS vulnerability

📦 Deployment method

Docker

📌 Software version

v2.14.0

💻 System environment

Other Linux

📌 System version

Centos7

🌐 Browser

Edge

📌 Browser version

latest

🐛 Problem description

There is an XSS vulnerability

📷 Steps to reproduce

Prompt word: How to detect whether there is xss and how to verify reply:

 Cross-site scripting (XSS) is a common web security vulnerability. Attackers inject malicious scripts into web pages to steal user information or perform other malicious operations. Here's how to detect and verify XSS vulnerabilities:

### 1. Manual detection

#### a. Input test
Enter the following content in the input box of the website and observe whether it will be executed on the page:

- `<script>alert('XSS')</script>`
- `<img src=x onerror=alert('XSS')>`
- `<a href="javascript:alert('XSS')">Click Me</a>`
- `<svg/onload=alert('XSS')>`

#### b. Stored XSS testing
If the website allows users to submit content and store it on the server, try submitting the above test script, then visit the page containing the content and observe whether the script is executed.

#### c. Reflected XSS testing
If the website's response contains content entered by the user, try injecting a script in the URL parameters and observe whether the script is executed. For example:

http://example.com/search?q=

#### d. DOM type XSS testing
DOM-type XSS is a vulnerability based on client-side scripts. Try entering the following content in the input box and observe whether the script is executed:
```html
<img src=x onerror=alert('XSS')>

2. Automatic detection tool

a. Burp Suite

Burp Suite is a popular web security testing tool that can be used to scan and detect XSS vulnerabilities.

• Use Burp Suite's Proxy feature to intercept requests and responses.
• Use Burp Suite's Scanner feature for automated scanning.

b. OWASP ZAP

OWASP ZAP (Zed Attack Proxy) is an open source web security testing tool that can be used to scan and detect XSS vulnerabilities.

• Use ZAP's Proxy function to intercept requests and responses.
• Use ZAP's Active Scan feature for automatic scanning.

c. XSSer

XSSer is a tool specifically designed to detect XSS vulnerabilities and can be used through the command line.

xsser -u "http://example.com/search?q=FUZZ" --auto

3. Verify XSS vulnerabilities

a. Confirm script execution

If a warning box (such as alert('XSS')) pops up on the page after entering the test script, it indicates that there is an XSS vulnerability.

b. Confirm the vulnerability type

• Stored XSS: Submit a script to the website and store it, and the script will be executed when the page containing the content is accessed.
• Reflected XSS: Inject a script in the URL parameter, and the script will be executed when the URL is accessed.
• DOM type XSS: Enter the script into the input box, and the script is executed on the client without server participation.

c. Exploiting vulnerabilities

Try to use XSS vulnerabilities to perform more complex operations, such as stealing cookies, session hijacking, etc., to further verify the harm of the vulnerability.

4. Repair suggestions

• Input Validation and Filtering: Strictly validate and filter user input, removing or escaping potentially malicious characters.
• Output Encoding: Encode appropriately when outputting user input to the page to prevent script execution.
• Use HTTP header: Set the Content-Security-Policy header to limit the script sources that the page can execute.

Through the above methods, XSS vulnerabilities can be effectively detected and verified, and corresponding measures can be taken to repair them.

### 🚦 Expected results

Check historical versions and fix them as soon as possible

### 📝 Supplementary information

_No response_  

[lloydzhou]

这是特性不是漏洞

1. 这是artifacts功能上线之后带来的新特性。
2. 由大模型生成的html代码可以被执行渲染，方便用户能实时预览结果
3. 这个执行环境是一个iframe，是一个隔离的沙箱环境，不会对当前页面构成xss攻击
4. 当前iframe配置了sandbox="allow-forms allow-modals allow-scripts"属性

   或许应该移除allow-forms allow-modals，只保留allow-scripts即可