GhostManager / Ghostwriter

The SpecterOps project management and reporting engine
https://ghostwriter.wiki
BSD 3-Clause "New" or "Revised" License

Stored Cross-Site Scripting - report_detail #374

Closed Xistens closed 9 months ago

Xistens commented 9 months ago

Describe the bug
The finding titles used in the availableTitles JavaScript array on the report detail page (/reporting/reports/<id>) are not properly escaped.

The application does not seem to escape special characters such as single and double quotes, potentially breaking functionality such as "Mark report as complete" should a finding title contain a single quote. Additionally, this might make it possible to execute a stored cross-site scripting attack by creating a finding with a malicious title.

To Reproduce
Creating a finding with the title '];alert(0);let testx = ['a will trigger an alert box when opening a report.

Expected Behavior
The application should handle titles with special characters, such as a single quote.

Screenshots
[screenshot attachment]

Server Specs
N/A

Additional context
N/A
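The root cause described in this report is a server-side template dropping user-controlled strings into a JavaScript array literal without escaping. The following Python example is added here for illustration and is not Ghostwriter's code; the function names `render_titles_unsafe`, `render_titles_safe` and `js_safe_json` and the sample titles are constructed for this demonstration. It contrasts the naive concatenation with JSON encoding that also neutralises `<`, `>` and `&` so the result cannot terminate the enclosing `<script>` element, then confirms the encoded titles parse back unchanged.

```python
import json

# Constructed sample input: an ordinary finding title and the one from the report.
TITLES = ["SQL Injection in login form", "'];alert(0);let testx = ['a"]

def render_titles_unsafe(titles):
    """Naive template pattern: each title is wrapped in single quotes and
    concatenated into a JS array literal with no escaping at all. A title
    containing a quote terminates the string and the rest is parsed as code."""
    items = ", ".join("'" + t + "'" for t in titles)
    return "let availableTitles = [" + items + "];"

def js_safe_json(value):
    """JSON-encode a value for embedding inside a <script> block. json.dumps
    escapes quotes and backslashes; the extra replacements cover characters
    that are harmless to JSON but dangerous inside HTML (a literal '</script>'
    would end the element regardless of JS string quoting)."""
    encoded = json.dumps(value)
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))

def render_titles_safe(titles):
    """Hardened rendering: the whole list becomes one JSON literal, which is
    valid JavaScript and keeps every title inside its string."""
    return "let availableTitles = " + js_safe_json(titles) + ";"

def titles_survive_roundtrip(titles):
    """Defender's check: the safe rendering must parse back to the exact input,
    so no title can change the structure of the array it is placed in."""
    rendered = render_titles_safe(titles)
    prefix, suffix = "let availableTitles = ", ";"
    literal = rendered[len(prefix):-len(suffix)]
    return json.loads(literal) == list(titles)

if __name__ == "__main__":
    print(render_titles_unsafe(TITLES))   # quote breaks out; alert(0) becomes a statement
    print(render_titles_safe(TITLES))     # one JSON literal; the payload stays a string
    print(titles_survive_roundtrip(TITLES))
```

In a Django template the same effect is obtained with the built-in `json_script` filter (which performs this kind of encoding and emits a `<script type="application/json">` element) or, for individual values, the `escapejs` filter; the point is that the data reaches the browser as a serialised literal rather than as text spliced into code.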

chrismaddalena commented 9 months ago

Hey @Xistens, thanks for mentioning this! I appreciate you taking the time. Alex has a PR in that resolves this (linked above, #375).