What steps will reproduce one of the problems?
A. persistent XSS via urlToScan parameter of scanner.php
screenshot 'persistent XSS_1.jpg' attached
1. attempt to scan http://test123.com/<script>alert(1)</script> URL
2. the scan will start
3. check the scan history section. the previously injected XSS payload is now
executed
4. checking the source of the HTTP response returned when accessing the history.php
resource shows the user-provided URL is not properly escaped before being
displayed to the user - thus allowing successful XSS attacks:
<tr><td align='center'>642</td><td align='left'>Wednesday 17th October 2012 03:02:01 PM</td><td align='left'>http://test123.com/<script>alert(1)</script></td><td align='center'>0</td><td align='center'><a href="scanner/reports/Test_642.pdf" target="_blank">View</a></td></tr></table></p>
</div>
</div>
</div>
<!--MiddleRow END-->
5. the following code from scan_history.php is to blame for this (the line
displaying the unsafe, unescaped scanned URL):
echo '<table border="3" width="900"><tr><th>ID</th><th>Start Time</th><th>URL</th><th>No. Vulnerabilities</th><th>Report</th></tr>';
for ($i = 0; $i < $numRows; $i++)
{
    $row = $result->fetch_object();
    $id = $row->id;
    $startTime = $row->start_timestamp;
    $startTimeFormatted = date('l jS F Y h:i:s A', $startTime);
    $url = $row->url;   // the URL originally submitted via urlToScan, stored as-is
    $numVulns = 'Unknown';
    $query = "SELECT * FROM test_results WHERE test_id = $id";
    $resultTwo = $db->query($query);
    if ($resultTwo)
        $numVulns = $resultTwo->num_rows;
    $report = '<a href="scanner/reports/Test_' . $id . '.pdf" target="_blank">View</a>';
    echo '<tr>';
    echo "<td align='center'>$id</td>";
    echo "<td align='left'>$startTimeFormatted</td>";
    echo "<td align='left'>$url</td>";   // user-provided URL written into HTML without any escaping
    echo "<td align='center'>$numVulns</td>";
    echo "<td align='center'>$report</td>";
    echo '</tr>';
}
echo '</table>';
B. some other XSS vulnerabilities for scanner.php resource
- reflected XSS via autoc parameter
- reflected XSS via basqli parameter
- reflected XSS via sqli parameter
- reflected XSS via urlToScan parameter
What is the expected output? What do you see instead?
The product should not be vulnerable to XSS attacks, while it is
What version of the product are you using? On what operating system?
webvulscan_v0.12
Please provide any additional information below.
Recommendations:
1. Validate all user-provided input using a white-list approach (known good
characters) and regular expressions
2. All user-provided data should be properly escaped before being rendered/displayed
as part of webvulscan forms. Use PHP best practices to enforce proper character
escaping based on the context where such content is being used (HTML code,
JavaScript code, etc).
Original issue reported on code.google.com by marian.v...@gmail.com on 17 Oct 2012 at 2:18
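The two recommendations above applied to the vulnerable loop from scan_history.php, as an added example that is not webvulscan's own code: a whitelist check for the urlToScan parameter and context-aware escaping of every value before it is written into the history table. It uses no database; the sample row and the function names are constructed for the example.

```php
<?php
// Added example, not part of webvulscan. Shows input whitelisting and
// output escaping for the scan-history table; the row data is constructed.

// Recommendation 1: whitelist validation for the urlToScan parameter.
// Accepts only http(s) URLs built from characters RFC 3986 allows, so
// '<' and '>' (needed for a script tag) are rejected before any scan starts.
function isAcceptableScanUrl(string $url): bool {
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;
    }
    return preg_match('{^[A-Za-z0-9\-._~:/?#\[\]@!$&\'()*+,;=%]+$}', $url) === 1;
}

// Recommendation 2: escape for the HTML body / attribute context before output.
function e(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened equivalent of the row-printing part of scan_history.php.
function renderHistoryRow(array $row): string {
    $id = (int) $row['id'];                       // integer only, never raw text
    $startTimeFormatted = date('l jS F Y h:i:s A', (int) $row['start_timestamp']);
    $numVulns = (string) ($row['num_vulns'] ?? 'Unknown');
    $reportHref = 'scanner/reports/Test_' . $id . '.pdf';

    return '<tr>'
        . "<td align='center'>" . e((string) $id) . '</td>'
        . "<td align='left'>" . e($startTimeFormatted) . '</td>'
        . "<td align='left'>" . e($row['url']) . '</td>'   // the cell that was unescaped
        . "<td align='center'>" . e($numVulns) . '</td>'
        . "<td align='center'><a href=\"" . e($reportHref) . "\" target=\"_blank\">View</a></td>"
        . '</tr>';
}

// Constructed sample row mirroring the history entry quoted in the report.
$sampleRow = ['id' => 642, 'start_timestamp' => 1350486121,
              'url' => 'http://test123.com/<script>alert(1)</script>', 'num_vulns' => 0];

echo 'payload URL accepted on input: ';
var_dump(isAcceptableScanUrl($sampleRow['url']));
echo 'ordinary URL accepted on input: ';
var_dump(isAcceptableScanUrl('http://test123.com/index.php?id=1'));
echo renderHistoryRow($sampleRow), PHP_EOL;   // angle brackets arrive as entities
```

Run with `php example.php`; the rendered row contains the payload as inert text because every dynamic value passes through e() before reaching the HTML.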