ThomasTJdev / nim_websitecreator

Nim fullstack website framework - deploy a website within minutes
https://nimwc.org
MIT License

Vulnerability: XSS Attack + Bug #138

Closed thisago closed 3 years ago

thisago commented 3 years ago

XSS

This XSS attack allows injecting HTML into the web page, which allows creating a JS payload that sends all of the victim's cookies to the attacker, stealing the session.

Affected page

https://nimwc.org/login

Reproducing

The GET parameter msg injects the data directly into the HTML without sanitizing the user input.

Example

This example calls alert with your cookies: https://nimwc.org/login?msg=%3Cscript%3Ealert(%22XSS%20attack.%20Your%20cookies:%20%22);%20alert(document.cookie)%3C/script%3E

Fix

To fix it, just sanitize the received msg data to replace the special HTML elements like '<' and '>'.

Bug

This is an extra vulnerability related to the same parameter.

If the payload includes %do, the Jester server gives a route error.

https://nimwc.org/login?msg=%do

ThomasTJdev commented 3 years ago

Hi @thisago

Thank you for asking. You may post it here, otherwise you can email it to me.

thisago commented 3 years ago

OK, I will post it here because I already made the Markdown.

ThomasTJdev commented 3 years ago

Thank you @thisago. I have included sanitizing in commit 24076e9.

The error with %do is because the test-platform was compiled with Nim 1.2. This has been fixed in the current stable version https://github.com/nim-lang/Nim/issues/14082.
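
The fix discussed in this thread, as an added example in Nim; it is not the code from commit 24076e9, which is not shown on this page. It puts the unescaped rendering of msg beside an output-encoded one. `renderLoginUnsafe`, `renderLoginSafe` and the `notice` markup are hypothetical names, and only the Nim standard library is used.

```nim
# Added example: reflected `msg` rendered without and with HTML output encoding.
# Proc names and the surrounding markup are hypothetical, not nim_websitecreator code.
import std/[uri, xmltree, strutils]

proc renderLoginUnsafe*(rawMsg: string): string =
  ## The behaviour described in the report: the decoded value is
  ## concatenated into the page as-is, so markup in it becomes live HTML.
  "<div class=\"notice\">" & decodeUrl(rawMsg) & "</div>"

proc renderLoginSafe*(rawMsg: string): string =
  ## Decode first, then encode for the HTML context at the point of output.
  ## xmltree.escape rewrites <, >, &, " and ' as entities, so the value
  ## stays text in both element content and quoted attribute values.
  "<div class=\"notice\">" & xmltree.escape(decodeUrl(rawMsg)) & "</div>"

when isMainModule:
  # Constructed inputs: a script-tag value like the one in the report,
  # a value with an ampersand, and the malformed escape from the Bug section.
  let scriptMsg = "%3Cscript%3Ealert(document.cookie)%3C/script%3E"

  let unsafeHtml = renderLoginUnsafe(scriptMsg)
  let safeHtml = renderLoginSafe(scriptMsg)

  doAssert "<script>" in unsafeHtml        # tag reaches the page intact
  doAssert "<script>" notin safeHtml       # tag is neutralised
  doAssert "&lt;script&gt;" in safeHtml    # and shown as plain text instead
  doAssert renderLoginSafe("a%20%26%20b") ==
    "<div class=\"notice\">a &amp; b</div>"

  echo "unsafe: ", unsafeHtml
  echo "safe:   ", safeHtml
  # Malformed percent-escape from the report; the thread attributes the
  # error on this input to Nim 1.2 and says later stable releases fixed it.
  echo "%do:    ", renderLoginSafe("%do")
```

Encoding at output time, after URL decoding, is what keeps a percent-encoded `<` from slipping past a filter that only inspects the raw query string.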