dermotblair / webvulscan

Web Application Vulnerability Scanner.
https://code.google.com/p/webvulscan/
GNU General Public License v3.0

Multiple XSS vulnerabilities #14

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce one of the problems?

A. persistent XSS via urlToScan parameter of scanner.php

screenshot 'persistent XSS_1.jpg' attached

1. attempt to scan http://test123.com/<script>alert(1)</script> URL
2. the scan will start
3. check the scan history section. previously injected XSS payload is now executed

4. checking the source of the HTTP response returned when accessing the history.php resource shows the user-provided URL is not properly escaped before being displayed to the user, thus allowing successful XSS attacks:

<tr><td align='center'>642</td><td align='left'>Wednesday 17th October 2012 03:02:01 PM</td><td align='left'>http://test123.com/<script>alert(1)</script></td><td align='center'>0</td><td align='center'><a href="scanner/reports/Test_642.pdf" target="_blank">View</a></td></tr></table></p>
    </div>
  </div>
</div>
<!--MiddleRow END-->

5. the following code from scan_history.php is to blame for this (the line displaying the unsafe unescaped scanned URL):

<?php
// Fragment of scan_history.php as quoted in the report. $db (the mysqli
// connection), $result (the scan-history query result) and $numRows are
// set earlier in that file.
echo '<table border="3" width="900"><tr><th>ID</th><th>Start Time</th><th>URL</th><th>No. Vulnerabilities</th><th>Report</th></tr>';
for ($i = 0; $i < $numRows; $i++) {
    $row = $result->fetch_object();
    $id = $row->id;
    $startTime = $row->start_timestamp;
    $startTimeFormatted = date('l jS F Y h:i:s A', $startTime);
    $url = $row->url;   // stored exactly as submitted via urlToScan

    $numVulns = 'Unknown';
    $query = "SELECT * FROM test_results WHERE test_id = $id";
    $resultTwo = $db->query($query);
    if ($resultTwo) {
        $numVulns = $resultTwo->num_rows;
    }

    $report = '<a href="scanner/reports/Test_' . $id . '.pdf" target="_blank">View</a>';

    echo '<tr>';
    echo "<td align='center'>$id</td>";
    echo "<td align='left'>$startTimeFormatted</td>";
    echo "<td align='left'>$url</td>";   // written to HTML unescaped: the stored XSS sink
    echo "<td align='center'>$numVulns</td>";
    echo "<td align='center'>$report</td>";
    echo '</tr>';
}
echo '</table>';

B. some other XSS vulnerabilities for scanner.php resource

- reflected XSS via autoc parameter
- reflected XSS via basqli parameter
- reflected XSS via sqli parameter
- reflected XSS via urlToScan parameter

What is the expected output? What do you see instead?
The product should not be vulnerable to XSS attacks, but it is.

What version of the product are you using? On what operating system?
webvulscan_v0.12

Please provide any additional information below.

Recommendations:

1. Validate all user-provided input using a white-list approach (known good characters) and regular expressions.

2. All user-provided data is properly escaped before being rendered/displayed as part of webvulscan forms. Use PHP best practices to enforce proper character escaping based on the context where such content is being used (HTML code, JavaScript code, etc).

Original issue reported on code.google.com by marian.v...@gmail.com on 17 Oct 2012 at 2:18

Attachments:
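The two recommendations applied to the scan_history.php loop quoted in the report, as an added example that is not webvulscan's own code: a whitelist check for urlToScan and a row renderer that escapes every database-sourced string for the HTML context it lands in. The function names, the `$row` array shape and the sample row are assumptions.

```php
<?php
// Added example, not webvulscan's own code: a hardened version of the
// scan_history.php row loop quoted above, plus whitelist validation for
// urlToScan. Function names and the sample row are assumptions.

// Escapes a value for HTML element content and quoted attribute values.
// ENT_QUOTES covers single-quoted attributes like align='...'.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Whitelist check for urlToScan (recommendation 1): http/https only, built
// solely from RFC 3986 URL characters, so <, >, " and whitespace are refused.
// Returns the URL or null; callers must reject null before storing/scanning.
function validate_scan_url(string $url): ?string
{
    if (strlen($url) > 2048) {
        return null;
    }
    if (!preg_match('~^https?://[A-Za-z0-9._~:/?#\[\]@!$&\'()*+,;=%-]+$~', $url)) {
        return null;
    }
    return filter_var($url, FILTER_VALIDATE_URL) === false ? null : $url;
}

// Hardened replacement for the echo loop: every DB-sourced string is escaped
// at the point it enters HTML output; numeric columns are cast to int instead.
// $row stands in for one mysqli row fetched as an associative array.
function render_history_row(array $row): string
{
    $id = (int) $row['id'];
    $start = date('l jS F Y h:i:s A', (int) $row['start_timestamp']);
    $numVulns = $row['num_vulns'] === null ? 'Unknown' : (string) (int) $row['num_vulns'];
    $report = sprintf('<a href="scanner/reports/Test_%d.pdf" target="_blank">View</a>', $id);

    return '<tr>'
        . "<td align='center'>{$id}</td>"
        . "<td align='left'>" . esc_html($start) . '</td>'
        . "<td align='left'>" . esc_html((string) $row['url']) . '</td>'
        . "<td align='center'>" . esc_html($numVulns) . '</td>'
        . "<td align='center'>{$report}</td>"
        . '</tr>';
}

// Constructed sample row carrying the payload from the report above.
$sample = ['id' => 642, 'start_timestamp' => 1350486121,
           'url' => 'http://test123.com/<script>alert(1)</script>', 'num_vulns' => 0];
echo render_history_row($sample), PHP_EOL;
var_dump(validate_scan_url($sample['url']) === null);
```

With the validator in front of the scan and the escaping renderer on the history page, the payload is rejected on input and, should an old row still hold it, rendered as inert text rather than markup.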

GoogleCodeExporter commented 9 years ago

Original comment by webvuls...@gmail.com on 22 Oct 2012 at 11:14

GoogleCodeExporter commented 9 years ago

Original comment by webvuls...@gmail.com on 22 Oct 2012 at 11:15

GoogleCodeExporter commented 9 years ago

Original comment by webvuls...@gmail.com on 22 Oct 2012 at 11:16