Open l4rm4nd opened 2 months ago
frontend/package.json:
Note: Webpack 5 suggested by Dependabot won't work due to cache-loader. We have to keep using webpack 4.
{
"name": "xsshunter-express-frontend",
"version": "1.0.0",
"private": true,
"description": "An easy to set up and use instance of XSS Hunter.",
"author": "mandatory",
"scripts": {
"serve": "vue-cli-service serve --open",
"build": "vue-cli-service build",
"e2e": "node test/e2e/runner.js",
"lint": "vue-cli-service lint",
"dev": "vue-cli-service serve --open",
"lint-fix": "vue-cli-service lint --fix"
},
"dependencies": {
"@deveodk/vue-toastr": "^1.1.0",
"chart.js": "^2.9.3",
"eslint": "^7.32.0",
"i": "^0.3.6",
"moment": "^2.29.1",
"npm": "^10.8.2",
"toastr": "^2.1.4",
"vue": "^2.6.11",
"vue-chartjs": "^3.5.0",
"vue-clipboard2": "^0.3.1",
"vue-codemirror": "^4.0.6",
"vue-highlightjs": "^1.3.3",
"vue-i18n": "^8.18.2",
"vue-moment": "^4.1.0",
"vue-router": "^3.3.4",
"vue-router-prefetch": "^1.6.0",
"vue-toastr-2": "0.0.10",
"vue2-transitions": "^0.3.0"
},
"devDependencies": {
"@vue/cli-plugin-babel": "^4.5.7",
"@vue/cli-plugin-eslint": "^5.0.8",
"@vue/cli-plugin-pwa": "^4.4.6",
"@vue/cli-service": "^4.4.6",
"cache-loader": "^4.1.0",
"sass": "1.56.2",
"sass-loader": "10.1.1",
"vue-cli-plugin-i18n": "^2.3.2",
"vue-template-compiler": "^2.7.16",
"webpack": "^4.47.0"
},
"browserslist": [
"> 1%",
"last 2 versions",
"not ie <= 11"
]
}
requirements.txt:
click==8.0.3
colorama==0.4.4
Flask==2.2.5
itsdangerous==2.0.1
Jinja2==3.1.4
MarkupSafe==2.1.1
Werkzeug==3.0.3
gunicorn==22.0.0
These changes bring CVEs down to:
And XSSHunter is still working.
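A small version-floor audit, added here as an example and not code from the xsshunter-express project or from the issue author: it parses pinned `==` versions from a requirements.txt and the minimum version admitted by caret/tilde ranges in a package.json, then reports any dependency that sits below a reviewer-chosen floor. The two sample files are constructed to mirror the format of the files above, and the floor table is a hypothetical policy (an assumption for the example), not advisory or CVE data.

```python
"""Version-floor audit for requirements.txt and package.json.

Added example, not part of the xsshunter-express repository. The FLOORS
table is a hypothetical policy (assumption), not vulnerability data.
"""
import json
import re

# Constructed sample inputs, shaped like the files posted in the issue.
REQUIREMENTS_TXT = """\
click==8.0.3
Flask==2.2.5          # inline comment, ignored by the parser
Werkzeug==3.0.3
gunicorn==22.0.0
"""

PACKAGE_JSON = """\
{
  "dependencies": {"vue": "^2.6.11", "moment": "^2.29.1"},
  "devDependencies": {"webpack": "^4.47.0", "sass": "1.56.2"}
}
"""

# Hypothetical version floors (assumption): the lowest version a reviewer
# is willing to accept for each package. The moment floor is deliberately
# above the pinned range so the audit produces a finding.
FLOORS = {
    "flask": "2.2.5",
    "werkzeug": "3.0.3",
    "gunicorn": "22.0.0",
    "webpack": "4.47.0",
    "moment": "2.30.0",
}


def parse_version(s):
    """Turn '4.47.0' into (4, 47, 0); a non-numeric component counts as 0."""
    parts = []
    for piece in s.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if dotted version a is lower than b, padding short tuples with 0."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def parse_requirements(text):
    """Return {name_lower: version} for '==' pins; comments and blanks skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][^\s;]*)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def parse_package_json(text):
    """Return {name_lower: minimum version} from dependencies/devDependencies.

    '^1.2.3', '~1.2.3' and '1.2.3' all admit 1.2.3 as their lowest version, so
    that is what gets compared. Any other range syntax is skipped rather than
    guessed at.
    """
    data = json.loads(text)
    mins = {}
    for section in ("dependencies", "devDependencies"):
        for name, rng in data.get(section, {}).items():
            m = re.match(r"^[\^~]?(\d+(?:\.\d+)*)$", rng)
            if m:
                mins[name.lower()] = m.group(1)
    return mins


def below_floor(versions, floors):
    """Return sorted (name, have, need) triples where have < need."""
    findings = []
    for name, need in floors.items():
        have = versions.get(name)
        if have is not None and version_lt(have, need):
            findings.append((name, have, need))
    return sorted(findings)


def audit(req_text=REQUIREMENTS_TXT, pkg_text=PACKAGE_JSON, floors=FLOORS):
    """Merge both manifests and report every package below its floor."""
    versions = {**parse_requirements(req_text), **parse_package_json(pkg_text)}
    return below_floor(versions, floors)


if __name__ == "__main__":
    for name, have, need in audit():
        print(f"{name}: manifest allows {have}, floor is {need}")
```

One caveat the check deliberately makes visible: a caret range in package.json only states the lowest version npm may install, so the audit reports the floor the manifest guarantees, not what is actually resolved. For the installed state, run the same comparison over the lockfile (package-lock.json or yarn.lock) instead.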
Thanks, I don't have a nice test suite to check how these affect the application, so this will take a while to figure out if something breaks or not. Do you think there's any serious one that should be mitigated as soon as possible?
Do note that the Python server is not reachable so it can't be exploited.
No idea about exploitability. Have not had a detailed look at the CVEs. However, it's always good to fix publicly known vulnerabilities. Most of them are likely not exploitable by an unauthenticated attacker though.
I've forked your repo (some time ago) and implemented a Docker image build process. Within this fork, I've already upgraded the mentioned packages via Dependabot. Seems to work totally fine. BXSS vectors are properly identified and secret scanning via trufflehog works fine too. Auth via email and password too. Have not tested the Social Login thing with a Google account though.