Closed He1345 closed 3 years ago
Use a regex location, location ~ /status(|/format/json)$ { , to restrict it.
Is this useful?
@He1345 Thanks for the bug report. I fixed it. Commit: https://github.com/vozlt/nginx-module-vts/commit/87d7de91599e4d4452c730dc70d60fd89145bfb7
Hi, since this is an XSS vulnerability fix in the module, could we please release a new version including this modification? Appreciated in advance.
Thanks
During a recent round of pentesting, I found a reflected cross-site scripting bug in the /status endpoint. Injecting JavaScript just after the /status endpoint, e.g. /status>, will trigger a JavaScript alert.
So far this has been triggered in both Chrome Version 78.0.3904.108 (Official Build) (64-bit) and Firefox 70.0.1 (64-bit).
I believe the introduction of headers such as CSP (Content Security Policy) and XSS block headers may prevent some characters or payloads from triggering; however, I believe a whitelist approach of allowed characters, filtering and encoding characters, and proper input validation in the URL would help secure this. If it were locked down to only serve the content when expected input is submitted (whitelist), e.g. /status/control?cmd=status&group=&zone= (but not accepting special characters as defined in RFC 3986, https://tools.ietf.org/html/rfc3986), this would also help.
In this particular environment, I was able to access this endpoint with no auth. I used a payload which generated a JavaScript alert with a benign payload of (1), but this could be used to redirect users to malicious sites, or maybe even to exploit a user's browser using the BeEF framework.
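Added example to illustrate the report and the two mitigations discussed in the thread (the regex location whitelist and the whitelist-plus-encoding-plus-CSP approach). This is not code from nginx-module-vts or from any participant: it is a stand-in status handler in Python that reflects the request path into its HTML the way the report describes, beside a hardened version. The handler layout, the header values, the payload string and the function names are assumptions.

```python
import html
import re
from typing import Dict, Optional

# Constructed payload of the shape the report describes: markup appended
# directly after the /status path. Assumption, not the reporter's exact string.
PAYLOAD = "/status<script>alert(1)</script>"


def render_status_vulnerable(request_uri: str) -> str:
    """Stand-in for the buggy behaviour: the request path is concatenated
    into the page without any encoding, so injected markup becomes live."""
    return (
        "<html><body>"
        f'<a href="{request_uri}/format/json">json</a>'
        "</body></html>"
    )


# Whitelist equivalent of the suggested nginx rule
#   location ~ /status(|/format/json)$ { ... }
# Only these two exact paths are served; anything else is rejected outright.
STATUS_PATH = re.compile(r"/status(?:/format/json)?")


def escape_for_html(value: str) -> str:
    """Output encoding for anything placed into HTML text or attribute values."""
    return html.escape(value, quote=True)


def render_status_hardened(request_uri: str) -> Dict[str, object]:
    """Hardened stand-in: whitelist the path, HTML-encode it on output anyway
    (defence in depth), and send a CSP that blocks inline script.
    Returns a small dict standing in for an HTTP response."""
    path = request_uri.split("?", 1)[0]
    if STATUS_PATH.fullmatch(path) is None:
        return {"status": 404, "headers": {}, "body": ""}

    safe_path = escape_for_html(path)
    body = (
        "<html><body>"
        f'<a href="{safe_path}/format/json">json</a>'
        "</body></html>"
    )
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        # Assumed policy: no inline script, so even a missed encoding would
        # not execute in a CSP-aware browser.
        "Content-Security-Policy": "default-src 'none'; script-src 'self'",
        "X-Content-Type-Options": "nosniff",
    }
    return {"status": 200, "headers": headers, "body": body}


def contains_live_script(page: str) -> bool:
    """Crude check used to compare the two handlers: does the page carry an
    unencoded <script> tag?"""
    return re.search(r"<script\b", page, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("vulnerable reflects script:", contains_live_script(render_status_vulnerable(PAYLOAD)))
    print("hardened status for payload:", render_status_hardened(PAYLOAD)["status"])
    print("hardened status for /status:", render_status_hardened("/status")["status"])
```

The whitelist alone already defeats the reported payload, because the injected characters make the path fail the regex; the output encoding and CSP are there for the paths that do pass, so a future change that reflects other request data does not reopen the same bug.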