Skip to content

Month: September 2020

Finding Stored XSS in File Upload

Published by Bobby Lin on September 29, 2020

FrontAccounting ERP is open source, web-based accounting software for small and medium enterprises. It supports double entry accounting providing both low level journal entry and user friendly, document based interface for everyday business activity with automatic GL postings generation.”
Source: https://github.com/FrontAccountingERP/FA

I have an opportunity to work with the developer of FrontAccounting to fix a Stored XSS issue due to unrestricted File upload. This was an educational experience to learn about the usability and security tradeoff in Open Source Project when fixing the issue. More details can be found in the bug tracker.

Issue Summary

In the attachment function, the user is allowed to attach a file to a particular existing transaction. However, I observed that there is no restriction on the type of files that are allowed to be uploaded.

I managed to upload a malicious SVG file that contains JavaScript. Since there was no validation on the file extension, the file was uploaded successfully.

When I opened up the attachment item, I can see that the malicious SVG file was uploaded.

Now, if another user have opened this attached file, then an alert box will appear.

Recommendations

  • The best method is to adopt a Secure by Default approach by restricting the file type to be uploaded. This approach will reduce the attack surfaces. For example, does the application require SVG file to be uploaded? Perhaps the filetype be restricted to PDF, PNG, JPEG, DOCX, etc.
  • If SVG is required, sanitize the uploaded SVG file:
    • https://github.com/darylldoyle/svg-sanitizer
  • If sanitization is not possible, please follow these approaches:
    • Load the SVG from image tags as this will prevent scripts from running.
    • Use “content-disposition: attachment” – this force the file to be downloaded.
    • Set Content Security Policy (CSP) to disallow inline JavaScript.
    • Combine (2) and (3) for double protection.

References:
https://security.stackexchange.com/questions/148507/how-to-prevent-xss-in-svg-file-upload

https://book.hacktricks.xyz/pentesting-web/file-upload#imagetragic

https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html

GraphQL Notes

Published by Bobby Lin on September 12, 2020

Types of Common Vulnerabilities

SQL injection

Access Control

Information Disclosure

NoSQL Injection

How to turn ON or OFF the GraphQL Interface?

GraphQL Interface (https://hostname:port/graphql)

Toggle between true or false for the parameter graphiql. Note that you can still send query via the API request even if the interface is turned off.

Reference