In this post, I will share some writeups on the free challenges in BugBountyHunter platform. I encourage everyone to check out the site https://www.bugbountyhunter.com/.
How does the feature works? If you select the dropdown option, the image will be rendered with special effects using CSS. In the img tag, we can see the selected option value will appear in class.
What could go wrong? The POST request looks suspicious.
Request
There is no server side validation of the imageClass value. You can send any value and it will be reflected in the response.
Response
We can try sending a few payloads to test for XSS issue. First, we can modify the imageClass value to imageClass=helloworld" onload="alert(1)". The response return a class="1" in the tag. We can try imageClass=helloworld" onclick="alert(1)". The response also return class="1" in the tag.
It seems like there is some blacklisting of some keywords such as onload or onclick etc. Hence we need to find the event handler method that is not blacklisted. Fortunately, this payload was not blocked: img2" onpointerup="alert('xss').
When we click on the image in the browser, the malicious script is executed.
“FrontAccounting ERP is open source, web-based accounting software for small and medium enterprises. It supports double entry accounting providing both low level journal entry and user friendly, document based interface for everyday business activity with automatic GL postings generation.” Source: https://github.com/FrontAccountingERP/FA
I have an opportunity to work with the developer of FrontAccounting to fix a Stored XSS issue due to unrestricted File upload. This was an educational experience to learn about the usability and security tradeoff in Open Source Project when fixing the issue. More details can be found in the bug tracker.
Issue Summary
In the attachment function, the user is allowed to attach a file to a particular existing transaction. However, I observed that there is no restriction on the type of files that are allowed to be uploaded.
I managed to upload a malicious SVG file that contains JavaScript. Since there was no validation on the file extension, the file was uploaded successfully.
When I opened up the attachment item, I can see that the malicious SVG file was uploaded.
Now, if another user have opened this attached file, then an alert box will appear.
Recommendations
The best method is to adopt a Secure by Default approach by restricting the file type to be uploaded. This approach will reduce the attack surfaces. For example, does the application require SVG file to be uploaded? Perhaps the filetype be restricted to PDF, PNG, JPEG, DOCX, etc.
If SVG is required, sanitize the uploaded SVG file:
https://github.com/darylldoyle/svg-sanitizer
If sanitization is not possible, please follow these approaches:
Load the SVG from image tags as this will prevent scripts from running.
Use “content-disposition: attachment” – this force the file to be downloaded.
Set Content Security Policy (CSP) to disallow inline JavaScript.
This is a write-up on public disclosed CVE-2019-11776 where a Cross Site Scripting (Reflected) was found in the __format URL parameter by Vineet Pandey.
So far in my journey, I have done quite a few of Pentesterlab exercises. From these exercises, I learned how important it is to perform a practical testing of any disclosed vulnerabilities as it builds up your system administrative skills (setting up server etc.) and imagine the attack flow for any future applications that you will be testing. You can jump straight into the exploit demonstration first if that interests you more.
Configuring Tomcat
Install Tomcat in your machine (using the exe or zip) and go to the folder location. In this write-up, I am using Tomcat version 8.5. You will find a similar directory as below:
Navigate to the conf folder and open the tomcat-users.xml file (note that the password is for testing and should not be used for production). Add the following lines between the <xml> and <tomcat-users> tag as you need the credentials to login to the manager gui later on.
After you download the zip file, you should unzip the content into a folder. In this particular folder, look for the WebViewerExample folder.
Copy the entire WebViewerExample folder to Tomcat’s webapps folder. Rename the copied folder to birt-viewer.
Go back to the Tomcat’s bin folder and run the startup script (in Windows, it will be startup.bat. The resources will now be hosted under localhost:8080. Then open the following URL in your browser (http://localhost:8080/manager/html). The credential will be prompted (enter the credential that you earlier used in the tomcat-users.xml file). You should see that birt-viewer is running.
Demonstrating the Vulnerability
After Tomcat and BIRT Viewer are configured, you should open this endpoint:
You will see a Parameter UI box appearing. In the CustomerNumber, enter 1 and then click OK. This will generate a report from test1.rptdesign template.
Now click on the print report button (see circled icon in the screenshot below). Choose HTML and click OK.
There will be a new Window popping out and the prompt you to print the report. Now, cancel the print action. What we are interested is the URL of this Window pop-out. Copy this URL and then close the Window.
From the HTML source, you can see that our appended payload is appearing in the <script> tag. It seems like the viewer is generating the format string dynamically. If we add abc, then the string will become htmlabc (as seen below).
Now, let’s try to close the html string and then insert another value. You will find that we can actually break out of the format variable to call another method.
