Summary
Stored Cross-Site Scripting (XSS) vulnerability allows attackers to inject malicious scripts into web applications, which can then be executed in the context of other users' browsers. This can lead to unauthorized access to sensitive information, session hijacking, and spreading of malware, impacting user data privacy and application integrity.
Details
A user with rights to modificate the service (e.g. kuiperUser role) can inject XSS Payload into Rule id parameter. Then, after any user with access to this service (e.g. admin) will try make any modifications with the rule (update, run, stop, delete), a payload will act in victim's browser.
The issue appears as the notification to user is made in an insafe way:
https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L681
https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L716
https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L735
https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L794
https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L809
https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L824
Such writing to 'http.ResponseWriter' bypasses HTML escaping that prevents cross-site scripting vulnerabilities.
Because of the some (meybe protection) mechanisms a real exploitation is possible only with limited special characters, but this is enough to construct a strong payload
PoC
- Create a rule with id:
<iframe src="javascript:alert`1337`">
- Just after Rule Submition the Payload shoots:
- Then, when another user (e.g.
admin) will try to do something with this rule (e.g. start), the payload shoots in his context:
Impact
Stored Cross-site Scripting (XSS) vulnerability
Reported by Alexey Kosmachev, Lead Pentester from Bi.Zone
References
TheMostKnown Reporter
ngjaying Coordinator
Summary
Stored Cross-Site Scripting (XSS) vulnerability allows attackers to inject malicious scripts into web applications, which can then be executed in the context of other users' browsers. This can lead to unauthorized access to sensitive information, session hijacking, and spreading of malware, impacting user data privacy and application integrity.
Details
A user with rights to modificate the service (e.g. kuiperUser role) can inject XSS Payload into Rule
idparameter. Then, after any user with access to this service (e.g. admin) will try make any modifications with the rule (update, run, stop, delete), a payload will act in victim's browser.The issue appears as the notification to user is made in an insafe way:
https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L681
https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L716
https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L735
https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L794
https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L809
https://github.com/lf-edge/ekuiper/blob/dbce32d5a195cf1de949b3a6a4e29f0df0f3330d/internal/server/rest.go#L824
Such writing to 'http.ResponseWriter' bypasses HTML escaping that prevents cross-site scripting vulnerabilities.
Because of the some (meybe protection) mechanisms a real exploitation is possible only with limited special characters, but this is enough to construct a strong payload
PoC
admin) will try to do something with this rule (e.g. start), the payload shoots in his context:Impact
Stored Cross-site Scripting (XSS) vulnerability
Reported by Alexey Kosmachev, Lead Pentester from Bi.Zone
References