## Exploit
1. There is a clickable image that links to `http://10.0.2.15/?page=media&src=nsa`
1. The application uses the `src` query parameter as the value of the `data` attribute of an `<object>` element **without validation**
1. Thus, one can exploit XSS by supplying a `data:` URL instead of the expected image reference (nsa) in `src`
1. Request `curl "http://10.0.2.15/?page=media&src=data:text/html;base64,$(echo -n '<script>alert(123)</script>' | base64)" | grep flag` to get the flag.
## Fix
[OWASP WSTG v4.1: Testing for Reflected Cross Site Scripting](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting.html)
Do not place untrusted user input directly into the `data` attribute of an `<object>` element. Only allow a strict server-side mapping from the `src` key to the expected media resources, and reject dangerous schemes such as `data:` and `javascript:` (i.e. validate and sanitize user input).
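As an added illustration of this fix (not code from the original writeup or the challenge application), a Python version of the strict server-side mapping, with a scheme check as defence in depth; the media paths in the allowlist are hypothetical, only the `nsa` key comes from the page:

```python
import html
from urllib.parse import urlsplit

# Constructed allowlist: the only keys the media page accepts, mapped to
# server-chosen paths (hypothetical paths; only the "nsa" key is from the writeup).
MEDIA = {
    "nsa": "/images/nsa_prism.jpg",
}

# Schemes that must never reach the data attribute of an <object> element.
DANGEROUS_SCHEMES = {"data", "javascript", "vbscript"}


class InvalidMedia(ValueError):
    """Raised when the src parameter is not one of the expected media keys."""


def is_dangerous_scheme(value: str) -> bool:
    """Defence in depth: true if the value carries a scheme a browser would execute.

    Tabs, newlines and carriage returns are removed first because browsers strip
    them from URLs, so a scheme broken up by such characters is still detected.
    """
    cleaned = value.translate(str.maketrans("", "", "\t\n\r")).strip()
    return urlsplit(cleaned).scheme.lower() in DANGEROUS_SCHEMES


def resolve_media(src: str) -> str:
    """Map the untrusted src query value to a server-chosen path, or reject it.

    The allowlist is the real control: anything not in MEDIA is refused, so a
    data: or javascript: URL never becomes the object's data attribute.
    """
    if src not in MEDIA:
        raise InvalidMedia(f"unknown media key: {src!r}")
    path = MEDIA[src]
    if is_dangerous_scheme(path):  # guards against a misconfigured allowlist entry
        raise InvalidMedia(f"allowlisted path has a dangerous scheme: {path!r}")
    return path


def render_media_object(src: str) -> str:
    """Build the <object> element for the page from the validated mapping only."""
    path = resolve_media(src)
    # Escape even the trusted path so a quote in a filename cannot break the attribute.
    return f'<object data="{html.escape(path, quote=True)}"></object>'
```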