XSS Reflected and XXE Vulnerability Changes #432
Conversation
XSS reflected validations update
removing directory
XSS Reflected Fix
XSS Reflected Message Update
|
Hi @hexxdump Please take a look at the changes. |
@Prince-1110 , |
@hexxdump yeah sure. @Prince-1110 thanks for the PR, give me a day and i will review it. |
| @@ -201,4 +201,63 @@ public ResponseEntity<String> getVulnerablePayloadLevelSecure( | |||
| return new ResponseEntity<>(HttpStatus.BAD_REQUEST); | |||
| } | |||
| } | |||
|
|
|||
| // Escape all the input which provides eval expression in a payload | |||
There was a problem hiding this comment.
the below method is also escaping other things apart from eval. isn't it?
|
|
||
| String vulnerablePayloadWithPlaceHolder = "<img src=%s width=\"400\" height=\"300\"/>"; | ||
|
|
||
| String payload = |
There was a problem hiding this comment.
what is the difference between level 8 and level 9?
| vulnerabilityExposed = VulnerabilityType.REFLECTED_XSS, | ||
| description = | ||
| "XSS_HTML_ESCAPE_ON_DIRECT_INPUT_AND_REMOVAL_OF_ONLOAD_FUNCTIONS_WITH_PARENTHESIS_SRC_ATTRIBUTE_IMG_TAG") | ||
| @VulnerableAppRequestMapping(value = LevelConstants.LEVEL_10, htmlTemplate = "LEVEL_1/XSS") |
There was a problem hiding this comment.
this one is also same as level 9. am i missing something?
| @RequestParam Map<String, String> queryParams) { | ||
| String vulnerablePayloadWithPlaceHolder = "<div>%s<div>"; | ||
| StringBuilder payload = new StringBuilder(); | ||
| Pattern pattern = Pattern.compile("eval\\((.*?)\\)"); |
There was a problem hiding this comment.
can you please add an extra blacklist defence to level 3 here?
There was a problem hiding this comment.
or make it as level 2 as first level has not defence and level 2 has eval based defence and then move other levels to next levels like level3 becomes level 4 and so on.
| vulnerabilityExposed = VulnerabilityType.REFLECTED_XSS, | ||
| description = | ||
| "XSS_DIRECT_INPUT_DIV_TAG_AFTER_REMOVING_VALUES_CONTAINING_ONLOAD_EXPRESSION") | ||
| @VulnerableAppRequestMapping(value = LevelConstants.LEVEL_10, htmlTemplate = "LEVEL_1/XSS") |
There was a problem hiding this comment.
so we can reformat, level 8 method which you created can be called level 2, level 9 can be called level 3, level 10 can be called level 4 and then currently level 2 and level 3 can be called level 5 and level 6 respectively.
| return new ResponseEntity<String>(payload.toString(), HttpStatus.OK); | ||
| } | ||
|
|
||
| // Just adding User defined input(Untrusted Data) into div tag if contains |
There was a problem hiding this comment.
please add the possible payloads to break the levels.
|
|
||
| @AttackVector( | ||
| vulnerabilityExposed = VulnerabilityType.REFLECTED_XSS, | ||
| description = "XSS_DIRECT_INPUT_DIV_TAG_AFTER_REMOVING_VALUES_CONTAINING_PARANOID") |
There was a problem hiding this comment.
better to add more description than just paranoid values.
| @@ -49,6 +52,9 @@ XSS_DIRECT_INPUT_DIV_TAG=Html Tag is directly injected into div tag. | |||
| XSS_DIRECT_INPUT_DIV_TAG=Url Parameters are added directly into div tag. | |||
| XSS_DIRECT_INPUT_DIV_TAG_AFTER_REMOVING_VALUES_CONTAINING_ANCHOR_SCRIPT_AND_IMG_TAG=Url Parameters are added directly into the div tag if they are not having Script/Image and Anchor tag. | |||
| XSS_DIRECT_INPUT_DIV_TAG_AFTER_REMOVING_VALUES_CONTAINING_ANCHOR_SCRIPT_IMG_TAG_AND_ALERT_KEYWORD=Url Parameters are added directly into the div tag if they are not having Script/Image/Anchor tag and Javascript and Alert keywords. | |||
| XSS_DIRECT_INPUT_DIV_TAG_AFTER_REMOVING_VALUES_CONTAINING_EVAL_EXPRESSION=Url Parameters are added into the div tag if they are not having eval expression. | |||
| XSS_DIRECT_INPUT_DIV_TAG_AFTER_REMOVING_VALUES_CONTAINING_PARANOID=Url Parameter are added into the div tag if they are not having paranoid structure inside the url. | |||
There was a problem hiding this comment.
I think it is better to specify what is paranoid structure.
| @@ -49,6 +52,9 @@ XSS_DIRECT_INPUT_DIV_TAG=Html Tag is directly injected into div tag. | |||
| XSS_DIRECT_INPUT_DIV_TAG=Url Parameters are added directly into div tag. | |||
| XSS_DIRECT_INPUT_DIV_TAG_AFTER_REMOVING_VALUES_CONTAINING_ANCHOR_SCRIPT_AND_IMG_TAG=Url Parameters are added directly into the div tag if they are not having Script/Image and Anchor tag. | |||
| XSS_DIRECT_INPUT_DIV_TAG_AFTER_REMOVING_VALUES_CONTAINING_ANCHOR_SCRIPT_IMG_TAG_AND_ALERT_KEYWORD=Url Parameters are added directly into the div tag if they are not having Script/Image/Anchor tag and Javascript and Alert keywords. | |||
| XSS_DIRECT_INPUT_DIV_TAG_AFTER_REMOVING_VALUES_CONTAINING_EVAL_EXPRESSION=Url Parameters are added into the div tag if they are not having eval expression. | |||
| XSS_DIRECT_INPUT_DIV_TAG_AFTER_REMOVING_VALUES_CONTAINING_PARANOID=Url Parameter are added into the div tag if they are not having paranoid structure inside the url. | |||
| XSS_DIRECT_INPUT_DIV_TAG_AFTER_REMOVING_VALUES_CONTAINING_ONLOAD_EXPRESSION=Url Parameters are added directly into the div tag if the input url not having eval expressions. | |||
There was a problem hiding this comment.
| XSS_DIRECT_INPUT_DIV_TAG_AFTER_REMOVING_VALUES_CONTAINING_ONLOAD_EXPRESSION=Url Parameters are added directly into the div tag if the input url not having eval expressions. | |
| XSS_DIRECT_INPUT_DIV_TAG_AFTER_REMOVING_VALUES_CONTAINING_ONLOAD_EXPRESSION=Url Parameters are added directly into the div tag if the input url not having onload expressions. |
| * | ||
| * @author KSASAN [email protected] | ||
| */ | ||
| @VulnerableAppRestController(descriptionLabel = "XXE_VULNERABILITY", value = "XXEVulnerability") |
There was a problem hiding this comment.
I think this file was already existing. can you please check?
| InputStream in = request.getInputStream(); | ||
| // disabling external Entities and parameter Entities | ||
| SAXParserFactory spf = SAXParserFactory.newInstance(); | ||
| spf.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true); |
There was a problem hiding this comment.
I was checking this flag and seems like by default it is enabled for SAXparser.
https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-88B04BE2-35EF-4F61-B4FA-57A0E9102342.
Also, don't we need other flags to make this level secure?
| InputStream in = request.getInputStream(); | ||
| // disabling external Entities and parameter Entities | ||
| SAXParserFactory spf = SAXParserFactory.newInstance(); | ||
| spf.setFeature("http://javax.xml.XMLConstants/property/accessExternalStylesheet", ""); |
There was a problem hiding this comment.
without below lines
spf.setFeature("http://javax.xml.XMLConstants/property/accessExternalSchema", "");
spf.setFeature("http://javax.xml.XMLConstants/property/accessExternalDTD", "");
will this be secure implementation?
No description provided.