Nuxeo Platform / NXP-32592

#PT22227_7 Cross Site Scripting (Self) in Collection Name Preview


    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Security

      Description

      Tested URL: https://pentest-2023.beta.nuxeocloud.com/nuxeo/api/v1/automation/Collection.Suggestion

      Severity: low

      Criticality Justification
      The impact of self-XSS can range from personal data theft and account compromise to session hijacking and malware injection. It can lead to financial loss, identity theft, and reputational damage for the victim.
      Although the impact is low in this case, the same code path might be exploitable in a different part of the application against another user.

      Steps To Reproduce
      Step 1: Log in to the Nuxeo platform as a regular user.
      Step 2: Select an existing file and click the "Add to Collection" button in the top right of the page (https://api.us.cobalt.io/v1/attachments/att_bKyJrht/preview).
      Step 3: When selecting a Collection, enter the following payload:
      \\\\\\"><img scr=x onerror=alert(document.cookie)>
      Step 4: The application tries to preview the collection name for creation, and this triggers the XSS.

      Suggested Fix

      • Always treat all user input as untrusted data.
      • Never insert untrusted data except in allowed locations.
      • Always input-encode or output-encode all data coming into or going out of the application.
      • Always whitelist allowed characters; use blacklisting of characters only in specific, well-understood cases.
      • Always use a well-known security encoding API for input and output encoding, such as the OWASP ESAPI.
      • Never write your own input and output encoders unless absolutely necessary. Chances are that someone has already written a good one.
      • Never use the DOM property innerHTML for untrusted data; use innerText or textContent instead to prevent DOM-based XSS.
      • As a best practice, consider setting the HttpOnly flag on cookies that carry session tokens or other sensitive tokens.
      • As a best practice, consider implementing a Content Security Policy to protect against XSS and other injection-type attacks.
      • As a best practice, consider using an auto-escaping templating system.
      • As a best practice, consider using the X-XSS-Protection response header.

      Prerequisites
      Authenticated user required

        People

        • Assignee: Unassigned
        • Reporter: santony Sooraj Antony