Technical Analysis of "Stored Cross-site Scripting (XSS) on Pass Culture"

Overview:
The write-up by AETH details discovering and exploiting a Stored Cross-site Scripting (XSS) vulnerability within the Pass Culture web application. This type of vulnerability allows an attacker to inject arbitrary JavaScript into the application’s HTML content, which is then stored and executed within the context of the user's browser.

Key Technical Details:

1. Vulnerability Identification:
   The researcher identified an input field vulnerable to stored XSS by examining the web application's interaction with its backend APIs. Stored XSS typically occurs when the application stores user input in a database and then includes this stored data in the output HTML without proper sanitization.

2. Exploitation Path:

3. Input Points: The vulnerability was found in an input field used for creating or editing articles within the application. The specific endpoint handling these requests did not sanitize the input properly.
4. Payload Injection: The attacker could insert a JavaScript payload into this input field. The typical payload format used for exploitation might look like: html <script>alert('XSS');</script>

5. Payload Storage: Once injected, the payload is stored in the application's database and retrieved and rendered in the browser upon subsequent visits to the affected page.

6. JavaScript Execution:

7. Execution Context: When the application renders stored content onto the page, the payload executes within the context of the user's session. This execution can lead to hijacking user sessions, stealing cookies, or executing actions on behalf of the user.

8. Real-World Impact: The write-up demonstrates the script being executed when viewing the infected article, showing how malicious actions can be performed without user knowledge.

9. Mitigation and Recommendations:

10. Input Sanitization: The primary preventative measure is proper sanitization of user input. This involves escaping characters that can disrupt HTML context and using libraries designed to sanitize HTML, such as DOMPurify.
11. Output Encoding: Encoding the output ensures that any potentially harmful scripts are rendered harmless. For example, converting < to < and > to >.

Technical Demonstration:

The article provides the following proof-of-concept payload that demonstrates how an attacker can construct and inject a malicious script:

<script>alert('XSS by AETH');?></script>

Steps to Reproduce: 1. Access the Vulnerable Page: Navigate to the page where you can create or edit an article. 2. Inject Payload: Enter the malicious payload in the input field (e.g., the title or content of an article). 3. Save the Article: Submit the form to save the article, which stores the injected script in the database. 4. Trigger Execution: View the article with the stored payload to trigger JavaScript execution in the browser.

Key Takeaways:

• Understanding Stored XSS: Unlike reflected XSS, which requires a crafted link, stored XSS involves persistent storage of the payload in the server, making it more dangerous.
• Sanitization Approaches: Proper input sanitization and output encoding can prevent such vulnerabilities. Utilizing security libraries to handle sanitization tasks helps ensure comprehensive protection.
• Importance of Security Testing: Regular security audits and testing can identify such vulnerabilities. Automated scanners combined with manual penetration testing provide a robust validation framework.
• User Awareness: Educating users about the risks of XSS and proper handling techniques helps in creating a security-aware culture.

Conclusion:

The stored XSS vulnerability in Pass Culture exemplifies the critical need for rigorous input validation and output encoding practices. This write-up highlights a common security pitfall and provides concrete examples of how such vulnerabilities can be discovered and exploited, underscoring the importance of adhering to best practices in web application security.

For full details, check the original blog post here.