From d7c983c46f10238b691aa1e4052560f77ddd9ae2 Mon Sep 17 00:00:00 2001 From: Ryan Rudder <96507400+RRudder@users.noreply.github.com> Date: Mon, 16 Oct 2023 13:29:25 +1000 Subject: [PATCH 1/3] Deprecation of IE11 XSS findings and update to IE Only as P5 Updates based on VRT update #366 Deprecation of XSS on IE11 https://github.com/bugcrowd/vulnerability-rating-taxonomy/pull/366 --- .../ie_only/ie_eleven/.gitkeep | 0 .../ie_only/ie_eleven/recommendations.md | 16 --------- .../ie_only/ie_eleven/template.md | 30 ---------------- .../ie_only/older_version_ie_eleven/.gitkeep | 0 .../recommendations.md | 16 --------- .../older_version_ie_eleven/template.md | 30 ---------------- .../ie_only/xss_filter_disabled/.gitkeep | 0 .../xss_filter_disabled/recommendations.md | 16 --------- .../ie_only/xss_filter_disabled/template.md | 34 ------------------- 9 files changed, 142 deletions(-) delete mode 100644 submissions/description/cross_site_scripting_xss/ie_only/ie_eleven/.gitkeep delete mode 100644 submissions/description/cross_site_scripting_xss/ie_only/ie_eleven/recommendations.md delete mode 100644 submissions/description/cross_site_scripting_xss/ie_only/ie_eleven/template.md delete mode 100644 submissions/description/cross_site_scripting_xss/ie_only/older_version_ie_eleven/.gitkeep delete mode 100644 submissions/description/cross_site_scripting_xss/ie_only/older_version_ie_eleven/recommendations.md delete mode 100644 submissions/description/cross_site_scripting_xss/ie_only/older_version_ie_eleven/template.md delete mode 100644 submissions/description/cross_site_scripting_xss/ie_only/xss_filter_disabled/.gitkeep delete mode 100644 submissions/description/cross_site_scripting_xss/ie_only/xss_filter_disabled/recommendations.md delete mode 100644 submissions/description/cross_site_scripting_xss/ie_only/xss_filter_disabled/template.md
diff --git a/submissions/description/cross_site_scripting_xss/ie_only/ie_eleven/.gitkeep b/submissions/description/cross_site_scripting_xss/ie_only/ie_eleven/.gitkeep deleted file mode 100644 index e69de29b..00000000 diff --git a/submissions/description/cross_site_scripting_xss/ie_only/ie_eleven/recommendations.md b/submissions/description/cross_site_scripting_xss/ie_only/ie_eleven/recommendations.md deleted file mode 100644 index 09d5860c..00000000 --- a/submissions/description/cross_site_scripting_xss/ie_only/ie_eleven/recommendations.md +++ /dev/null @@ -1,16 +0,0 @@ -# Recommendation(s) - -There is no single technique to stop XSS from occurring. However, implementing the right combination of defensive measures within the application will prevent and limit the impact of XSS. Some best practices include the following: - -- All user input fields should be sanitized based on what the field is likely to contain. For example, a date field (01/01/2001) should only contain a maximum of 10 characters consisting of numbers and forward slashes. Additionally, drop down or pick lists can be used for allowable inputs to ensure expected values are sent to the server. -- Use appropriate HTTP response headers to ensure the browser correctly interprets responses. These should be customized specific to the application and its environment. For example: - -``` HTTP -X-Content-Type-Options: nosniff -Content-Security-Policy: default-src ‘self’; script-src ‘self’ -``` - -For more information, please see the Open Web Application Security Project (OWASP) guides located at: - -- -- diff --git a/submissions/description/cross_site_scripting_xss/ie_only/ie_eleven/template.md b/submissions/description/cross_site_scripting_xss/ie_only/ie_eleven/template.md deleted file mode 100644 index 4c22d163..00000000 --- a/submissions/description/cross_site_scripting_xss/ie_only/ie_eleven/template.md +++ /dev/null 
@@ -1,30 +0,0 @@ -# Cross-Site Scripting (Internet Explorer 11) - -## Overview of the Vulnerability - -Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of the domain. This instance of XSS can be found on the domain which allows an attacker to control code that is executed within a user’s Internet Explorer 11 browser. - -From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. - -## Business Impact - -XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. - -## Steps to Reproduce - -1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP -1. Use an Internet Explorer 11 browser to navigate to: {{URL}} -1. Forward the following request to the endpoint: - -```HTTP -{{request}} -``` - -1. Log into an account and navigate to URL which contains the payload -1. Observe the JavaScript payload being executed - -## Proof of Concept (PoC) - -Below is a screenshot demonstrating the injected JavaScript executing: - -{{screenshot}} 
diff --git a/submissions/description/cross_site_scripting_xss/ie_only/older_version_ie_eleven/.gitkeep b/submissions/description/cross_site_scripting_xss/ie_only/older_version_ie_eleven/.gitkeep deleted file mode 100644 index e69de29b..00000000 diff --git a/submissions/description/cross_site_scripting_xss/ie_only/older_version_ie_eleven/recommendations.md b/submissions/description/cross_site_scripting_xss/ie_only/older_version_ie_eleven/recommendations.md deleted file mode 100644 index 09d5860c..00000000 --- a/submissions/description/cross_site_scripting_xss/ie_only/older_version_ie_eleven/recommendations.md +++ /dev/null @@ -1,16 +0,0 @@ -# Recommendation(s) - -There is no single technique to stop XSS from occurring. However, implementing the right combination of defensive measures within the application will prevent and limit the impact of XSS. Some best practices include the following: - -- All user input fields should be sanitized based on what the field is likely to contain. For example, a date field (01/01/2001) should only contain a maximum of 10 characters consisting of numbers and forward slashes. Additionally, drop down or pick lists can be used for allowable inputs to ensure expected values are sent to the server. -- Use appropriate HTTP response headers to ensure the browser correctly interprets responses. These should be customized specific to the application and its environment. For example: - -``` HTTP -X-Content-Type-Options: nosniff -Content-Security-Policy: default-src ‘self’; script-src ‘self’ -``` - -For more information, please see the Open Web Application Security Project (OWASP) guides located at: - -- -- diff --git a/submissions/description/cross_site_scripting_xss/ie_only/older_version_ie_eleven/template.md b/submissions/description/cross_site_scripting_xss/ie_only/older_version_ie_eleven/template.md deleted file mode 100644 index afc80721..00000000 
--- a/submissions/description/cross_site_scripting_xss/ie_only/older_version_ie_eleven/template.md +++ /dev/null @@ -1,30 +0,0 @@ -# Cross-Site Scripting (Internet Explorer Older Than 11) - -## Overview of the Vulnerability - -Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of the domain. This instance of XSS can be found on the domain listed, which allows an attacker to insert code that is executed within the user's browser, as long as it is Internet Explorer prior to Version 11. - -From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. - -## Business Impact - -XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. - -## Steps to Reproduce - -1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP -1. Use an Internet Explorer browser older than version 11 to navigate to: {{URL}} -1. Forward the following request to the endpoint: - -```HTTP -{{request}} -``` - -1. Log into an account and navigate to URL which contains the payload -1. Observe the JavaScript payload being executed - -## Proof of Concept (PoC) - -Below is a screenshot demonstrating the injected JavaScript executing: - -{{screenshot}} 
diff --git a/submissions/description/cross_site_scripting_xss/ie_only/xss_filter_disabled/.gitkeep b/submissions/description/cross_site_scripting_xss/ie_only/xss_filter_disabled/.gitkeep deleted file mode 100644 index e69de29b..00000000 diff --git a/submissions/description/cross_site_scripting_xss/ie_only/xss_filter_disabled/recommendations.md b/submissions/description/cross_site_scripting_xss/ie_only/xss_filter_disabled/recommendations.md deleted file mode 100644 index 09d5860c..00000000 --- a/submissions/description/cross_site_scripting_xss/ie_only/xss_filter_disabled/recommendations.md +++ /dev/null @@ -1,16 +0,0 @@ -# Recommendation(s) - -There is no single technique to stop XSS from occurring. However, implementing the right combination of defensive measures within the application will prevent and limit the impact of XSS. Some best practices include the following: - -- All user input fields should be sanitized based on what the field is likely to contain. For example, a date field (01/01/2001) should only contain a maximum of 10 characters consisting of numbers and forward slashes. Additionally, drop down or pick lists can be used for allowable inputs to ensure expected values are sent to the server. -- Use appropriate HTTP response headers to ensure the browser correctly interprets responses. These should be customized specific to the application and its environment. For example: - -``` HTTP -X-Content-Type-Options: nosniff -Content-Security-Policy: default-src ‘self’; script-src ‘self’ -``` - -For more information, please see the Open Web Application Security Project (OWASP) guides located at: - -- -- diff --git a/submissions/description/cross_site_scripting_xss/ie_only/xss_filter_disabled/template.md b/submissions/description/cross_site_scripting_xss/ie_only/xss_filter_disabled/template.md deleted file mode 100644 index 93495d5a..00000000 --- a/submissions/description/cross_site_scripting_xss/ie_only/xss_filter_disabled/template.md +++ /dev/null 
@@ -1,34 +0,0 @@ -# Cross-Site Scripting (Internet Explorer XSS Filter Disabled) - -## Overview of the Vulnerability - -Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of the domain. XSS can be found on the domain listed which allows an attacker to insert code that is executed within the user's browser, given that it is Internet Explorer which has been misconfigured with XSS Filtering being disabled. - -From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. - -## Business Impact - -XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. - -## Steps to Reproduce - -1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP -1. Use an Internet Explorer browser to navigate to: {{URL}} -1. Using the HTTP interception proxy, intercept the page and observe in the HTTP response header for the XSS filter is missing: - -{{Screenshot}} - -1. Forward the following request to the endpoint: - -```HTTP -{{request}} -``` - -1. Log into an account and navigate to URL which contains the payload -1. Observe the JavaScript payload being executed - -## Proof of Concept (PoC) - -Below is a screenshot demonstrating the injected JavaScript executing: - -{{screenshot}} 
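Review bot: the three deleted recommendations.md files resolve to the same blob (index 09d5860c), and that shared text carries a CSP example written with typographic quotes, `Content-Security-Policy: default-src ‘self’; script-src ‘self’`, which a browser will not parse as the `'self'` keyword. Removing the IE-variant copies is fine, but if the surviving ie_only/recommendations.md was copied from the same source it should be checked and the quotes changed to straight ASCII quotes: `Content-Security-Policy: default-src 'self'; script-src 'self'`. As rendered in this patch the two OWASP bullets under "For more information" also carry no URL, so it is worth confirming the retained copy still has its links.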
From 2f7c978dbe6f1ecae0fa73b9faa6e25457d05daa Mon Sep 17 00:00:00 2001 From: Ryan Rudder <96507400+RRudder@users.noreply.github.com> Date: Mon, 16 Oct 2023 13:32:25 +1000 Subject: [PATCH 2/3] Updated wording within template to align with P5 impact --- .../cross_site_scripting_xss/ie_only/template.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/submissions/description/cross_site_scripting_xss/ie_only/template.md b/submissions/description/cross_site_scripting_xss/ie_only/template.md index d922634e..d3884756 100644 --- a/submissions/description/cross_site_scripting_xss/ie_only/template.md +++ b/submissions/description/cross_site_scripting_xss/ie_only/template.md 
@@ -4,16 +4,16 @@ Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of the domain. This instance of XSS can be found on the domain which allows an attacker to control code that is executed within a user’s Internet Explorer browser. -From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. +From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. ## Business Impact -XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. +XSS could result in reputational damage for the business through the impact to customers’ trust. ## Steps to Reproduce 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP -1. Use an Internet Explorer 11 browser to navigate to: {{URL}} +1. Use an Internet Explorer browser to navigate to: {{URL}} 1. Forward the following request to the endpoint: ```HTTP From d32fd351141b659969a5400529dbe782ca4a515d Mon Sep 17 00:00:00 2001 
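Review bot: the edits in this hunk are inconsistent with the P5 alignment the commit describes. The Business Impact paragraph is cut back to reputational damage only, but the retained Overview sentence, `From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions.`, still describes full account-takeover impact. If the severity is being reduced, the overview should state the reason: the issue only affects users of Internet Explorer, which the linked VRT #366 now treats as deprecated, rather than keeping the generic XSS impact text. The step change from `Use an Internet Explorer 11 browser` to `Use an Internet Explorer browser` is correct, since the version-specific variants were deleted in the previous patch.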
From: RRudder <96507400+RRudder@users.noreply.github.com> Date: Wed, 25 Oct 2023 15:38:48 +1000 Subject: [PATCH 3/3] Minor grammar update --- .../cross_site_scripting_xss/ie_only/template.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/submissions/description/cross_site_scripting_xss/ie_only/template.md b/submissions/description/cross_site_scripting_xss/ie_only/template.md index d3884756..0aa3e8c3 100644 --- a/submissions/description/cross_site_scripting_xss/ie_only/template.md +++ b/submissions/description/cross_site_scripting_xss/ie_only/template.md @@ -2,9 +2,7 @@ ## Overview of the Vulnerability -Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of the domain. This instance of XSS can be found on the domain which allows an attacker to control code that is executed within a user’s Internet Explorer browser. - -From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. +Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of the domain. This instance of XSS can be found on the domain which allows an attacker to control code that is executed within a user’s Internet Explorer browser. From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. ## Business Impact 
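Review bot: the change merges two paragraphs into one but leaves the grammar issue in the line it rewrites: `Javascript` (lowercase s) appears in the same sentence as `JavaScript`. Since the whole line is already being replaced, normalise it to `JavaScript` here. The merge itself is also worth reconsidering: the first three sentences define XSS generically and the last one states attacker impact, and the original paragraph break separated those two ideas, which reads more easily than one long block.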
@@ -25,6 +23,6 @@ XSS could result in reputational damage for the business through the impact to c ## Proof of Concept (PoC) -Below is a screenshot demonstrating the injected JavaScript executing: +The following screenshot(s) demonstrate(s) this vulnerability: {{screenshot}}
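Review bot: `The following screenshot(s) demonstrate(s) this vulnerability:` drops the specific claim the old line made, that the screenshot shows the injected JavaScript executing. For an IE-only finding the evidence that matters is the payload firing inside Internet Explorer, so the PoC lead-in should ask for that explicitly, e.g. `The following screenshot(s) demonstrate(s) the injected JavaScript executing in Internet Explorer:`; otherwise a submitter can satisfy the template with a screenshot from any browser and the IE-only categorisation is not evidenced.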