Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bug report: [XBOW-024-089] XSS in CyberChef Recipe Parameter via Malformed Operation #1949

Open
xbow-security opened this issue Dec 11, 2024 · 0 comments
Labels

Comments

@xbow-security
Copy link

Disclaimer

This vulnerability was detected using XBOW, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports.

Description

A Cross-site Scripting (XSS) vulnerability was discovered in CyberChef v10.19.4 in the recipe parameter handling. The vulnerability allows an attacker to inject arbitrary JavaScript code that gets executed when the victim visits a specially crafted URL.

The vulnerability exists because CyberChef's recipe parser does not properly sanitize the 'op' field in recipe objects. When a malformed recipe containing HTML/JavaScript in the operation name is loaded, the content is rendered into the page DOM, allowing script execution.

This vulnerability can be classified as a DOM-based XSS since the payload is part of the URL hash which gets parsed and rendered by the client-side JavaScript.

Steps to reproduce

  1. Create a malicious recipe object containing an HTML img tag with an onerror event handler in the "op" field:
[{
  "op": "<img src=x onerror=alert('XSS')>",
  "args": ["x"]
}]
  1. URL encode the recipe object
  2. Construct a URL to CyberChef using the encoded payload in the #recipe parameter, such as #recipe=%5b%7b%0a%20%20%22%6f%70%22%3a%20%22%3c%69%6d%67%20%73%72%63%3d%78%20%6f%6e%65%72%72%6f%72%3d%61%6c%65%72%74%28%27%58%53%53%27%29%3e%22%2c%0a%20%20%22%61%72%67%73%22%3a%20%5b%22%78%22%5d%0a%7d%5d
  3. When a victim visits the URL, the malformed recipe is loaded and the XSS payload executes
  • https://gchq.github.io/CyberChef/#recipe=%5b%7b%0a%20%20%22%6f%70%22%3a%20%22%3c%69%6d%67%20%73%72%63%3d%78%20%6f%6e%65%72%72%6f%72%3d%61%6c%65%72%74%28%27%58%53%53%27%29%3e%22%2c%0a%20%20%22%61%72%67%73%22%3a%20%5b%22%78%22%5d%0a%7d%5d

Mitigations

  • Implement proper input validation and sanitization for recipe parameters
  • Strip or encode HTML special characters in operation names before rendering them to the DOM
  • Consider implementing a Content Security Policy (CSP) to restrict script execution
  • Only allow known operation names from a whitelist

Impact

The vulnerability allows execution of arbitrary JavaScript code in the victim's browser context when they visit a malicious URL. This could lead to misleading analysis from operators.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

1 participant