Disclaimer
This vulnerability was detected using XBOW, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports.
Description
A Cross-site Scripting (XSS) vulnerability was discovered in CyberChef v10.19.4 in its handling of the recipe parameter. The vulnerability allows an attacker to inject arbitrary JavaScript that executes when the victim visits a specially crafted URL.
The vulnerability exists because CyberChef's recipe parser does not validate or sanitize the 'op' field of recipe objects. When a malformed recipe whose operation name contains HTML/JavaScript is loaded, that name is rendered into the page DOM as markup, allowing script execution.
This is a DOM-based XSS: the payload travels in the URL fragment (the part after '#'), which is never sent to the server and is parsed and rendered entirely by client-side JavaScript.
Steps to reproduce
1. Create a malicious recipe object containing an HTML img tag with an onerror event handler in the "op" field:
2. Construct a URL to CyberChef using the URL-encoded payload in the #recipe parameter, such as #recipe=%5b%7b%0a%20%20%22%6f%70%22%3a%20%22%3c%69%6d%67%20%73%72%63%3d%78%20%6f%6e%65%72%72%6f%72%3d%61%6c%65%72%74%28%27%58%53%53%27%29%3e%22%2c%0a%20%20%22%61%72%67%73%22%3a%20%5b%22%78%22%5d%0a%7d%5d
3. When a victim visits the URL, the malformed recipe is loaded and the XSS payload executes.
Mitigations
Implement proper input validation and sanitization for recipe parameters.
Strip or encode HTML special characters in operation names before rendering them to the DOM.
Consider implementing a Content Security Policy (CSP) to restrict script execution.
Only allow known operation names from a whitelist.
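As an added illustration of the last two mitigations (not CyberChef's own code), the loader below decodes a "#recipe=" fragment, rejects any step whose "op" is not in an allowlist of registered operation names, and escapes a name before it could ever reach innerHTML. The allowlist, the sample recipes and all function names are assumptions made for this example.

```javascript
// Added example, not CyberChef's code: a hardened "#recipe=" loader.
// Constructed allowlist standing in for the real operation registry.
const KNOWN_OPS = new Set(["To Base64", "From Base64", "To Hex", "From Hex"]);

// HTML-escape a string for the rare case where a validated name is rendered
// as markup; untrusted input must never reach innerHTML unescaped.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Returns { ok: true, steps } for a valid recipe or { ok: false, reason }.
// It never throws on attacker-controlled input.
function loadRecipeFromHash(hash, knownOps = KNOWN_OPS) {
  const m = /^#?recipe=(.*)$/s.exec(hash);
  if (!m) return { ok: false, reason: "no recipe parameter" };
  let recipe;
  try {
    recipe = JSON.parse(decodeURIComponent(m[1]));
  } catch (e) {
    return { ok: false, reason: "recipe is not valid JSON" }; // bad %-encoding lands here too
  }
  if (!Array.isArray(recipe)) return { ok: false, reason: "recipe must be an array" };
  const steps = [];
  for (const [i, step] of recipe.entries()) {
    if (!step || typeof step !== "object" || typeof step.op !== "string") {
      return { ok: false, reason: `step ${i}: missing or non-string "op"` };
    }
    // The allowlist check is what closes the hole: a name that is not a
    // registered operation is rejected instead of being rendered.
    if (!knownOps.has(step.op)) {
      return { ok: false, reason: `step ${i}: unknown operation ${JSON.stringify(step.op)}` };
    }
    steps.push({ op: step.op, args: Array.isArray(step.args) ? step.args : [] });
  }
  return { ok: true, steps };
}

// Constructed sample fragments: a legitimate recipe and one whose op name is markup.
const GOOD_HASH = "#recipe=" + encodeURIComponent(JSON.stringify([{ op: "To Base64", args: [] }]));
const BAD_HASH = "#recipe=" + encodeURIComponent(JSON.stringify([{ op: "<b>not an op</b>", args: ["x"] }]));
```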
Impact
The vulnerability allows execution of arbitrary JavaScript in the victim's browser context when they visit a malicious URL. Because CyberChef is used as an analysis tool, a script running in the operator's session could also tamper with what the operator sees and so mislead their analysis.