Stored XSS On Rengine #1185

Open
1 task done
mufazmi opened this issue Feb 4, 2024 · 2 comments
Labels: bug (Something isn't working), Security (Security related issues)

Comments


mufazmi commented Feb 4, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

I have identified a stored Cross-Site Scripting (XSS) vulnerability in the "rengine" automated testing tool. The vulnerability allows an attacker to inject malicious code into the application. The specific steps to reproduce the issue include logging into the application, navigating to the scan configuration page, adding a target with a malicious website URL (https://umairfarooqui.000webhostapp.com/), initiating a scan, and observing the stored XSS payload in the website title.

Expected Behavior

I expect the "rengine" application to properly validate and sanitize user inputs, preventing the injection of malicious scripts. The application should encode output appropriately to avoid the execution of scripts when displaying user-generated content, such as the website title. Additionally, implementing a Content Security Policy (CSP) and conducting regular security audits should help mitigate the risk of XSS attacks. I recommend prompt application updates and communication with the vendor to address and resolve the identified vulnerability.

Steps To Reproduce

1. Log in to the "rengine" application.
2. Navigate to the scan configuration page.
3. Add a target of a malicious website. URL: https://umairfarooqui.000webhostapp.com/
4. Click on the "Initiate Scan" button.
5. Choose a scan engine and configure it as needed.
6. Click "Start" to initiate the scan.
7. After some time, the application will store the title of the website, which contains an XSS payload. The stored payload looks like this:

<td>Admin Page <video src="_" onloadstart="alert(1)"> '';!--"<script>alert(0);</script>=&amp;{(alert(1))} | mufazmi</video></td>

POC Website Code:

<!DOCTYPE html>
<html>
<head>
    <!-- Entity-encoded title: decoded by the scanner's title grabber and then stored as raw markup -->
    <title>Admin Page &lt;video src&#x3D;_ onloadstart&#x3D;&quot;alert(1)&quot;&gt; &#x27;&#x27;;!--&quot;&lt;script&gt;alert(0);&lt;/script&gt;&#x3D;&amp;{(alert(1))} | mufazmi</title>

    <meta name="title" content="&lt;video src&#x3D;_ onloadstart&#x3D;&quot;alert(1)&quot;&gt; &#x27;&#x27;;!--&quot;&lt;script&gt;alert(0);&lt;/script&gt;&#x3D;&amp;{(alert(1))}" data-dynamic="true">
</head>
</html>

To trigger the XSS: visit the page where the stored title is displayed (the URLs page).

POC (unlisted YouTube video):

https://youtu.be/RVcmXYrEsv4

Environment

- reNgine: 
- Browser:

Anything else?

UPDATE:
I've continued to investigate and it appears that this XSS vulnerability is not limited to just one location. I've identified several other places within the "rengine" application where similar vulnerabilities exist. This suggests a broader issue that needs immediate attention.

Payload:

POC: https://youtu.be/LWTinBf_qZ0

Impact
This stored XSS vulnerability could have a severe impact on the security and integrity of the "rengine" application and its users. The potential consequences include:

Unauthorized access: An attacker can execute arbitrary JavaScript code within the context of the victim's session, leading to unauthorized actions on behalf of the victim.

Data theft: Attackers can steal sensitive data, such as cookies, session tokens, or user information, from logged-in users.

Phishing attacks: The attacker can craft malicious pages to deceive users and collect their credentials or personal information.

Malicious actions: The attacker can perform actions on behalf of the victim, such as changing account settings, initiating scans, or modifying configuration.

@mufazmi mufazmi added the bug Something isn't working label Feb 4, 2024

github-actions bot commented Feb 4, 2024

👋 Hi @mufazmi,
Issues are only for reporting a bug/feature request. Please read the documentation before raising an issue: https://rengine.wiki
For very limited support, questions, and discussions, please join the reNgine Discord channel: https://discord.gg/azv6fzhNCE
Please include all the requested and relevant information when opening a bug report. Improper reports will be closed without any response.

@psyray psyray added the Security Security related issues label Feb 21, 2024
0xtejas (Contributor) commented Apr 15, 2024

Documentation says most of the characters are filtered. I wonder how this issue can be resolved 🤔
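As an added illustration (not code from reNgine or from the reporter), the following Python harness walks through the mechanism behind this report: a title grabber decodes the HTML entities in a page's `<title>`, stores the decoded string as raw markup, and a character or tag blocklist of the kind the documentation describes cannot catch the `<video onloadstart>` form, whereas escaping at the output point neutralizes any stored value. The sample page, function names and the `contains_markup` check are constructed for this example.

```python
import html
import re

# Constructed sample page (not the reporter's PoC): the <title> is entity-encoded,
# exactly as a page would legitimately carry angle brackets in its title text.
CONSTRUCTED_PAGE = (
    "<!DOCTYPE html><html><head><title>Admin Page &lt;video src=_ "
    "onloadstart=&quot;alert(1)&quot;&gt;x&lt;/video&gt;</title></head></html>"
)


def extract_title(page: str) -> str:
    """Pull the <title> text out of a fetched page and decode its entities,
    the way a title-grabbing scanner does. The decoded string (now raw markup)
    is what ends up stored in the database."""
    m = re.search(r"<title[^>]*>(.*?)</title>", page, re.I | re.S)
    return html.unescape(m.group(1)).strip() if m else ""


def blocklist_filter(title: str) -> str:
    """Naive mitigation: strip <script> tags only. Kept here to show it is
    insufficient, since event handlers on other elements survive untouched."""
    return re.sub(r"</?script[^>]*>", "", title, flags=re.I)


def escape_for_html(title: str) -> str:
    """Correct mitigation: context-aware escaping when the value is placed into
    an HTML text node. Store the raw title, encode at every output point."""
    return html.escape(title, quote=True)


def render_cell(title: str) -> str:
    """Render the stored title into a table cell like the one in the report."""
    return f"<td>{escape_for_html(title)}</td>"


def contains_markup(fragment: str) -> bool:
    """True if the fragment still holds something a browser would parse as a tag."""
    return re.search(r"<[a-zA-Z/!]", fragment) is not None


if __name__ == "__main__":
    stored = extract_title(CONSTRUCTED_PAGE)
    print("stored:   ", stored)
    filtered = blocklist_filter(stored)
    print("blocklist:", filtered, "-> markup left:", contains_markup(filtered))
    print("escaped:  ", render_cell(stored))
```

The same escaping has to be applied in every template that prints the title (and attribute or JavaScript contexts need their own encoders); a CSP as suggested in the report limits the damage but does not replace output encoding.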
