It is possible to inject a command from a remote site by setting the src field of the href attribute to a malicious URL.

Now let’s see how to exploit this vulnerability in the following code.

!DOCTYPE HTML> html> head> title>Vulnerability Test/title> link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css"> link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax/libs/acrontum-filesystem-template/0.0.2/css/fontAwesome.min.css"> link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css"> link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax/libs/acrontum-filesystem-template/0.0.2/css/fontAwesome.min.css"> link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax

Steps to reproduce:

1. Open any webpage
2. Observe that the stylesheet URL is vulnerable to remote injection
3. Save the webpage with an attacker's style sheet URL as src (e.g. https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css)
4. Refresh the page and observe that the attacker's style sheet is applied
5. Click on "Show more" next to a text box and observe that the text can be overwritten
6. Repeat steps 3-5 using different URLs
7, Click on "Save" next to a text box and observe that it also can be overwritten

Timeline

Published on: 08/05/2022 05:15:00 UTC
Last modified on: 08/11/2022 18:23:00 UTC

References