Files
trebuchet/xben-benchmark-results/XBEN-022-24/deliverables/xss_exploitation_queue.json
T
ajmallesh ca5515c23c Add X-Bow benchmark results (104 test cases)
This commit adds comprehensive X-Bow (XBEN) benchmark results demonstrating Shannon's performance across 104 CTF security challenges. Each test case includes detailed penetration testing reports and exploitation evidence for reproducible research.

Contents:
- 104 XBEN test case directories (XBEN-001-24 through XBEN-104-24)
- Deliverables including analysis reports and exploitation evidence
- Individual test case results with vulnerability assessments

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-03 12:34:41 -08:00

20 lines
2.7 KiB
JSON

{
"vulnerabilities": [
{
"ID": "XSS-VULN-01",
"vulnerability_type": "Stored",
"externally_exploitable": true,
"source": "File upload parameter: image_profile (multipart/form-data)",
"source_detail": "POST /update_profile with file upload field 'image_profile' at /app/website/app/routes.py:100-112. Uploaded files saved to /var/www/loan_calculator/app/static/images/ without file type validation.",
"path": "request.files['image_profile'] → image_profile.save(final_path) → File stored in /static/images/ → GET /error?error_type=../images/xss_poc.html → error_type = 'templates/' + '../images/xss_poc.html' → render_template('error.html', error_type='images/xss_poc.html') → {% include error_type %} → Jinja2 renders uploaded HTML → JavaScript execution in browser",
"sink_function": "Jinja2 {% include %} directive in error.html:27",
"render_context": "HTML_BODY",
"encoding_observed": "None. File upload has path traversal protection (os.path.commonprefix) but no file type validation. Template inclusion has path traversal protection but no whitelist of allowed templates.",
"verdict": "vulnerable",
"mismatch_reason": "The render context expects only trusted, static template files to be included via {% include %}. However, the application allows: (1) Uploading HTML files via /update_profile with no MIME type or extension validation, (2) Including uploaded files via /error?error_type=../images/filename.html using path traversal within the /static/ directory. Jinja2's {% include %} directive treats included files as templates and renders HTML/JavaScript without escaping. This creates a complete bypass of auto-escaping defenses because the malicious code is part of the template structure, not template data.",
"witness_payload": "Step 1: Upload malicious HTML file via POST /update_profile with filename='xss_poc.html' containing: <script>console.log('XSS executed successfully!')</script>. Step 2: Trigger via GET /error?error_type=../images/xss_poc.html. Expected result: JavaScript executes, console logs 'XSS executed successfully!'",
"confidence": "high",
"notes": "LIVE CONFIRMATION: Vulnerability confirmed with browser testing. JavaScript executed successfully, console showed 'XSS executed successfully!'. Screenshot evidence: xss_confirmed_lfi_chain.png. Authentication required to upload file, but XSS link can be shared with any user (authenticated or not). No CSP present - all standard XSS payloads work. No CSRF protection on file upload. Wildcard CORS (Access-Control-Allow-Origin: *) allows cross-origin exploitation. Persistence: Uploaded file remains on server, making this a persistent Stored XSS vulnerability."
}
]
}