HTML-escaping of xss payload in NodeJS Applcation Path

[hunterale]

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-other-openfire-nodejs-plugin/

⚙️ Description *

In the field of Nodejs Application path in the page of the plugin, the (dangerous) characters of the vulnerable field that can cause an XSS are transformed in a way the are not dangerous any more

💻 Technical Description *

The XSS payload was inserted in the html template without escaping the dangerous characters. The fix is using the method that HTML-escapes dangerous characters in the apache.commons.text (already present in the pom of the project); the field content is now rendered in a safe way without causing xss

🐛 Proof of Concept (PoC) *

The video shows how the payload triggers the XSS after saving the change. The version of the plugin is the one on the marketplace

xss_nodejs.mp4

🔥 Proof of Fix (PoF) *

The video shows that the payload doesn't trigger XSS anymore thantk to escaping some characters. The version of the plugin is 0.1.2-SNAPSHOT.

fixed_xss_nodejs.mp4

👍 User Acceptance Testing (UAT)

After the fix, the page is still working correctly as before the fix and the XSS is not triggered anymore. All the changes made are on the way the page is rendered and no backend business logic has been changed, preserving correct functionality-

[JamieSlome]

👋 Hello, @guusdk - @hunterale has opened a PR to us with a fix for a potential vulnerability in your repository. To view the vulnerability, please refer to the bounty URL in the first comment, above.

Ultimately, you get to decide if the fix is 👍 or 👎. If you are happy with the fix, please write a new comment (@huntr-helper - LGTM) and we will open a PR to your repository with the fix. All remaining PRs for this vulnerability will be automatically closed.

If you have any questions or need support, come and join us on our community Discord!

@guusdk & @hunterale - thank you for your efforts in securing the world’s open source code! 🎉