Skip to content

[Security] Stored XSS via YARA rule name on /jobs page #37

Description

@mohammed-moshii

Summary

Stored XSS in the jobs list. A malicious YARA rule name is reflected unescaped in the job_first_rule_name attribute of the Delete button.
When another user clicks Delete job!, JavaScript executes. The delete confirmation modal also inserts the rule name via jQuery .html().

Severity

High — authenticated stored XSS; session cookie has HttpOnly disabled by default.

Affected files:
web/application/views/jobs_general.php (~line 132)
web/media/main_script.js (~line 80)

Steps to reproduce

  1. Log in as a user who can submit jobs.
  2. Submit a job with this rule:

rule x" onclick="alert('XSS-by-MOSHii')" x=" {
strings:
$s = "test"
condition:
false
}

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions