Xib3rR4dAr/WP_plugin_Embed-Swagger_XSS_PoC.md

## 2 changes: 1 addition & 1 deletion WP_plugin_Embed-Swagger_XSS_PoC.md
@@ -11,7 +11,7 @@

    <tr><td>Vulnerable Parameter</td><td>url</td></tr>
<tr><td>Vulnerable Parameter</td><td>url</td></tr>

    <tr><td>Proof of Concept</td><td>/wp-content/plugins/embed-swagger/swagger-iframe.php?url=xss://"-alert(document.domain)-"</td></tr>
<tr><td>Proof of Concept</td><td>/wp-content/plugins/embed-swagger/swagger-iframe.php?url=xss://"-alert(document.domain)-"</td></tr>

    <tr><td>Google Dork</td><td>inurl:/wp-content/plugins/embed-swagger</td></tr>
<tr><td>Google Dork</td><td>inurl:/wp-content/plugins/embed-swagger</td></tr>

    <tr><td>CVE</td><td>N/A</td></tr>
<tr><td>CVE</td><td>N/A</td></tr>

    <tr><td>CVE</td><td>CVE-2022-0381</td></tr>
<tr><td>CVE</td><td>CVE-2022-0381</td></tr>

    </table>
</table>


    ### Description
### Description


## 6 changes: 5 additions & 1 deletion WP_plugin_Embed-Swagger_XSS_PoC.md
@@ -39,10 +39,14 @@ Function `filter_var` with second argument `FILTER_VALIDATE_URL` is used to chec

    Line 59 prints value of parameter `url` without escaping or encoding it properly.
Line 59 prints value of parameter `url` without escaping or encoding it properly.


    ### Fix
### Fix

    Remove `<?php echo urlencode($url); ?>` from line 59. There is no need for this since value of `url` parameter is fetched from URL using JavaScript.
Remove `<?php echo urlencode($url); ?>` from line 59. There is no need for this since value of `url` parameter is fetched from URL using JavaScript.

    Remove `<?php echo $url; ?>` from line 59. There is no need for this since value of `url` parameter is fetched from URL using JavaScript. Or urlencode `$url` on line 59
Remove `<?php echo $url; ?>` from line 59. There is no need for this since value of `url` parameter is fetched from URL using JavaScript. Or urlencode `$url` on line 59

    ```php
```php

    59:						url: "",
59:						url: "",

    ```
```

    or
or

    ```php
```php

    59:						url: "<?php echo urlencode($url); ?>",
59:						url: "<?php echo urlencode($url); ?>",

    ```
```


    ### Impact
### Impact

    An attacker can share a crafted URL with victim, which when clicked/visted by victim will allow an attacker to execute malicious JavaScript in victim's browser. If any logged in admin/user is targeted, it can be used to perform administrative tasks which can lead to Remote Code Execution.
An attacker can share a crafted URL with victim, which when clicked/visted by victim will allow an attacker to execute malicious JavaScript in victim's browser. If any logged in admin/user is targeted, it can be used to perform administrative tasks which can lead to Remote Code Execution.


## 14 changes: 9 additions & 5 deletions WP_plugin_Embed-Swagger_XSS_PoC.md
@@ -1,3 +1,5 @@

    # WordPress Plugin Embed Swagger 1.0.0 - Reflected Cross-Site Scripting
# WordPress Plugin Embed Swagger 1.0.0 - Reflected Cross-Site Scripting


    <table>
<table>

    <tr><td>Exploit Title</td><td>WordPress Plugin Embed Swagger 1.0.0 - Reflected Cross-Site Scripting</td></tr>
<tr><td>Exploit Title</td><td>WordPress Plugin Embed Swagger 1.0.0 - Reflected Cross-Site Scripting</td></tr>

    <tr><td>Exploit Author</td><td>Muhammad Zeeshan (Xib3rR4dAr)</td></tr>
<tr><td>Exploit Author</td><td>Muhammad Zeeshan (Xib3rR4dAr)</td></tr>
@@ -12,7 +14,7 @@

    <tr><td>CVE</td><td>N/A</td></tr>
<tr><td>CVE</td><td>N/A</td></tr>

    </table>
</table>


    ## Description
## Description

    ### Description
### Description

    The shortcode provided by **Embed Swagger** plugin allows embedding Swagger json/yaml files into WordPress pages and posts. An iframe is used to host the external content, with some styling to mesh it with the host page or post. The external spec is rendered using Swagger UI.
The shortcode provided by **Embed Swagger** plugin allows embedding Swagger json/yaml files into WordPress pages and posts. An iframe is used to host the external content, with some styling to mesh it with the host page or post. The external spec is rendered using Swagger UI.

    During pentest of a client's wordpress site, enumerated that plugin named **Embed Swagger** v1.0.0 is in use. It allowed to import Swagger files from external URLs via **url** parameter and displayed them. Tried XSS via malicious json/yaml file hosted on external server but it was not vulnerable. Downloaded plugin for a code review and found that in file **embed-swagger/swagger-iframe.php**,  **url** parameter is reflected back in JavaScript context if input is a valid URL.
During pentest of a client's wordpress site, enumerated that plugin named **Embed Swagger** v1.0.0 is in use. It allowed to import Swagger files from external URLs via **url** parameter and displayed them. Tried XSS via malicious json/yaml file hosted on external server but it was not vulnerable. Downloaded plugin for a code review and found that in file **embed-swagger/swagger-iframe.php**,  **url** parameter is reflected back in JavaScript context if input is a valid URL.


@@ -22,8 +24,9 @@ During pentest of a client's wordpress site, enumerated that plugin named **Embe


    Function `filter_var` with second argument `FILTER_VALIDATE_URL` is used to check if URL is valid. A malicious URL such as `http://example.com/?id="-alert(1)-"` can be passed as input which will get reflected as `url: "http://example.com/?id="-alert(document.domain)-""` in JavaScript context leading to XSS.
Function `filter_var` with second argument `FILTER_VALIDATE_URL` is used to check if URL is valid. A malicious URL such as `http://example.com/?id="-alert(1)-"` can be passed as input which will get reflected as `url: "http://example.com/?id="-alert(document.domain)-""` in JavaScript context leading to XSS.


    ## Vulnerable Code
## Vulnerable Code

    ### Vulnerable Code
### Vulnerable Code

    **Vulerable File:** `/wp-content/plugins/embed-swagger/swagger-iframe.php:59`
**Vulerable File:** `/wp-content/plugins/embed-swagger/swagger-iframe.php:59`


    **Vulnerable Code:**
**Vulnerable Code:**

    ```php
```php

    ...
...
@@ -35,18 +38,19 @@ Function `filter_var` with second argument `FILTER_VALIDATE_URL` is used to chec

    ```
```

    Line 59 prints value of parameter `url` without escaping or encoding it properly.
Line 59 prints value of parameter `url` without escaping or encoding it properly.


    ## Fix
## Fix

    ### Fix
### Fix

    Remove `<?php echo urlencode($url); ?>` from line 59. There is no need for this since value of `url` parameter is fetched from URL using JavaScript.
Remove `<?php echo urlencode($url); ?>` from line 59. There is no need for this since value of `url` parameter is fetched from URL using JavaScript.

    ```php
```php

    59:						url: "",
59:						url: "",

    ```
```


    ## Impact
## Impact

    ### Impact
### Impact

    An attacker can share a crafted URL with victim, which when clicked/visted by victim will allow an attacker to execute malicious JavaScript in victim's browser. If any logged in admin/user is targeted, it can be used to perform administrative tasks which can lead to Remote Code Execution.
An attacker can share a crafted URL with victim, which when clicked/visted by victim will allow an attacker to execute malicious JavaScript in victim's browser. If any logged in admin/user is targeted, it can be used to perform administrative tasks which can lead to Remote Code Execution.


    ## Proof of Concept
## Proof of Concept

    ### Proof of Concept
### Proof of Concept


    **Payload:** `xss://"-alert(document.domain)-"`
**Payload:** `xss://"-alert(document.domain)-"`


    **PoC:** `http://127.0.0.1/wp-content/plugins/embed-swagger/swagger-iframe.php?url=xss://"-alert(document.domain)-"`
**PoC:** `http://127.0.0.1/wp-content/plugins/embed-swagger/swagger-iframe.php?url=xss://"-alert(document.domain)-"`


    ![image](https://user-images.githubusercontent.com/24238512/150699193-2872cbc7-7604-44b8-a93c-59d708ee0201.png)
![image](https://user-images.githubusercontent.com/24238512/150699193-2872cbc7-7604-44b8-a93c-59d708ee0201.png)


## 55 changes: 55 additions & 0 deletions WP_plugin_Embed-Swagger_XSS_PoC.md
@@ -0,0 +1,55 @@

    <table>
<table>

    <tr><td>Exploit Title</td><td>WordPress Plugin Embed Swagger 1.0.0 - Reflected Cross-Site Scripting</td></tr>
<tr><td>Exploit Title</td><td>WordPress Plugin Embed Swagger 1.0.0 - Reflected Cross-Site Scripting</td></tr>

    <tr><td>Exploit Author</td><td>Muhammad Zeeshan (Xib3rR4dAr)</td></tr>
<tr><td>Exploit Author</td><td>Muhammad Zeeshan (Xib3rR4dAr)</td></tr>

    <tr><td>Date</td><td>January 21, 2022</td></tr>
<tr><td>Date</td><td>January 21, 2022</td></tr>

    <tr><td>Plugin Link</td><td><a href="https://wordpress.org/plugins/embed-swagger/">Embed Swagger</a></td></tr>
<tr><td>Plugin Link</td><td><a href="https://wordpress.org/plugins/embed-swagger/">Embed Swagger</a></td></tr>

    <tr><td>Version</td><td>1.0.0 (Latest)</td></tr>
<tr><td>Version</td><td>1.0.0 (Latest)</td></tr>

    <tr><td>Tested on</td><td>Wordpress 5.8.3</td></tr>
<tr><td>Tested on</td><td>Wordpress 5.8.3</td></tr>

    <tr><td>Vulnerable File:Line</td><td>/wp-content/plugins/embed-swagger/swagger-iframe.php:59</td></tr>
<tr><td>Vulnerable File:Line</td><td>/wp-content/plugins/embed-swagger/swagger-iframe.php:59</td></tr>

    <tr><td>Vulnerable Parameter</td><td>url</td></tr>
<tr><td>Vulnerable Parameter</td><td>url</td></tr>

    <tr><td>Proof of Concept</td><td>/wp-content/plugins/embed-swagger/swagger-iframe.php?url=xss://"-alert(document.domain)-"</td></tr>
<tr><td>Proof of Concept</td><td>/wp-content/plugins/embed-swagger/swagger-iframe.php?url=xss://"-alert(document.domain)-"</td></tr>

    <tr><td>Google Dork</td><td>inurl:/wp-content/plugins/embed-swagger</td></tr>
<tr><td>Google Dork</td><td>inurl:/wp-content/plugins/embed-swagger</td></tr>

    <tr><td>CVE</td><td>N/A</td></tr>
<tr><td>CVE</td><td>N/A</td></tr>

    </table>
</table>


    ## Description
## Description

    The shortcode provided by **Embed Swagger** plugin allows embedding Swagger json/yaml files into WordPress pages and posts. An iframe is used to host the external content, with some styling to mesh it with the host page or post. The external spec is rendered using Swagger UI.
The shortcode provided by **Embed Swagger** plugin allows embedding Swagger json/yaml files into WordPress pages and posts. An iframe is used to host the external content, with some styling to mesh it with the host page or post. The external spec is rendered using Swagger UI.

    During pentest of a client's wordpress site, enumerated that plugin named **Embed Swagger** v1.0.0 is in use. It allowed to import Swagger files from external URLs via **url** parameter and displayed them. Tried XSS via malicious json/yaml file hosted on external server but it was not vulnerable. Downloaded plugin for a code review and found that in file **embed-swagger/swagger-iframe.php**,  **url** parameter is reflected back in JavaScript context if input is a valid URL.
During pentest of a client's wordpress site, enumerated that plugin named **Embed Swagger** v1.0.0 is in use. It allowed to import Swagger files from external URLs via **url** parameter and displayed them. Tried XSS via malicious json/yaml file hosted on external server but it was not vulnerable. Downloaded plugin for a code review and found that in file **embed-swagger/swagger-iframe.php**,  **url** parameter is reflected back in JavaScript context if input is a valid URL.


    ![image](https://user-images.githubusercontent.com/24238512/150692246-eee9f58e-197e-4375-a852-2d8ca137b0a0.png)
![image](https://user-images.githubusercontent.com/24238512/150692246-eee9f58e-197e-4375-a852-2d8ca137b0a0.png)


    ![image](https://user-images.githubusercontent.com/24238512/150692308-1d2cd71c-dd43-4c30-a0aa-bee05099e3d2.png)
![image](https://user-images.githubusercontent.com/24238512/150692308-1d2cd71c-dd43-4c30-a0aa-bee05099e3d2.png)


    Function `filter_var` with second argument `FILTER_VALIDATE_URL` is used to check if URL is valid. A malicious URL such as `http://example.com/?id="-alert(1)-"` can be passed as input which will get reflected as `url: "http://example.com/?id="-alert(document.domain)-""` in JavaScript context leading to XSS.
Function `filter_var` with second argument `FILTER_VALIDATE_URL` is used to check if URL is valid. A malicious URL such as `http://example.com/?id="-alert(1)-"` can be passed as input which will get reflected as `url: "http://example.com/?id="-alert(document.domain)-""` in JavaScript context leading to XSS.


    ## Vulnerable Code
## Vulnerable Code

    **Vulerable File:** `/wp-content/plugins/embed-swagger/swagger-iframe.php:59`
**Vulerable File:** `/wp-content/plugins/embed-swagger/swagger-iframe.php:59`

    **Vulnerable Code:**
**Vulnerable Code:**

    ```php
```php

    ...
...

    8:	$url = $_GET['url'];
8:	$url = $_GET['url'];

    9:	$url = filter_var( $url, FILTER_VALIDATE_URL );
9:	$url = filter_var( $url, FILTER_VALIDATE_URL );

    ...
...

    59:						url: "<?php echo $url; ?>",
59:						url: "<?php echo $url; ?>",

    ...
...

    ```
```

    Line 59 prints value of parameter `url` without escaping or encoding it properly.
Line 59 prints value of parameter `url` without escaping or encoding it properly.


    ## Fix
## Fix

    Remove `<?php echo urlencode($url); ?>` from line 59. There is no need for this since value of `url` parameter is fetched from URL using JavaScript.
Remove `<?php echo urlencode($url); ?>` from line 59. There is no need for this since value of `url` parameter is fetched from URL using JavaScript.

    ```php
```php

    59:						url: "",
59:						url: "",

    ```
```


    ## Impact
## Impact

    An attacker can share a crafted URL with victim, which when clicked/visted by victim will allow an attacker to execute malicious JavaScript in victim's browser. If any logged in admin/user is targeted, it can be used to perform administrative tasks which can lead to Remote Code Execution.
An attacker can share a crafted URL with victim, which when clicked/visted by victim will allow an attacker to execute malicious JavaScript in victim's browser. If any logged in admin/user is targeted, it can be used to perform administrative tasks which can lead to Remote Code Execution.


    ## Proof of Concept
## Proof of Concept


    **Payload:** `xss://"-alert(document.domain)-"`
**Payload:** `xss://"-alert(document.domain)-"`

    **PoC:** `http://127.0.0.1/wp-content/plugins/embed-swagger/swagger-iframe.php?url=xss://"-alert(document.domain)-"`
**PoC:** `http://127.0.0.1/wp-content/plugins/embed-swagger/swagger-iframe.php?url=xss://"-alert(document.domain)-"`


    ![image](https://user-images.githubusercontent.com/24238512/150699193-2872cbc7-7604-44b8-a93c-59d708ee0201.png)
![image](https://user-images.githubusercontent.com/24238512/150699193-2872cbc7-7604-44b8-a93c-59d708ee0201.png)


    ![image](https://user-images.githubusercontent.com/24238512/150699217-491c452d-e09a-4998-8a6f-7e39565e467e.png)
![image](https://user-images.githubusercontent.com/24238512/150699217-491c452d-e09a-4998-8a6f-7e39565e467e.png)