mitigating XSS attack #218
XSS Vulnerability detail

Tested using Firefox 54.0, noted that the search functionality was vulnerable to XSS. Example is the following link:

The issue occurs as the search string is written into the HTML which provides the text input for the search. The above attack string forces an HTML breakout resulting in JavaScript code execution within the victim's browser; please see the screenshot below for a proof. The URL could be manipulated to run any arbitrary JavaScript within the victim's browser, e.g. to steal cookie information, session information / tokens etc.

I can confirm that version 2.1.5 is not susceptible to this XSS attack

I can reserve more comments for you. Since I work at GitHub I get up to

Can I get one too? I want it to appear before @Oneiroi's. I'm willing to pay for it!

I will pay more than Kenny

$100!

ok, he can have it

That's it. No more free comments!

The web form was using text provided as query params. This is now mitigated by escaping values to disable JavaScript execution.
cc @Oneiroi
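
The mitigation described in this pull request, shown as an added example that is not the project's own code: a search box rendered from a query parameter without and with escaping, plus a round-trip check usable as a regression test. The function names, the `q` parameter, the URL and the probe string are assumptions made for illustration.

```javascript
// Added example. Function names, the "q" parameter and the URL are
// hypothetical; the probe string is constructed test input.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const UNESCAPES = { amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'" };

// Encode every character that can end a quoted attribute value or open a tag.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Before: the query parameter is interpolated into the attribute as-is.
function renderSearchInputUnsafe(query) {
  return `<input type="text" name="q" value="${query}">`;
}

// After: the value is escaped at the point where it enters the HTML.
function renderSearchInput(query) {
  return `<input type="text" name="q" value="${escapeHtml(query)}">`;
}

// Read the value attribute back roughly as a browser would: stop at the first
// closing quote, then decode entities in a single pass.
function readValueAttribute(html) {
  const m = /\bvalue="([^"]*)"/.exec(html);
  if (!m) return null;
  return m[1].replace(/&(amp|lt|gt|quot|#39);/g, (_, name) => UNESCAPES[name]);
}

// URLSearchParams percent-decodes, so the handler sees the raw characters.
function queryFromUrl(url) {
  return new URL(url).searchParams.get("q") ?? "";
}

// Regression check: the search box must hold exactly the text the user sent.
function roundTrips(render, query) {
  return readValueAttribute(render(query)) === query;
}

const probeUrl = "https://app.example/search?q=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E";
const probe = queryFromUrl(probeUrl);
console.log(renderSearchInputUnsafe(probe), roundTrips(renderSearchInputUnsafe, probe));
console.log(renderSearchInput(probe), roundTrips(renderSearchInput, probe));
```

The round trip fails for the unescaped renderer because the attribute ends at the first quote in the input, which is the breakout the report describes; with escaping the input stays inside the attribute as inert text.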