Conversation
Collaborator
If this is a valid issue it should also be patched in core/main/handlers/browserdetails.rb. Browser details should not be used if they are invalid.
Contributor
Author
Cheers for the feedback, @bcoles! I've updated the code to sort out that stored XSS issue you flagged. I've also given it a good test locally by trying to inject scripts into the previously unsanitised fields, and it all looks fully sorted now. Assuming the tests pass, are we good to merge this in?
Pull Request
Thanks for submitting a PR! Please fill in this template where appropriate:
Category
Bug
Feature/Issue Description
Q: Please give a brief summary of your feature/fix
A: Patches a Stored XSS vulnerability in the Admin UI's "Hooked Browsers" tooltip and sanitizes all incoming browser details before persistence.
Q: Give a technical rundown of what you have changed (if applicable)
A:
- BeEF::Filters.has_valid_browser_details_chars? (core/filters/base.rb), where an inverted regex allowed invalid characters to pass.
- core/filters/browser.rb (is_valid_osname?, is_valid_browsername?, etc.) to explicitly reject strings containing HTML/XSS payloads by calling the corrected has_valid_browser_details_chars? function instead of just checking for non-printable characters.
- core/main/handlers/browserdetails.rb to assign safe 'Unknown' fallback values if BeEF::Filters validation fails, preventing unvalidated local variables from flowing into SQLite database instances and Terminal Logger output.
- browserdetails.rb (including proxy headers VIA/X-Forwarded-For) before persistence.
- zombiesTreeList.js to use Ext.util.Format.htmlEncode() for tooltip fields as a defense-in-depth measure.
Test Cases
Q: Describe your test cases, what you have covered and if there are any use cases that still need addressing.
A: Reproduced the XSS using a custom Python PoC script. Verified the payloads are discarded at the controller level (browserdetails.rb) and no longer persist into the SQLite database.
Wiki Page
If you are adding a new feature that is not easily understood without context, please draft a section to be added to the Wiki below.
N/A
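To make the three layers of the fix described in the PR concrete (the inverted-regex bug in the character filter, the handler-side 'Unknown' fallback, and HTML-encoding at the UI), here is an added Ruby illustration. It is not code from the BeEF project or from this PR; the function names (inverted_check?, valid_browser_details_chars?, sanitize_details, html_encode_for_tooltip), the allowed-character set and the sample hook parameters are all constructed for this example.

```ruby
require 'cgi'

# Constructed allowlist: letters, digits, whitespace and a few punctuation
# characters that typically appear in OS/browser names and version strings.
ALLOWED_CHARS = /\A[\w\s().,;:\/-]*\z/

# Buggy pattern (hypothetical reproduction of an "inverted regex"): it only
# asks whether the string contains SOME allowed character, so any string with
# a single letter in it passes, including one that also carries angle brackets.
def inverted_check?(str)
  return false unless str.is_a?(String)
  /[\w\s().,;:\/-]/.match?(str)
end

# Corrected filter: the WHOLE string must consist of allowed characters, and an
# empty string is rejected rather than silently accepted.
def valid_browser_details_chars?(str)
  return false unless str.is_a?(String)
  return false if str.empty?
  ALLOWED_CHARS.match?(str)
end

# Per-field validators, mirroring the idea of is_valid_osname? etc. delegating
# to the corrected character filter instead of a non-printable-only check.
def valid_osname?(str)       = valid_browser_details_chars?(str)
def valid_browsername?(str)  = valid_browser_details_chars?(str)
def valid_browserversion?(str) = valid_browser_details_chars?(str)

# Handler-side sanitisation: each incoming field either passes its validator or
# is replaced by the safe fallback 'Unknown' before it reaches storage or logs.
FIELD_VALIDATORS = {
  'osname'         => method(:valid_osname?),
  'browsername'    => method(:valid_browsername?),
  'browserversion' => method(:valid_browserversion?)
}.freeze

def sanitize_details(params)
  FIELD_VALIDATORS.each_with_object({}) do |(field, check), out|
    value = params[field]
    out[field] = check.call(value) ? value : 'Unknown'
  end
end

# Defence in depth for the UI layer: whatever reaches a tooltip is HTML-encoded
# (the Ruby-side analogue of Ext.util.Format.htmlEncode()).
def html_encode_for_tooltip(str)
  CGI.escapeHTML(str.to_s)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample of hook parameters, one of them carrying markup.
  sample = { 'osname' => 'Linux',
             'browsername' => '<script>x</script>',
             'browserversion' => '120.0' }
  puts "inverted check accepts markup: #{inverted_check?(sample['browsername'])}"
  puts "corrected check accepts markup: #{valid_browser_details_chars?(sample['browsername'])}"
  puts "stored details: #{sanitize_details(sample).inspect}"
  puts "tooltip text: #{html_encode_for_tooltip(sample['browsername'])}"
end
```

The buggy and corrected validators accept the same input for well-formed values such as "Windows 10", and differ only where it matters: a string containing characters outside the allowlist passes the inverted check but fails the corrected one, and the handler then stores 'Unknown' instead of the raw value.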