Cross-site Scripting (XSS) Affecting statics-server package, versions *


Severity

high (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Mature
EPSS: 0.13% (49th percentile)

  • Snyk ID: npm:statics-server:20180714
  • published: 23 Jul 2018
  • disclosed: 14 Jul 2018
  • credit: bl4de

Introduced: 14 Jul 2018

CVE-2018-3771
CWE-79

How to fix?

There is no fix version for statics-server.

Overview

Affected versions of statics-server are vulnerable to Cross-site Scripting (XSS). The package does not perform any HTML escaping when it renders a directory index in the browser: the file-name variable v is interpolated into an <a href> element unescaped, so a file whose name contains an HTML <iframe> tag with a src attribute pointing at another HTML file in the same directory is rendered as markup rather than as text. That second file can contain malicious JavaScript code.

PoC by bl4de

    // Vulnerable directory-listing code from statics-server (PoC by bl4de).
    // Each entry name `v` returned by readdirSync is interpolated into the
    // href attribute and the link text without any HTML escaping.
    if(fs.lstatSync(staticPath).isDirectory()){
        var files=fs.readdirSync(staticPath);
        var lis='';
        files.forEach((v,i)=>{
            if(fs.lstatSync(path.resolve(staticPath,v)).isDirectory()){
                // unescaped: v lands in both the attribute value and the text node
                lis+=`<li><a href="${req.url}${v}/">${v}/</a></li>`;
            }else {
                lis+=`<li><a href="${req.url}${v}">${v}</a></li>`;
            }
        });

        (...)
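The pattern from the overview and the PoC above, as an added example that is not statics-server's own code: a minimal Node.js directory-index renderer in the same shape as the vulnerable snippet, beside a hardened version that escapes the entry name for both the href attribute and the link text. The directory entries, the file names, and the function names (renderIndexVulnerable, renderIndexSafe, escapeHtml, containsRawTag) are constructed for this example; entries are held in memory instead of being read with fs so it runs offline.

```javascript
// Added example (not statics-server's own code): directory-index renderer
// in the shape of the advisory's PoC, beside a hardened version.

// Constructed sample listing. The second entry is a file name carrying HTML
// markup, the kind of input the advisory describes.
const SAMPLE_ENTRIES = [
  { name: 'docs', isDir: true },
  { name: '<iframe src="evil.html"></iframe>', isDir: false },
  { name: 'readme.txt', isDir: false },
];

// Vulnerable renderer: mirrors the PoC, interpolating the entry name straight
// into the href attribute and the visible link text.
function renderIndexVulnerable(reqUrl, entries) {
  let lis = '';
  for (const e of entries) {
    const suffix = e.isDir ? '/' : '';
    lis += `<li><a href="${reqUrl}${e.name}${suffix}">${e.name}${suffix}</a></li>`;
  }
  return `<ul>${lis}</ul>`;
}

// Minimal HTML escaper, sufficient for text nodes and double-quoted
// attribute values: the five characters that can change HTML context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened renderer: the href is built from a percent-encoded path segment
// (so the name cannot break out of the URL) and then HTML-escaped for the
// attribute context; the visible text is HTML-escaped for the text context.
function renderIndexSafe(reqUrl, entries) {
  let lis = '';
  for (const e of entries) {
    const suffix = e.isDir ? '/' : '';
    const href = escapeHtml(reqUrl + encodeURIComponent(e.name) + suffix);
    const text = escapeHtml(e.name + suffix);
    lis += `<li><a href="${href}">${text}</a></li>`;
  }
  return `<ul>${lis}</ul>`;
}

// Cheap regression check for a listing page: it should never emit a raw
// <iframe> or <script> tag, since file names are data, not markup.
function containsRawTag(html) {
  return /<\s*(iframe|script)\b/i.test(html);
}

// Render both versions for the constructed listing and report the check.
const vulnerableHtml = renderIndexVulnerable('/', SAMPLE_ENTRIES);
const safeHtml = renderIndexSafe('/', SAMPLE_ENTRIES);
console.log('vulnerable:', vulnerableHtml);
console.log('raw tag present:', containsRawTag(vulnerableHtml));
console.log('hardened:  ', safeHtml);
console.log('raw tag present:', containsRawTag(safeHtml));
```

Running the block with node prints the two renderings; in the hardened output the iframe survives only as the literal text `&lt;iframe ...&gt;` in the link and as a percent-encoded segment in the href, so the browser treats it as a file name in both places. containsRawTag is the kind of assertion worth keeping in a test suite for any code that builds HTML from file-system names.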

Details

Cross-Site Scripting (XSS) attacks occur when an attacker tricks a user's browser into executing malicious JavaScript code in the context of a victim's domain. Such scripts can steal the user's session cookies for the domain, scrape or modify its content, and perform or modify actions on the user's behalf, actions that the browser's Same Origin Policy would normally block.

These attacks are possible by escaping the context of the web application and injecting malicious scripts into an otherwise trusted website. Such scripts can introduce additional elements (say, a "new" option in a dropdown list or a new link to a malicious site) and can execute code on the client side without the victim's knowledge. This occurs when characters like < > " ' are not escaped properly.

There are a few types of XSS:

  • Persistent XSS is an attack in which the malicious code persists into the web app’s database.
  • Reflected XSS is an attack in which the website echoes back a portion of the request. The attacker needs to trick the user into clicking a malicious link (for instance through a phishing email or malicious JS on another page), which triggers the XSS attack.
  • DOM-based XSS is an attack that occurs purely in the browser, when client-side JavaScript echoes back a portion of the URL onto the page. DOM-based XSS is notoriously hard to detect, as the server never gets a chance to see the attack taking place.

CVSS Scores (version 3.1)