Xporter for Jira / XPORTER-4199

AMS-25704 - Stored XSS via BulkExportDetails


Details

    • Xray 2024 S6
    • OK

    Description

      Reflected Cross-Site Scripting (Non-self)

      Overview of the Vulnerability

      Reflected Cross-Site Scripting (XSS) is an injection attack in which attacker-controlled input is returned by the server in its response and executed as script in the victim's browser. In this app the referer query parameter of BulkExportDetails.jspa is used as the target of the "Back to Issue" link without its scheme being checked, so a crafted URL carrying referer=javascript:... executes arbitrary JavaScript in the context of the Jira domain as soon as the user who opened the link clicks that button. Although the issue summary labels this as stored XSS, the submission classifies it as reflected: the payload travels in the URL and is not persisted by the app.

      When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session.

      Business Impact

      Reflected XSS could lead to data theft through the attacker's ability to manipulate data via the victim's access to the application, and to interact with other users and carry out further attacks that appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact on customer trust.

      Steps to Reproduce

      1. Set up Jira Data Center and install the app.
      2. Open http://your_jira/secure/views/bulkedit/BulkExportDetails.jspa?fromIssueNavigator=false&referer=javascript:alert(%22XSS!%22)
      3. Click the "Back to Issue" button.
      4. An alert pops up, confirming that the JavaScript supplied in the referer parameter executed.

      Proof of Concept (PoC)

      Video is attached.

      Submission details
        Version: 1.10.1
        VRT category: Cross-Site Scripting (XSS) > Reflected > Non-Self
        Target: https://marketplace.atlassian.com/apps/891368/xporter-export-issues-from-jira?hosting=datacenter&tab=overview
        Bug URL:
      Remediation

      Always treat all user input as untrusted data. For this issue specifically, the referer parameter is a return URL that ends up in the href of the "Back to Issue" link, so output encoding alone will not stop it: a javascript: URL contains nothing that HTML attribute encoding changes. Validate the parameter before using it as a link target, accepting only a relative path on the Jira instance (or a URL whose origin matches the Jira base URL) and falling back to a fixed default otherwise.

      1. Never insert untrusted data except in allowed locations.
      2. Always input- or output-encode all data coming into or out of the application.
      3. Always whitelist allowed characters; use blacklisting only in specific, well-understood cases.
      4. Always use a well-known security encoding API for input and output encoding, such as the OWASP ESAPI.
      5. Never write your own input or output encoders unless absolutely necessary; a well-tested one almost certainly already exists.
      6. Never assign untrusted data to the DOM property innerHTML; use innerText or textContent instead to prevent DOM-based XSS.
      7. As a best practice, set the HttpOnly flag on cookies that carry session or other sensitive tokens.
      8. As a best practice, implement a Content Security Policy to protect against XSS and other injection attacks.
      9. As a best practice, use an auto-escaping templating system.
      10. The original guidance also lists the X-XSS-Protection response header, but it is deprecated and ignored by current browsers (Chrome and Edge removed their XSS auditor, Firefox never implemented one), so it must not be relied on; a Content Security Policy is the supported replacement.

      References
        * https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)
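      The following is an added example, not code from Xporter or Atlassian, showing both the mechanism behind the steps to reproduce above and the return-URL validation the remediation calls for. It assumes a hypothetical Jira base URL (http://jira.example), a hypothetical default return path (/issues/), and hypothetical function names; the Jira plugin itself would do the same check server-side in Java (resolving against the configured base URL with java.net.URI and comparing scheme, host and port) before emitting the link.

```javascript
// Added example (not Xporter's or Atlassian's code): validating a return URL such as
// the referer parameter of BulkExportDetails.jspa before using it as a link target.
// Assumptions: a hypothetical Jira base URL and a hypothetical default return path.
const JIRA_BASE = "http://jira.example";  // hypothetical; use the instance's configured base URL
const DEFAULT_BACK = "/issues/";          // hypothetical fallback used when referer is rejected

// Minimal HTML attribute encoder, the kind an auto-escaping template engine applies.
function escapeAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable pattern: the parameter is encoded for the attribute context and dropped into
// href. Encoding is not enough here: a javascript: URL needs no encoding to survive, and
// the browser runs it when the link is clicked.
function renderBackLinkUnsafe(referer) {
  return `<a href="${escapeAttr(referer)}">Back to Issue</a>`;
}

// Hardened: resolve the value with the WHATWG URL parser (global in Node) against the Jira
// base URL and keep it only if the resulting origin is the Jira origin. This rejects
// javascript:, data:, vbscript:, protocol-relative "//evil", backslash variants and
// case/whitespace tricks ("JaVaScRiPt:", "java\tscript:"), because the parser normalises
// them before the origin comparison. The caller gets back a relative path, never a scheme.
function safeReturnPath(referer, base = JIRA_BASE) {
  if (typeof referer !== "string" || referer.trim() === "") return DEFAULT_BACK;
  let candidate;
  try {
    candidate = new URL(referer, base);   // relative paths resolve against base
  } catch {
    return DEFAULT_BACK;                  // unparseable input
  }
  const baseUrl = new URL(base);
  // Non-http(s) schemes such as javascript: and data: yield origin "null", so they fail here.
  if (candidate.origin !== baseUrl.origin) return DEFAULT_BACK;
  return candidate.pathname + candidate.search + candidate.hash;
}

function renderBackLink(referer) {
  return `<a href="${escapeAttr(safeReturnPath(referer))}">Back to Issue</a>`;
}

// Constructed inputs: the submission's payload plus variants an attacker would try.
const SAMPLES = [
  'javascript:alert("XSS!")',
  "JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "//evil.example/phish",
  "\\\\evil.example/phish",
  "http://jira.example.evil.example/",
  "http://jira.example/browse/TEST-1?filter=1#comment-2",
  "/browse/TEST-1",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const s of SAMPLES) {
    console.log(JSON.stringify(s), "->", safeReturnPath(s));
  }
  console.log(renderBackLinkUnsafe(SAMPLES[0]));  // javascript: survives attribute encoding
  console.log(renderBackLink(SAMPLES[0]));        // falls back to DEFAULT_BACK
}
```

      Run it with node to see each constructed sample mapped to either a same-origin path or the default. The origin comparison is done on the parsed URL rather than with a string prefix check on purpose: prefix checks miss leading whitespace, mixed case, embedded tabs and backslash-for-slash substitutions that browsers silently normalise.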

            People

              nikhil.diwan Nikhil Diwan
              helder.ferreira Helder Ferreira