Enhancing Cybersecurity: Lessons from a Critical XSS Vulnerability in DMRC’s Website
My Youtube Channel : https://www.youtube.com/channel/UCCYzvUK27Yte-sxJu-lM_iw
Introduction
In the ever-evolving landscape of cybersecurity, the identification and mitigation of vulnerabilities are paramount to protecting sensitive data and ensuring the integrity of online platforms. A recent case involving the Delhi Metro Rail Corporation (DMRC) website highlights the importance of rigorous security measures. This article examines a stored cross-site scripting (XSS) vulnerability reported by security researcher Abhishek Aswal, discussing the implications and recommended solutions to enhance web application security.
Description of the XSS Vulnerability
On May 10th, 2024, a critical stored XSS vulnerability was discovered in the user profile section of the DMRC intranet website (https://intranet.dmrc.org/project/recordlist.php). The vulnerability allows an attacker to inject malicious JavaScript code into the user profile fields. This code is stored in the database and executed whenever the profile page is viewed by other users. The specific parameter identified as vulnerable was the “filter” parameter.
Steps to Reproduce
- Login with Admin Privileges: Exploitation begins by logging into the account with the default admin credentials (admin/admin). This weak password provided full administrator access.
- Injecting Malicious Code: The attacker enters a malicious payload into the vulnerable “filter” parameter. The example payload provided was:
<iframe src="javascript:alert(document.cookie);"></iframe>
- Execution of Payload: Once injected, the payload is executed whenever the profile page is viewed, leading to the theft of sensitive information or other malicious actions.
Impact
The impact of this vulnerability is significant and includes:
- Theft of Sensitive Data: Attackers can steal cookies, session tokens, and personally identifiable information.
- Phishing and Redirection: Users can be redirected to phishing websites or other malicious URLs.
- Website Defacement: Unauthorized content can be injected, leading to potential defacement of the website.
- Further Exploitation: The vulnerability can be leveraged to spread malware or launch additional attacks on other users.
Recommendations for Mitigation
To protect against such vulnerabilities, the following measures are recommended:
1. Input Validation
Ensure that all user inputs are validated to prevent the injection of malicious scripts or HTML tags. This can be achieved by:
- Implementing strict input validation rules.
- Using regular expressions to filter out potentially harmful content.
2. Output Encoding
Apply output encoding so that characters with special meaning in HTML (such as <, >, &, and quotes) are escaped before user-generated content is rendered on the website. The browser then displays any injected markup as plain text instead of interpreting it, rendering the injected code harmless.
3. Content Security Policy (CSP)
Implementing CSP headers can significantly mitigate the impact of XSS attacks. CSP restricts the sources from which resources such as scripts, stylesheets, and images can be loaded, thereby reducing the risk of malicious code execution.
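The three mitigations above, shown together in an added example that is not DMRC's code (the real page is PHP; Python is used here for illustration). It takes the exact payload quoted in the write-up as the stored “filter” value, rejects it with an assumed allow-list rule, shows the unescaped rendering the report describes beside an output-encoded rendering, and builds a CSP header that forbids inline scripts and framed content:

```python
import html
import re

# Constructed sample input: the payload quoted in the write-up, as it would sit
# in the database after being submitted through the "filter" parameter.
STORED_FILTER = '<iframe src="javascript:alert(document.cookie);"></iframe>'

# Assumed validation rule for the filter field: letters, digits, space and a few
# punctuation marks, at most 64 characters. Adjust to the application's real format.
FILTER_RE = re.compile(r"[A-Za-z0-9 _.,-]{0,64}")


def validate_filter(value: str) -> bool:
    """Input validation: accept only values that match the allow-list."""
    return FILTER_RE.fullmatch(value) is not None


def render_vulnerable(value: str) -> str:
    """The pattern the report describes: the stored value is echoed verbatim into HTML."""
    return f"<p>Filter: {value}</p>"


def render_safe(value: str) -> str:
    """Output encoding: <, >, &, and quotes are escaped before the value reaches the page."""
    return f"<p>Filter: {html.escape(value, quote=True)}</p>"


def csp_header() -> tuple:
    """CSP allowing scripts only from the site's own origin, no inline scripts, no frames."""
    policy = ("default-src 'self'; script-src 'self'; frame-src 'none'; "
              "object-src 'none'; base-uri 'self'")
    return ("Content-Security-Policy", policy)


def contains_raw_iframe(rendered: str) -> bool:
    """Check used by the demo: is an un-encoded <iframe> tag still present in the output?"""
    return "<iframe" in rendered.lower()


if __name__ == "__main__":
    print("passes validation:", validate_filter(STORED_FILTER))  # False
    print("vulnerable output:", render_vulnerable(STORED_FILTER))
    print("encoded output:   ", render_safe(STORED_FILTER))
    print("response header:  ", csp_header())
```

The encoded output still shows the submitted text to the viewer, but as literal characters the browser will not execute, and the CSP header limits the damage if an encoding step is ever missed elsewhere.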
Conclusion
The discovery of this critical stored XSS vulnerability in the DMRC website underscores the importance of robust cybersecurity practices. By implementing proper input validation, output encoding, and CSP headers, organizations can protect their web applications from such vulnerabilities and safeguard user data. Continuous monitoring and regular security assessments are essential to maintaining the security and integrity of online platforms.
For more details on the vulnerability and the proof of concept, you can watch the POC video here.
About the Researcher
Abhishek Aswal, also known as hackerhaltlive, is a cybersecurity enthusiast dedicated to discovering and reporting vulnerabilities to enhance the security of web applications. He can be reached at hackerhalt02@gmail.com.
Thank you for reading. Stay safe and secure!
For more information, you can contact Abhishek Aswal at +91 9818664157 or via email at hackerhalt02@gmail.com.