Potential vulnerability in JSON response returning base 64 encoded image data, with the response being vulnerable to MIME sniffing

A JSON response in the API of a webapp is returning the base64 of a user-uploaded image, and there’s no X-Content-Type-Options Header to prevent MIME sniffing.

Could this be a potential vulnerability such as an XSS for the webapp by using steganography to edit the image with a payload, uploading it, and then MIME sniffing the JSON response? (or by any other means?)
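The defensive side of the question above, as an added example that is not part of the original post: the two headers that decide whether a browser may second-guess a JSON body are an exact Content-Type and X-Content-Type-Options: nosniff. The code builds such a response for a base64 image and audits a captured response for the same two properties. The image bytes and the captured weak response are constructed for the example; the function names are assumptions, not an API of any framework.

```python
import base64
import json

# Constructed sample bytes standing in for a user-uploaded image (not a real picture).
SAMPLE_IMAGE_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

# Constructed capture of a weak response: vague content type, no nosniff header.
WEAK_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                 b"Content-Type: text/plain\r\n"
                 b"\r\n"
                 b'{"image":"iVBORw0KGgo="}')


def build_image_json_response(image_bytes: bytes) -> tuple[dict, bytes]:
    """Return (headers, body) for a JSON response that carries the image as base64."""
    body = json.dumps({"image": base64.b64encode(image_bytes).decode("ascii")}).encode("utf-8")
    headers = {
        "Content-Type": "application/json; charset=utf-8",  # exact, unambiguous type
        "X-Content-Type-Options": "nosniff",                # forbid content-type guessing
        "Content-Length": str(len(body)),
    }
    return headers, body


def decode_image_from_body(body: bytes) -> bytes:
    """Inverse of the builder: pull the base64 field back out of the JSON body."""
    return base64.b64decode(json.loads(body.decode("utf-8"))["image"])


def parse_response_headers(raw: bytes) -> dict:
    """Split a captured HTTP/1.1 response head into a header dict (status line dropped)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip()] = value.strip()
    return headers


def audit_json_response_headers(headers: dict) -> list[str]:
    """Findings for a JSON API response; an empty list means both controls are present."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    content_type = lower.get("content-type", "").lower()
    if not content_type.startswith("application/json"):
        findings.append("Content-Type should be application/json, got %r" % content_type)
    if lower.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff is missing")
    return findings


if __name__ == "__main__":
    hdrs, body = build_image_json_response(SAMPLE_IMAGE_BYTES)
    print("hardened:", audit_json_response_headers(hdrs))
    print("captured:", audit_json_response_headers(parse_response_headers(WEAK_RESPONSE)))
```

The audit is what a scanner check for this finding amounts to: a JSON body is only as safe from sniffing as the two headers that label it.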

ASP.Net XSS – How does this vulnerability work

I have been tasked with fixing an XSS issue in an ASP.Net application, but I have never seen this kind of attack before, so first it would be great if I could understand how this is working, and then I need some help because I haven’t been able to fix it.

The attack goes like so:

https://example.com/AnyPageInTheApplication.aspx/(A('onerror='alert%601%60'testabcd))/ 

When I look at the network tab in Chrome’s dev tools I see that the request has been hijacked by the last section of the URL and the alert shows up, but I do not know how this is working. An explanation would be greatly appreciated.

To fix it I first looked at the application web.config file and I saw that the validateRequest switch is disabled so I changed it to true and the vulnerability is still there.

The application is really large and, according to some documentation on it, apparently they disabled the validateRequest switch because it is supposed to be handled on the server by some backend code (obviously not working), and I have yet to find out what the reasons are for this application to be designed this way (I’m very new to the company).

This issue begs a few questions:

  • Why does enabling the validateRequest switch not fix the issue?
  • Where else could I look for the potential problem?
  • Is there an alternative to fix this vulnerability other than validateRequest?
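On the third bullet above, the control that works independently of validateRequest is output encoding for the context the value is rendered in. The added example below is not from the post or the application; it uses Python to show the principle on the path segment from the question's URL, encoding it once for the URL context and once for the HTML contexts it is echoed into. In ASP.Net the corresponding calls are HttpUtility.UrlEncode, HttpUtility.HtmlAttributeEncode and HttpUtility.HtmlEncode; the function names here are assumptions.

```python
from html import escape
from urllib.parse import quote

# Constructed sample: the path segment from the question's URL, after URL-decoding.
REFLECTED_PATH_INFO = "(A('onerror='alert`1`'testabcd))"


def reflect_path_as_link(path_info: str) -> str:
    """Echo an untrusted path segment into a link, encoding for each output context.

    - href value: percent-encode for the URL context, then attribute-encode
    - link text: HTML-encode, with quotes included so no attribute can be closed
    """
    href = quote(path_info, safe="/")
    return (f'<a href="{escape(href, quote=True)}">'
            f'{escape(path_info, quote=True)}</a>')


def survives_raw(markup: str, fragments=("'", '"', "<", ">")) -> list[str]:
    """Return which delimiter characters appear unencoded in the rendered markup
    apart from the ones the template itself emitted (used to check the output)."""
    # Strip the template's own fixed markup so only reflected characters are examined.
    inner = markup[len('<a href="'):].replace('">', "", 1).removesuffix("</a>")
    return [frag for frag in fragments if frag in inner]


if __name__ == "__main__":
    print(reflect_path_as_link(REFLECTED_PATH_INFO))
```

Input validation on the request side can be bypassed or, as in the question, may not cover the part of the request being reflected; encoding at the point of output does not depend on where the value came from.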

How can wkhtmltopdf be used without introducing a security vulnerability?

Background

Per the project website, wkhtmltopdf is a "command line tool to render HTML into PDF using the Qt WebKit rendering engine. It runs entirely "headless" and does not require a display or display service."

The website also states that "Qt 4 (which wkhtmltopdf uses) hasn’t been supported since 2015, the WebKit in it hasn’t been updated since 2012."

And finally, it makes the recommendation "Do not use wkhtmltopdf with any untrusted HTML – be sure to sanitize any user-supplied HTML/JS, otherwise it can lead to complete takeover of the server it is running on!"


Context

My intention is to provide wkhtmltopdf as part of an application to be installed on a Windows computer. This may or may not be relevant to the question.


Qualifiers / Additional Information

  • A flag is provided by wkhtmltopdf to disable JavaScript (--disable-javascript). This question assumes that this flag functions correctly and thus will count all <script> tags as benign. They are of no concern.
  • This question is not related to the invocation of wkhtmltopdf – the source HTML will be provided via a file (not the CLI / STDIN) and the actual command to run wkhtmltopdf has no chance of being vulnerable.
  • Specifically, this question relates to "untrusted HTML" and "sanitize any user-supplied HTML/JS".
  • Any malicious user that is able to send "untrusted" HTML to this application will not receive the resultant PDF back. That PDF will only temporarily exist for the purpose of printing and then be immediately deleted.
  • Even someone with 100% working knowledge of all of the wkhtmltopdf/webkit/qt source code cannot concretely state that they have zero vulnerabilities or how to safeguard against unknown vulnerabilities. This question is not seeking guarantees, just an understanding of the known approaches to compromising this or similar software.

Questions

What is the goal of sanitization in this context? Is the goal to guard against unexpected external resources? (e.g. <iframe>, <img>, <link> tags). Or are there entirely different classes of vulnerabilities that we can’t even safely enumerate? For instance, IE6 could be crashed with a simple line of HTML/CSS… could some buffer overflow exist that causes this old version of WebKit to be vulnerable to code injection?

What method of sanitizing should be employed? Should we whitelist HTML tags/attributes and CSS properties/values? Should we remove all references to external URI protocols (http, https, ftp, etc.)?

Does rendering of images in general provide an attack surface? Perhaps the document contains an inline/data-uri image whose contents are somehow malicious but this cannot reasonably be detected by an application whose scope is to simply trade HTML for a rendered PDF. Do images need to be disabled entirely to safely use wkhtmltopdf?
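The allowlist approach the second question asks about, as an added example that is not part of the post or of wkhtmltopdf: a parser-based sanitizer that keeps only structural tags and a few attributes, drops every element that can reference an external resource or carry CSS, and admits images only as inline data: URIs of a few formats (so http, https, ftp and file references never reach the renderer). It addresses the external-resource class only; a memory-safety bug in an image decoder or the HTML parser itself is outside what sanitization can do, which is why the allowed image formats are kept small. The tag and attribute sets and the function names are this example's assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist: structural/text tags only. No <a>, <link>, <style>, <iframe>, <object>,
# and no style= attribute, so nothing in the output can reference an external URI.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "h1", "h2", "h3",
                "ul", "ol", "li", "table", "thead", "tbody", "tr", "td", "th",
                "div", "span", "img"}
ALLOWED_ATTRS = {"img": {"src", "alt", "width", "height"},
                 "td": {"colspan", "rowspan"}, "th": {"colspan", "rowspan"}}
VOID_TAGS = {"br", "img"}
# Elements whose text content is discarded as well, not just their tags.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "svg",
                     "math", "form", "noscript", "template"}
# Inline images only, and only these formats; any other src is dropped.
ALLOWED_IMAGE_MIME = {"image/png", "image/jpeg", "image/gif"}


def safe_image_src(src):
    """True only for data:<allowed mime>;base64,<payload> URIs."""
    if not src:
        return False
    src = src.strip()
    if not src.lower().startswith("data:"):
        return False
    header, sep, _payload = src[5:].partition(",")
    if not sep:
        return False
    mime, _, params = header.partition(";")
    return mime.lower() in ALLOWED_IMAGE_MIME and params.lower() == "base64"


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is kept
        attrs = dict(attrs)
        if tag == "img" and not safe_image_src(attrs.get("src")):
            return  # external or non-image src: drop the whole element
        kept = "".join(
            f' {name}="{escape(value or "", quote=True)}"'
            for name, value in attrs.items()
            if name in ALLOWED_ATTRS.get(tag, set()))
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    # Comments, doctype and processing instructions: the default handlers emit nothing.


def sanitize(untrusted_html: str) -> str:
    """Return a re-serialized document containing only allowlisted markup."""
    parser = AllowlistSanitizer()
    parser.feed(untrusted_html)
    parser.close()
    return "".join(parser.out)


# Constructed sample input exercising each rule.
SAMPLE_INPUT = ('<p onclick="x">Hi <script>alert(1)</script>'
                '<img src="http://example.org/x.png">'
                '<img src="data:image/png;base64,AAAA" alt="a">'
                '<iframe src="https://example.org/"></iframe>'
                '<a href="https://example.org/">link</a> 1 &lt; 2</p>')

if __name__ == "__main__":
    print(sanitize(SAMPLE_INPUT))
```

Because the output is re-serialized from the parser's view of the document rather than patched with regular expressions, the renderer only ever sees markup the sanitizer itself wrote. CSS is dropped entirely here; a property/value allowlist would be a further step.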

What is the current state of the art vulnerability scanner? [closed]

I want to use my spare time to fiddle around with Metasploitable 2 a little, so I did a fresh installation of a Kali VM.

What confuses me is that there seems to be no vulnerability scanner on board anymore? If I remember correctly, a few years ago Kali was shipped with OpenVAS, NeXpose and Nessus.

I did some quick research into which tool is the current state of the art but only found very old and outdated information. As far as I can see, Nexpose is now commercial without a community version?

What is the current state of the art vulnerability scanner, and why isn't it shipped in Kali anymore?

Chrome Vulnerabilities are detected in vulnerability scan even after upgraded with latest versions

Had a few Chrome vulnerabilities [CVE-2020-6420] detected by BI (Retina). Upgraded the affected machines to Chrome version 84.0.4147.89. After a re-scan, the same vulnerabilities are still detected.

Has anyone experienced this before? Please help to resolve it.

File Upload Vulnerability SVG

I am currently doing a bug bounty program and was testing the company’s file upload functionality. After meddling with the functionality for a while, I was able to change the extension of the uploaded file to ‘.svg’ using Burp Suite. I have read tons of articles saying that .svg files are equal to XSS. In my case I was not able to fully upload an SVG file, since the server is checking the content of the file. I have changed the ‘Content-Type’ to image/svg and the file is uploaded, but when I change the content of the file to XML tags, the server denies my upload. I found out that in order for the file to be uploaded successfully, the beginning of the content should be ‘…JFIF’, which is metadata describing that the content is JPEG/PNG and is interchangeable. I have tried appending the SVG XML tags after the metadata and have successfully uploaded it to the server, but when the image is opened, a square image appears and my XML tags are not being executed.

Is there any way I could bypass this image content check to be able to execute XML? Is there any metadata for SVG perhaps?
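From the server's side, the check described in the post above (a JFIF prefix at the start of the body) is a magic-byte check, and the post shows its limit: bytes appended after a valid-looking header pass it. The added example below is not from the post or the target; it validates an upload by walking the JPEG or PNG structure and rejecting any file that has bytes after the terminating marker (JPEG EOI, PNG IEND) or whose declared type is not on the allowlist. The samples are constructed byte strings that are structurally valid but are not real pictures; the function names are this example's assumptions.

```python
JPEG_EOI, JPEG_SOS = 0xD9, 0xDA
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def is_well_formed_jpeg(data: bytes) -> bool:
    """Walk JPEG segments: SOI first, EOI as the very last two bytes, nothing after."""
    if data[:2] != b"\xff\xd8":
        return False
    i = 2
    while i + 2 <= len(data):
        if data[i] != 0xFF:
            return False
        marker = data[i + 1]
        if marker == 0xFF:                      # fill byte between markers
            i += 1
            continue
        if marker == JPEG_EOI:
            return i + 2 == len(data)           # trailing data after EOI is rejected
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:
            i += 2                              # standalone markers carry no length
            continue
        if i + 4 > len(data):
            return False
        seg_len = int.from_bytes(data[i + 2:i + 4], "big")
        if seg_len < 2:
            return False
        i += 2 + seg_len
        if marker == JPEG_SOS:
            # Entropy-coded data: scan to the next real marker (skip FF00 stuffing, RSTn).
            while i + 1 < len(data):
                if data[i] == 0xFF and data[i + 1] != 0x00 and not (0xD0 <= data[i + 1] <= 0xD7):
                    break
                i += 1
    return False


def is_well_formed_png(data: bytes) -> bool:
    """Walk PNG chunks: signature first, IEND as the final chunk, nothing after."""
    if data[:8] != PNG_SIGNATURE:
        return False
    i = 8
    while i + 8 <= len(data):
        length = int.from_bytes(data[i:i + 4], "big")
        chunk_type = data[i + 4:i + 8]
        i += 8 + length + 4                     # header + data + CRC
        if chunk_type == b"IEND":
            return i == len(data)
    return False


# Declared type must be on the allowlist AND the body must parse as that type.
ALLOWED_TYPES = {"image/jpeg": is_well_formed_jpeg, "image/png": is_well_formed_png}


def validate_image_upload(data: bytes, declared_type: str) -> tuple[bool, str]:
    checker = ALLOWED_TYPES.get(declared_type.strip().lower())
    if checker is None:
        return False, "content type not allowed"
    if not checker(data):
        return False, "body is not a well-formed " + declared_type
    return True, "ok"


# Constructed samples: minimal valid structure, not real pictures.
SAMPLE_JPEG = (b"\xff\xd8"                                                   # SOI
               + b"\xff\xe0" + (16).to_bytes(2, "big")                       # APP0, length 16
               + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"  # SOS
               + b"\x12\x34\xff\x00\x56"                                     # entropy data
               + b"\xff\xd9")                                                # EOI
SAMPLE_PNG = (PNG_SIGNATURE
              + (13).to_bytes(4, "big") + b"IHDR" + b"\x00" * 13 + b"\x00" * 4  # CRC not checked here
              + (0).to_bytes(4, "big") + b"IEND" + b"\xaeB`\x82")

if __name__ == "__main__":
    print(validate_image_upload(SAMPLE_JPEG, "image/jpeg"))
    print(validate_image_upload(SAMPLE_JPEG + b"<!-- appended -->", "image/jpeg"))
```

A structural walk like this is cheap and catches the appended-payload case; re-encoding the image with an image library and serving uploads with an exact Content-Type and X-Content-Type-Options: nosniff from a separate origin are the usual complements.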

Is this a remote code execution vulnerability?

I am planning to evaluate and install publicly available software.

https://github.com/opensemanticsearch/open-semantic-search

While reviewing the issues on github, there is an issue open which indicates possible remote code execution for Solr with screenshots.

https://github.com/opensemanticsearch/open-semantic-search/issues/285

I have no idea about security vulnerabilities and hoping this is the correct forum to ask experts. Do you think this is a security vulnerability and one should avoid using the software until fixed?

Is there a security vulnerability in setting a public DNS entry to a private IP Address?

I recently set up a wireguard server-network configuration with a home server and client devices. I have one main domain that I hope to route everything through via subdomains (in this example, abc.domain.com, def.domain.com, etc.). I hope to use nginx to do this routing.

Is it possible/secure/recommended to register a private IP address (specifically of my home server within the wireguard network, i.e. 10.27.0.1/24) in a public DNS (e.g. Google DNS), so that if you run ping abc.domain.com you would get back 10.27.0.1? I found a few questions that are close to this one (this one covers private IPs in public DNS for MX records, this one talks about having A records without much mention of VPN), and the overall picture I get from these links is that it is possible, but not technically perfect, since a hacker gets a small piece of info about your local network (the wireguard network is 10.27.0.1/24… isn’t this relatively a moot point given it’s behind wireguard, assuming I have all of the usual safety checks in place (no remote ssh (root or otherwise) unless on the wireguard network, fail2ban, no password authentication for ssh, etc.))?

This IP (10.27.0.1) would only be accessible through the wireguard network, so I don’t think it would expose the services to the internet. I want to do this so that I don’t have to set up local DNS entries on each device, as I don’t believe this is possible on a phone, and it would be ideal to make one change [i.e. set the DNS entry to 10.27.0.1] and then have each device just run a simple DNS query for abc.domain.com. This would also have the added benefit of only opening the wireguard port, and keeping the firewall closed for 80 + 443.

A corollary of this question is how best to manage certs/SSL if this is possible? I managed to get certbot working by temporarily exposing port 80 on my server to acquire the certs for abc.domain.com, and then closing 80 to only access the webserver via wireguard through the wireguard port + nginx. I can already see one downside to this method – having to manually open port 80 every time certbot wants to get new certificates (I believe by default this is every 60 days). I understand that wireguard is approximately as secure as SSL/HTTPS, but for my personal OCD I would prefer to have the connection secured through https on top of wireguard. I’m somewhat iffy on the details of managing certs for wildcards, but could I do it with my main domain.com (that is pointing to an internet-facing site) and have it propagate to the subdomains, allowing it to be renewed through that? (this question seems to indicate so)

My goal long term is to expand this into a network that includes family/close friends as a type of ‘intranet’ for sharing photos and using other self-hosted services.

My nginx config file (abc.conf) looks something like this:

server {
    server_name abc.domain.com;
    # DNS Entry of abc.domain.com is 10.27.0.1, which is the local IP for the wireguard network
    # SHOULD NOT be accessible outside of wireguard network

    location / {
        proxy_pass http://127.0.0.1:8000; # Redirects to local service on port 8000
    }

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot

    # SSL Certs provided by certbot [removed manually]
    # .
    # .
    # .
}
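The "SHOULD NOT be accessible outside of wireguard network" comment in the config above is enforced there only by the firewall: listen 443 and listen [::]:443 bind on every interface. The added example below is not the post's config; it binds the vhost to the wireguard address from the post (10.27.0.1) and adds an allow/deny pair for the wireguard subnet (assumed 10.27.0.0/24) as a second layer. The certificate paths are certbot's default live directory, assumed here.

```nginx
server {
    server_name abc.domain.com;

    # Bind to the wireguard interface address only, not 0.0.0.0 / [::],
    # so the listener never exists on the public interface.
    listen 10.27.0.1:443 ssl;

    # Defence in depth: if a firewall rule for 443 is ever opened by mistake,
    # only peers in the wireguard network (assumed 10.27.0.0/24) are served.
    allow 10.27.0.0/24;
    deny  all;

    # certbot's default certificate location (assumed)
    ssl_certificate     /etc/letsencrypt/live/abc.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/abc.domain.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8000; # local service on port 8000
    }
}
```

With the listener bound to the wireguard address there is no port-80 vhost at all; renewals then go through the DNS-01 challenge (a certbot DNS plugin for the domain's provider), which never needs an inbound port and also covers a wildcard for the subdomains.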