Stored XSS in Elastic App Search

High
Elastic
Reported by iamnoooob

Vulnerability Details

Cross-site Scripting (XSS) - Stored
**Summary:** There exists a stored XSS via reference_ui in the "URL" parameter in the latest Elastic App Search v7.6.2 (tested on both cloud and local instances).

**Description:** Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, a message forum, a visitor log, a comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-I XSS.

## Steps To Reproduce:

1. Go to https://cloud.elastic.co/ and log in.
2. Create a deployment by visiting https://cloud.elastic.co/deployments/create.
3. Fill in and select all necessary details, but under the **"Optimize your deployment"** section select **"App Search"** and click Create Deployment.
4. Now go to your deployment and click "Launch" on your App Search instance; you will be taken to something like `https://069c551087be451bb8d1aecb3cf64341.app-search.us-east-1.aws.found.io/login`.
5. Log in with the provided credentials and click **"Create an Engine"**.
6. On the next screen, click **"Paste JSON"** and put this:
   ```
   {
     "url": "blocked://test%0aalert(document.domain)"
   }
   ```
7. Next, go to the "Reference UI" tab in the menu on the left. Under "Title field (optional)" select "url", under "URL field (optional)" also select "url", and finally click "Generate Preview". You will be taken to something like `https://069c551087be451bb8d1aecb3cf64341.app-search.us-east-1.aws.found.io/as/engines/test/reference_application/preview?titleField=url&urlField=url`. {F783219}
8. Press **CTRL + click** or the **middle mouse button** on the title and the XSS will be executed. {F783213}
9. The generated link `https://069c551087be451bb8d1aecb3cf64341.app-search.us-east-1.aws.found.io/as/engines/test/reference_application/preview?titleField=url&urlField=url` can be shared directly with high-privileged users, etc.

## Impact

A low-privileged user with only access to create/index documents can create a document with such evil JSON and send a link to the Reference UI to an Admin/Owner which, when clicked, would lead to Stored XSS.
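The following is an added example and is not code from Elastic App Search, from the Reference UI, or from the report. It illustrates the general pattern behind this class of bug: a value taken from an indexed document (here a field named `url`, as in the report) is rendered straight into a link in the result list, so whatever the document author stored ends up controlling the `href`. Beside the vulnerable renderer is a hardened one that decodes the value, rejects control characters, parses it with the standard `URL` class, and only links schemes on an allowlist; everything else is rendered as plain, escaped text. The functions, the scheme allowlist and the sample documents are constructed for illustration and are not Elastic's fix.

```javascript
// Added example (not Elastic App Search code): safely rendering a
// document-supplied URL field as a link in a search results UI.

// Allowlist of URL schemes a result link may use. Unknown schemes
// (such as the "blocked://" in the report), javascript: and data: are rejected.
const SAFE_SCHEMES = new Set(["http:", "https:"]);

// Returns a normalised href, or null if the value must not become a link.
function safeHref(value) {
  if (typeof value !== "string") return null;

  // Percent-decode first so encoded control characters (e.g. %0a) are caught.
  let decoded;
  try {
    decoded = decodeURIComponent(value);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  // ASCII control characters have no place in a link target.
  if (/[\u0000-\u001f\u007f]/.test(decoded)) return null;

  // Let the platform URL parser decide what the scheme really is.
  let url;
  try {
    url = new URL(value);
  } catch (e) {
    return null; // relative or unparseable values are not linked
  }
  if (!SAFE_SCHEMES.has(url.protocol)) return null;
  return url.href;
}

// Minimal HTML escaping for text and double-quoted attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: document fields interpolated directly into markup.
function renderResultVulnerable(doc) {
  return `<a href="${doc.url}">${doc.title}</a>`;
}

// Hardened pattern: validated href, escaped text, no link for rejected values.
function renderResultHardened(doc) {
  const href = safeHref(doc.url);
  const title = escapeHtml(doc.title);
  if (href === null) {
    return `<span>${title}</span>`;
  }
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${title}</a>`;
}

// Constructed sample documents: one benign, one modelled on the report's payload.
const SAMPLE_DOCS = [
  { title: "Release notes", url: "https://example.com/docs/release-notes" },
  { title: "<img src=x onerror=alert(1)>", url: "blocked://test%0aalert(document.domain)" },
];

function renderAll(docs, renderer) {
  return docs.map(renderer);
}

// Stand-alone usage: print both renderings for comparison.
if (typeof require !== "undefined" && require.main === module) {
  console.log(renderAll(SAMPLE_DOCS, renderResultVulnerable).join("\n"));
  console.log(renderAll(SAMPLE_DOCS, renderResultHardened).join("\n"));
}
```

Rejecting any control character in the decoded value is deliberately stricter than the URL parser alone: a newline or other control byte inside a link target is never legitimate, and dropping the link while still showing the escaped title keeps the result list usable for the viewer without giving the document author control over what the click does.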

Report Details

State

Closed

Substate

Resolved

Bounty

$2000.00

Weakness

Cross-site Scripting (XSS) - Stored