Executive Summary

This vulnerability exists in Dalfox, an open-source XSS scanner, when run in REST API server mode prior to version 2.13.0. The issue arises because the custom-payload-file field is deserialized directly from an attacker’s request without validation and passed to a function that reads lines from any file accessible to the Dalfox process. As a result, an unauthenticated attacker can cause Dalfox to read and exfiltrate arbitrary files from the host system by embedding their contents into outbound HTTP requests.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an unauthenticated network attacker to read and exfiltrate arbitrary files from the Dalfox host system. This can lead to the exposure of sensitive information stored on the host, potentially compromising confidentiality. Since the attacker can access files line-by-line through scan traffic, it poses a significant risk of data leakage.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade Dalfox to version 2.13.0 or later, where the issue has been fixed.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthenticated attackers to read and exfiltrate arbitrary files from the Dalfox host system, leading to a complete confidentiality compromise of sensitive files accessible to the Dalfox process.

Such unauthorized data exposure can result in violations of data protection regulations and standards like GDPR and HIPAA, which mandate strict controls over the confidentiality and integrity of sensitive personal and health information.

Therefore, if Dalfox is used in environments subject to these regulations, exploitation of this vulnerability could lead to non-compliance due to unauthorized disclosure of protected data.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unusual outbound HTTP requests from the Dalfox REST API server that contain payloads derived from local file contents. Since the exploit involves reading arbitrary files line-by-line and sending them as XSS payloads to an attacker-controlled target, network traffic analysis focusing on unexpected data exfiltration patterns is useful.

To detect exploitation attempts, you can look for HTTP requests to the Dalfox REST API server that include the `custom-payload-file` field in the JSON body with suspicious file paths such as `/etc/passwd` or other sensitive files.

Suggested commands to detect potential exploitation attempts include:

• Using network traffic capture tools like tcpdump or Wireshark to filter HTTP POST requests to the Dalfox REST API server and inspect JSON payloads for the `custom-payload-file` field.
• Example tcpdump command to capture HTTP POST requests on port 8080 (replace with actual port): `tcpdump -A -s 0 'tcp dst port 8080 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'`
• Using grep or jq on server logs to search for JSON requests containing `custom-payload-file` with suspicious file paths: `grep -i 'custom-payload-file' /path/to/dalfox/logs | grep -E '/etc/passwd|id_rsa|env'`
• Monitoring Dalfox server logs for unauthenticated API requests that include the `custom-payload-file` parameter.

Useful 0 Not Useful 0