Am I under attack? Blind XSS

hibiskus

Active member
I have 5 errors with MySQL query error [1615]: Prepared statement needs to be re-prepared and in one of them i found this URL in a string value: http://hitjsekylxorn.bxss.me/

The TLD bxss.me forwards to acunetix.com which is service to detect out-of-band vulnerabilities.

What I am most afraid is that this a short form of blind xss:

Overview of Blind Cross-site Scripting​

Blind XSS vulnerabilities are a variant of persistent XSS vulnerabilities. They occur when the attacker input is saved by the web server and executed as a malicious script in another part of the application or in another application. For example, an attacker injects a malicious payload into a contact/feedback page and when the administrator of the application is reviewing the feedback entries the attacker’s payload will be loaded. The attacker input can be executed in a completely different application (for example an internal application where the administrator reviews the access logs or the application exceptions).

Example of web applications and web pages where blind XSS attacks can occur:

  • Contact/Feedback pages
  • Log viewers
  • Exception handlers
  • Chat applications / forums
  • Customer ticket applications
  • Web Application Firewalls
  • Any application that requires user moderation
These types of vulnerabilities are much harder to detect compared to other reflected XSS vulnerabilities where the input is reflected immediately. In the case of blind XSS, the attacker’s input can be saved by the server and only executed after a long period of time when the administrator visits the vulnerable dashboard page. It can take hours, days, or even weeks until the payload is executed. Therefore, this type of vulnerabilities in web applications cannot be tested as other types of XSS vulnerabilities and they pose a challenge for web security (web application security), penetration testing, and security testing in general. Source: https://www.acunetix.com/websitesecurity/detecting-blind-xss-vulnerabilities/

Here the error message:
SQL:
XF\Db\Exception: MySQL query error [1615]: Prepared statement needs to be re-prepared src/XF/Db/AbstractStatement.php:228
Generiert von: Unbekanntes Konto 2 Oktober 2020 um 05:29
Stack-Trace
            -- XFDB=noForceAllWrite
            INSERT INTO xf_session
                (session_id, session_data, expiry_date)
            VALUES
                (?, ?, ?)
            ON DUPLICATE KEY UPDATE
                session_data = VALUES(session_data),
                expiry_date = VALUES(expiry_date)
        
------------

#0 src/XF/Db/Mysqli/Statement.php(196): XF\Db\AbstractStatement->getException('MySQL query err...', 1615, 'HY000')
#1 src/XF/Db/Mysqli/Statement.php(77): XF\Db\Mysqli\Statement->getException('MySQL query err...', 1615, 'HY000')
#2 src/XF/Db/AbstractAdapter.php(94): XF\Db\Mysqli\Statement->execute()
#3 src/XF/Session/DbStorage.php(57): XF\Db\AbstractAdapter->query('
            -- XFDB=noF...', Array)
#4 src/XF/Session/Session.php(215): XF\Session\DbStorage->writeSession('Lot5RlEbkYTXTUH...', Array, 14400, true)
#5 src/XF/Pub/App.php(447): XF\Session\Session->save()
#6 src/XF/App.php(2194): XF\Pub\App->complete(Object(XF\Http\Response))
#7 src/XF.php(391): XF\App->run()
#8 index.php(20): XF::runApp('XF\\Pub\\App')
#9 {main}

Status der Anfrage
array(4) {
  ["url"] => string(342) "/chat/?disable=1&editor_on_top=http://hitjsekylxorn.bxss.me/&hide_bot=1&hide_chatters=1&hide_status=1&image_as_link=1&inverse=1&maximized=1&mention_alert=1&notification[bot]=1&notification[mention]=1&notification[normal]=1&notification[private]=1&&show_ignored=1&sound[bot]=1&sound[mention]=1&sound[normal]=1&sound[private]=1&sound[whisper]=1"
  ["referrer"] => bool(false)
  ["_GET"] => array(12) {
    ["disable"] => string(1) "1"
    ["editor_on_top"] => string(29) "http://hitjsekylxorn.bxss.me/"
    ["hide_bot"] => string(1) "1"
    ["hide_chatters"] => string(1) "1"
    ["hide_status"] => string(1) "1"
    ["image_as_link"] => string(1) "1"
    ["inverse"] => string(1) "1"
    ["maximized"] => string(1) "1"
    ["mention_alert"] => string(1) "1"
    ["notification"] => array(4) {
      ["bot"] => string(1) "1"
      ["mention"] => string(1) "1"
      ["normal"] => string(1) "1"
      ["private"] => string(1) "1"
    }
    ["show_ignored"] => string(1) "1"
    ["sound"] => array(5) {
      ["bot"] => string(1) "1"
      ["mention"] => string(1) "1"
      ["normal"] => string(1) "1"
      ["private"] => string(1) "1"
      ["whisper"] => string(1) "1"
    }
  }
  ["_POST"] => array(0) {
  }
}
 
This particular request url was part of your Siropu chat addon. I reviewed the code and "editor_on_top" in specific is only ever used as a boolean value.

It looks like someone was trying to scan your website for XSS vulnerabilities. It's likely their program was inserting that bxss.me url in every spot it could find one by one until it found a place that caused XSS. "editor_on_top" doesn't look like it can cause XSS.
 
Back
Top Bottom