The 404handler is vulnerable to reflected Cross-Site Scripting.
An attacker can leverage this vulnerability by distributing malicious links to application users. If a logged-in user follows the malicious link, the attacker can, for example, hijack the victim's session, perform actions in the application using the victim's identity, modify content visible to the victim, or even compromise the victim's workstation using exploits against the victim's browser or plugins.
The attacker can craft malicious links by tampering with the ‘searchWord’, ‘newUrl’ and ‘oldUrl’ parameters. Once clicked, the link will trigger the execution of an attacker-provided JavaScript payload:
“searchWord” payload:
http://episerver_site_name/EPiServer/BVNetwork.404Handler/NotFoundRedirect/Delete?preferredNamespace=BVNetwork.NotFound.Controllers&gadgetId=b81a21f5-1d99-4565-a229-bf6253c9bd84&oldUrl=test&pageNumber=1&searchWord=s6h5d%3cscript%3ealert(1)%3c%2fscript%3ey6gds&pageSize=30&dojo.preventCache=1583144461573
“oldUrl” payload:
http://episerver_site_name/EPiServer/BVNetwork.404Handler/NotFoundRedirect/Save?oldUrl=test%3cscript%3ealert(2)%3c%2fscript%3e&newUrl=asdbo03y%3cscript%3ealert(1)%3c%2fscript%3eaafnxrvud14&gadgetId=b81a21f5-1d99-4565-a229-bf6253c9bd84
The following recommendations should be applied:
• Input validation
• Output filtering
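The two recommendations above, sketched in C# as an added example that is not code from the 404handler project: the class and method names (`RedirectInputGuard`, `IsAcceptableUrl`, `NormalizeSearchWord`, `EncodeForHtml`) are hypothetical, and it assumes redirect URLs are either site-relative paths or absolute http(s) URLs and that the values are reflected into an HTML context.

```csharp
using System;
using System.Net;

// Added example: hypothetical helper, not part of the 404handler code base.
public static class RedirectInputGuard
{
    private const int MaxUrlLength = 2048;   // assumed limit
    private const int MaxSearchLength = 200; // assumed limit

    // Input validation for oldUrl / newUrl: reject markup and control characters,
    // then accept only site-relative paths or absolute http(s) URLs (assumption).
    public static bool IsAcceptableUrl(string value)
    {
        if (string.IsNullOrWhiteSpace(value) || value.Length > MaxUrlLength)
            return false;
        foreach (char c in value)
        {
            if (c == '<' || c == '>' || c == '"' || c == '\'' || char.IsControl(c))
                return false;
        }
        if (value.StartsWith("/", StringComparison.Ordinal))
            return !value.StartsWith("//", StringComparison.Ordinal);
        return Uri.TryCreate(value, UriKind.Absolute, out Uri uri)
            && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps);
    }

    // searchWord is free text, so validation only bounds it; safety comes from encoding.
    public static string NormalizeSearchWord(string value)
    {
        string trimmed = (value ?? string.Empty).Trim();
        return trimmed.Length <= MaxSearchLength ? trimmed : trimmed.Substring(0, MaxSearchLength);
    }

    // Output filtering: HTML-encode every reflected value at the point of output.
    public static string EncodeForHtml(string value)
    {
        return WebUtility.HtmlEncode(value ?? string.Empty);
    }

    public static void Main()
    {
        // Constructed samples: decoded forms of the markers in the reported parameters.
        string searchWord = "s6h5d<script>alert(1)</script>y6gds";
        string oldUrl = "test<script>alert(2)</script>";

        Console.WriteLine(EncodeForHtml(NormalizeSearchWord(searchWord)));
        Console.WriteLine("oldUrl accepted: " + IsAcceptableUrl(oldUrl));
        Console.WriteLine("/old-page accepted: " + IsAcceptableUrl("/old-page"));
    }
}
```

Encoding at output is the control that closes the reflection; the URL check narrows what is stored or echoed but should not be relied on alone.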