
Fix/stored xss#3362

Open
RachHavoc wants to merge 5 commits into apache:master from RachHavoc:fix/stored-xss

Conversation

RachHavoc (Contributor) commented Apr 10, 2026
Description

Adds server-side input validation for the technique_name field in AbilityApiManager._validate_ability_data.

Previously, technique_name was accepted as an unconstrained string while id and tactic
were both validated against an alphanumeric allowlist. This inconsistency allowed HTML/script
characters to be stored via POST /api/v2/abilities and PUT /api/v2/abilities/{id},
contributing to a stored XSS vulnerability in the Debrief plugin's technique graph.

A regex allowlist (^[a-zA-Z0-9\s\-_()/.,&:]+$) is applied to technique_name on write,
rejecting values containing < > " ' ; while accepting all legitimate ATT&CK technique names.

Related to: fix/technique-name-xss in mitre/debrief.

Type of change

  • Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

  • Confirmed POST /api/v2/abilities with technique_name containing HTML (e.g.
    "><img src=x onerror=alert(1)>) now returns HTTP 400.
  • Verified the following legitimate ATT&CK technique names are accepted without issue:
    • Command and Scripting Interpreter
    • OS Credential Dumping: /etc/passwd and /etc/shadow
    • Exploitation for Privilege Escalation
    • Man-in-the-Middle
  • Confirmed existing abilities with valid technique names load and update correctly.

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works
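The allowlist described in the PR description, as an added Python example that is not Caldera's own code: it compiles the same character class, applies it with `re.fullmatch` rather than `^...$`, and runs it over the technique names and the HTML payload the description lists. The function names (`is_valid_technique_name`, `validate_ability_write`) and the 200/400 return convention are hypothetical stand-ins for the real `_validate_ability_data` path.

```python
import re

# Allowlist from the PR description: letters, digits, whitespace, and the
# punctuation that real ATT&CK technique names use (- _ ( ) / . , & :).
# Compiled with re.ASCII so \s is plain ASCII whitespace; checked with
# fullmatch so the whole value, not just a prefix, must satisfy the class.
TECHNIQUE_NAME_RE = re.compile(r"[a-zA-Z0-9\s\-_()/.,&:]+", re.ASCII)


def is_valid_technique_name(value) -> bool:
    """True only for a non-empty str made entirely of allowlisted characters."""
    return isinstance(value, str) and TECHNIQUE_NAME_RE.fullmatch(value) is not None


def validate_ability_write(data: dict) -> tuple:
    """Hypothetical stand-in for the server-side check on POST/PUT of an ability.

    Returns (status, body): 200 with the fields unchanged, or 400 with the
    reason. Real code would raise the framework's bad-request error instead.
    """
    name = data.get("technique_name")
    if name is not None and not is_valid_technique_name(name):
        return 400, {"error": "technique_name contains disallowed characters"}
    return 200, data


# Constructed sample inputs: the names the PR lists as legitimate, plus the
# payload it reports is now rejected. None of this is captured API traffic.
LEGITIMATE_NAMES = [
    "Command and Scripting Interpreter",
    "OS Credential Dumping: /etc/passwd and /etc/shadow",
    "Exploitation for Privilege Escalation",
    "Man-in-the-Middle",
]
XSS_PAYLOAD = '"><img src=x onerror=alert(1)>'


def run_checks() -> dict:
    """Summarise which sample inputs pass, for the reader and for the test."""
    return {
        "legitimate_accepted": all(is_valid_technique_name(n) for n in LEGITIMATE_NAMES),
        "payload_rejected": not is_valid_technique_name(XSS_PAYLOAD),
        "payload_status": validate_ability_write({"technique_name": XSS_PAYLOAD})[0],
        "empty_rejected": not is_valid_technique_name(""),
        "non_string_rejected": not is_valid_technique_name(["T1059"]),
        "missing_field_ok": validate_ability_write({"id": "abc123"})[0] == 200,
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

Two points a reviewer would check against this: the class rejects `=`, `<`, `>`, `"`, `'` and `;` outright, and because `;` is excluded a stored value cannot form a complete HTML entity even though `&` stays allowed; and since the description pairs this change with a fix on the Debrief side, the allowlist is defense in depth, not a substitute for encoding the value where the technique graph renders it.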
deacon-mp and others added 3 commits April 3, 2026 17:38
…ismatch

- Add data/cookie_storage to DATA_FILE_GLOBS so --fresh removes it
- Catch SystemExit in auth_svc when file_svc._read() fails to decrypt
  stale cookie_storage; regenerate session key instead of crashing
- Add tests: DATA_FILE_GLOBS membership + stale cookie recovery

Fixes crash when switching between --insecure and secure mode after
PR apache#3264 introduced persistent session cookies.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
azure-pipelines:
1 pipeline(s) were filtered out due to trigger conditions.
sonarqubecloud:

Quality Gate failed

Failed conditions
0.0% Coverage on New Code (required ≥ 80%)
