The Sahi Pro web interface is vulnerable to stored XSS. Exploiting this bug requires prior knowledge of the end-to-end flow and basic Sahi Pro scripting.
Sahi Pro has some interesting features, among them a web application interface that aggregates the reports of all Sahi script executions. This web reports module was found to be vulnerable to stored cross-site scripting.
Proof of concept:
Fig 1 : Sahi script containing the XSS payload
We created a simple Sahi script that uses the _testcase API:
// Both the testcase ID and the description end up in the web report
var $tc1 = _testcase("TC-1", "<script>alert(document.cookie)</script>").start();
_log("testing stored XSS injection");
According to the documentation, the _testcase API accepts two parameters: the test case ID and the test case description. Both values are rendered back, unescaped, in the web reports, which is what triggers the XSS. Save the file as "filename.sah" and execute the script from the Sahi Controller.
Fig 2 : Executing the script in the Controller
Now navigate to the report for that execution in the web report console; the stored payload fires.
Fig 3, 4 : Stored XSS triggering
A malicious low-privileged user who can run scripts can use this to steal the session or credentials of an administrator viewing the password-protected web reports, since the payload executes in the viewer's browser.
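To make the sink and the fix concrete, the following is an added example written for this post; it is not Sahi Pro's own code and the report HTML shape, the function names and the regex-based extraction of _testcase arguments are assumptions for illustration. It takes the PoC script above as constructed input, renders the ID and description the way a vulnerable report would (raw interpolation), renders them again with HTML output encoding, and also shows a pre-execution screen that flags testcase arguments carrying HTML metacharacters.

```javascript
// Added example, not Sahi Pro's code. Models a report page that interpolates
// _testcase(id, description) values into HTML, first unescaped (the stored XSS
// sink this post describes) and then with contextual HTML encoding applied.
// Report markup, function names and the .sah extractor are assumptions.

// Constructed input: the PoC script from this post as saved in filename.sah
const POC_SAH_SOURCE = [
  'var $tc1 = _testcase("TC-1","<script>alert(document.cookie)</script>").start();',
  '_log("testing stored XSS injection");',
].join("\n");

// Pull every _testcase(id, description) call with double-quoted string-literal
// arguments out of a script. A plain regex, not a real Sahi parser; it is
// enough for literals like the PoC's and is an assumption about script shape.
function extractTestcases(sahSource) {
  const re = /_testcase\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)/g;
  const found = [];
  let m;
  while ((m = re.exec(sahSource)) !== null) {
    found.push({ id: m[1], description: m[2] });
  }
  return found;
}

// Vulnerable rendering: attacker-controlled strings go straight into the HTML.
function renderRowUnsafe(tc) {
  return `<tr><td>${tc.id}</td><td>${tc.description}</td></tr>`;
}

// Output encoding for the HTML element-content context the values land in.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Fixed rendering: each untrusted value is encoded before interpolation.
function renderRowSafe(tc) {
  return `<tr><td>${escapeHtml(tc.id)}</td><td>${escapeHtml(tc.description)}</td></tr>`;
}

// Crude regression check on rendered report output: does it still contain a
// script tag, an inline event handler attribute, or a javascript: URL?
function containsActiveContent(html) {
  return /<script\b|\bon[a-z]+\s*=|javascript:/i.test(html);
}

// Pre-execution screening of a .sah file: flag testcase IDs or descriptions that
// carry HTML metacharacters, since both strings are stored and later rendered.
function findRiskyTestcaseArgs(sahSource) {
  const meta = /[<>"'&]/;
  return extractTestcases(sahSource).filter(
    (tc) => meta.test(tc.id) || meta.test(tc.description)
  );
}

function demo() {
  const [tc] = extractTestcases(POC_SAH_SOURCE);
  console.log("unsafe row :", renderRowUnsafe(tc));
  console.log("active?    :", containsActiveContent(renderRowUnsafe(tc)));
  console.log("safe row   :", renderRowSafe(tc));
  console.log("active?    :", containsActiveContent(renderRowSafe(tc)));
  console.log("risky args :", findRiskyTestcaseArgs(POC_SAH_SOURCE));
}

demo();
```

The fix is output encoding at the rendering layer, not rejecting the input: a test case description legitimately may contain angle brackets, and the screening function is only a cheap pre-flight check for shared automation environments, not a replacement for encoding in the report generator.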
Disclosure timeline:
Reported on: 8 December 2018
Affected versions: all versions of Sahi Pro up to and including 8.x (web application automation)
Vendor website: https://sahipro.com/