Skip to content

Stored XSS Vulnerability in Dwsurvey Survey System #114

Description

@Veigar-L

Stored XSS Vulnerability in Dwsurvey Survey System
Official Website: https://www.diaowen.net/home
Official Demo Site: https://demo.diaowen.net/

Vulnerability Details

The Dwsurvey survey system is affected by a stored cross-site scripting (XSS) vulnerability.
Location 1: Survey Title

1.Create a new survey and set the "Survey Title" to the XSS payload: 
.

Image

2.Saved successfully.
The API for adding a new survey is:
https://demo.diaowen.net/api/dwsurvey/app/survey/add.do
The survey title field is surveyName.

Image

Code Analysis:

Image Image Image

It can be observed that surveyName is obtained directly from the frontend without any filtering.

Image

When accessing the admin panel and selecting Survey Management, the page triggers the following request:

https://demo.diaowen.net/api/dwsurvey/admin/survey/list.do?pageSize=10&current=1

Image

By reviewing the JavaScript that triggers this request, the subsequent processing logic can be located.

Image Image

The response from the backend API is obtained, and each survey record is inserted as a row in the table.

Image

The surveyName value of each record is extracted without escaping HTML tags, and is directly inserted as a DOM node for preview display.

Image Image

As a result, JavaScript is executed on the frontend.

A pop-up window appears, confirming the existence of a stored XSS vulnerability.

Image

The backend code at /api/dwsurvey/admin/survey/list.do also shows no escaping or filtering.

Other locations also exhibit the same issue and can trigger the vulnerability. Some example screenshots are as follows.

Image Image

Multiple functions, such as Design Survey and Preview Survey, share similar logic, so details are omitted here.

Location 2:

Image

When adding a survey question, the same problem exists. If you input the XSS payload:

Image Image

You need to intercept the request and modify the escaped < > characters in the surveyJsonText parameter.

Image Image

As shown in the API code above, the value is also taken directly from the frontend without any escaping or filtering.

Image

After saving successfully, viewing the preview again results in a pop-up window, demonstrating that the output is not sanitized, and the vulnerability persists.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions