[Precogs Alert] Cross-Site Scripting (XSS) detected (CWE-79, Risk: High)

Vulnerability Details

  • File Path: assets/js/script.js
  • Vulnerability Type: Cross-Site Scripting (XSS)
  • Risk Level: High

Explanation:
The code directly injects values from the JSON file (project.type, project.title, project.description, project.link) into the DOM using innerHTML without any sanitization or escaping. If an attacker can control the contents of config.json (e.g., via a supply chain attack, misconfigured server, or compromised deployment), they could inject malicious HTML or JavaScript. This would execute in the context of the user's browser, leading to a stored XSS vulnerability. Even if the JSON is not user-controlled, defense-in-depth requires sanitizing all untrusted data before injecting it into the DOM.

Attack Scenario: An attacker manages to inject the following payload into the project.title field in config.json: <img src=x onerror=alert(1)>. When a user loads the page, this code is executed, demonstrating XSS. More sophisticated payloads could steal cookies, perform actions as the user, or deface the site.

Potential Impact: An attacker could execute arbitrary JavaScript in the context of the site, leading to session hijacking, credential theft, defacement, or further attacks against users (Confidentiality, Integrity, and Availability all at risk).

Please investigate and resolve this issue to maintain code security and quality.