[Precogs Alert] Cross-Site Scripting (XSS) detected (CWE-79, Risk: High)
Vulnerability Details
-
File Path:
assets/js/script.js - Vulnerability Type: Cross-Site Scripting (XSS)
- Risk Level: High
Explanation:
The code directly injects untrusted data from the JSON file (project.type, project.title, project.description, project.link) into the DOM using innerHTML. If an attacker can control the contents of config.json (for example, via a supply chain compromise, misconfigured hosting, or a vulnerable upload process), they could inject malicious HTML or JavaScript. This would execute in the context of the page, leading to a stored XSS vulnerability. Even if config.json is not directly user-controlled, any compromise of its integrity or upstream data source could result in XSS. The use of innerHTML with untrusted data is a well-known XSS vector.
attackScenario: An attacker manages to inject a payload such as <img src=x onerror=alert(1)> into the project.title field in config.json. When a user visits the page, the malicious code is executed in their browser, potentially stealing cookies, session tokens, or performing actions on behalf of the user.
potentialImpact: Confidentiality (theft of sensitive data), Integrity (modification of page content or actions), and Availability (potential for defacement or disruption).
Please review and address the issue accordingly.