From 3a70d69f29ca14bf08c496ecef5b2a499795ed41 Mon Sep 17 00:00:00 2001 From: cubernetes Date: Fri, 14 Apr 2023 07:46:33 +0200 Subject: [PATCH] No escape for easy xss --- webserver/database/logs/blue.json | 2 +- webserver/database/logs/red.json | 2 +- webserver/database/temp/sim_start.txt | 2 +- webserver/main.py | 2 -- webserver/templates/main/dashboard_main1.html | 3 +-- 5 files changed, 4 insertions(+), 7 deletions(-) diff --git a/webserver/database/logs/blue.json b/webserver/database/logs/blue.json index d69a2e6..95836ad 100644 --- a/webserver/database/logs/blue.json +++ b/webserver/database/logs/blue.json @@ -1 +1 @@ -[{"data": "archtosu@172.23.7.203: echo hi\n", "timestamp": "1681450590"}, {"data": "archtosu@172.23.7.203: ls\n", "timestamp": "1681450591"}, {"data": "archtosu@172.23.7.203: x\n", "timestamp": "1681450591"}, {"data": "archtosu@172.23.7.203: ls\n", "timestamp": "1681450593"}] \ No newline at end of file +[{"data": "archtosu@172.23.7.203: ./auto.sh", "timestamp": "1681451149"}, {"data": "Snort: Intrusion Detected!", "timestamp": "1681451149"}, {"data": "archtosu@172.23.7.203: mv auto.sh blueteam1.sh", "timestamp": "1681451169"}, {"data": "archtosu@172.23.7.203: git s", "timestamp": "1681451171"}, {"data": "archtosu@172.23.7.203: git status", "timestamp": "1681451173"}] \ No newline at end of file diff --git a/webserver/database/logs/red.json b/webserver/database/logs/red.json index 4364302..47f38c1 100644 --- a/webserver/database/logs/red.json +++ b/webserver/database/logs/red.json @@ -1 +1 @@ -[{"data": "141.89.221.182: start of attack", "timestamp": "1681450591"}, {"data": "141.89.221.182: command 0: ATTACK", "timestamp": "1681450591"}, {"data": "141.89.221.182: command 1: ATTACK", "timestamp": "1681450592"}, {"data": "141.89.221.182: command 2: ATTACK", "timestamp": "1681450592"}, {"data": "141.89.221.182: command 3: ATTACK", "timestamp": "1681450592"}, {"data": "141.89.221.182: command 4: ATTACK", "timestamp": "1681450592"}, {"data": "141.89.221.182: command 5: ATTACK", "timestamp": "1681450592"}, {"data": "141.89.221.182: command 6: ATTACK", "timestamp": "1681450592"}, {"data": "141.89.221.182: command 7: ATTACK", "timestamp": "1681450592"}, {"data": "141.89.221.182: command 8: ATTACK", "timestamp": "1681450592"}, {"data": "141.89.221.182: command 9: ATTACK", "timestamp": "1681450592"}, {"data": "141.89.221.182: command 10: ATTACK", "timestamp": "1681450593"}] \ No newline at end of file +[{"data": "141.89.221.182: Start of post-exploitation", "timestamp": "1681451149"}] \ No newline at end of file diff --git a/webserver/database/temp/sim_start.txt b/webserver/database/temp/sim_start.txt index 956e1f1..a0f9269 100644 --- a/webserver/database/temp/sim_start.txt +++ b/webserver/database/temp/sim_start.txt @@ -1 +1 @@ -1681450588 \ No newline at end of file +1681451148 \ No newline at end of file diff --git a/webserver/main.py b/webserver/main.py index 9376c20..5cc892a 100755 --- a/webserver/main.py +++ b/webserver/main.py @@ -15,7 +15,6 @@ from shutil import copyfile from werkzeug.middleware.shared_data import SharedDataMiddleware from oauthlib.oauth2 import WebApplicationClient from discord_webhook import DiscordWebhook, DiscordEmbed -from base64 import b64decode STARTED = 0 @@ -313,7 +312,6 @@ def api_red_logs(): def api_blue_logs(): global STARTED temp_json_n = request.json - temp_json_n['data'] = b64decode(temp_json_n['data']).decode('utf-8') if STARTED: with open('./database/logs/blue.json') as f: diff --git a/webserver/templates/main/dashboard_main1.html b/webserver/templates/main/dashboard_main1.html index d317166..4dc3578 100644 --- a/webserver/templates/main/dashboard_main1.html +++ b/webserver/templates/main/dashboard_main1.html @@ -1564,8 +1564,7 @@ timestamp_h2 = document.createElement('h2'); data_tag = document.createElement('p'); timestamp_txt = document.createTextNode(to_min_s(document.getElementById('simstart').getAttribute('data-start'), data_entry.timestamp)); - data_txt = document.createTextNode(data_entry.data); - data_tag.appendChild(data_txt); + data_tag.innerHTML = data_entry.data; timestamp_h2.appendChild(timestamp_txt); container.appendChild(timestamp_h2); container.appendChild(data_tag);