I’m writing about a stored XSS that I found in the UniFi Controller v4.8.12.
I was checking the UniFi website for possible bugs but was not able to find anything good there, so I started playing with the UniFi Controller and a Ubiquiti device that I got from UBNT for testing.
I started looking for XSS in the controller but found nothing!! 🙁
I decided to search further, in the devices DB. When I plugged in a UniFi AP AC Lite, I found that the controller doesn’t filter device names for HTML special characters.
Step 1: Download the UniFi v4.8.12 Controller (any OS should work).
Step 2: Open the UniFi Controller; it will take a few seconds to start.
Step 3: Now set up your server by providing an admin name, password, etc.
Step 4: Plug in your UniFi AP AC Lite (any UniFi equipment should work).
Step 5: Change your device name to an XSS payload; in my case I’m using
"><img src=x onerror=prompt(1)>
Step 6: Go to Statistics and boom, the XSS will prompt.
Step 7: $$$ Profit!!!
I’ve attached a screenshot of the same.
There isn’t any filter applied to this user input, so the flaw could be exploited widely.
There isn’t any direct attack here, because the attacker needs to be an admin; otherwise they would be unable to change device names. However, an attacker who is an admin could use this to attack other admins.
One possible use is to steal another admin’s password. Since the password is hashed in the database, the attacker could instead capture it through the XSS (for example with a prompt or a fake login page) and try it against other services; if the victim reuses passwords (which you shouldn’t), those services can be exploited too.
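As an added example (not the UniFi Controller's own code), here is the output-escaping step that the Statistics page is missing, shown beside the vulnerable rendering pattern, plus a small check for flagging already-stored device names that carry markup; the device fields and sample records are constructed.

```javascript
// Added example, not code from the UniFi Controller: the missing step is
// HTML-escaping the stored device name where the Statistics page renders it.
// Device fields (name, mac) and the sample records below are constructed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored name is interpolated straight into the markup,
// so a name like "><img src=x onerror=prompt(1)> becomes live HTML.
function renderDeviceRowUnsafe(device) {
  return `<tr><td title="${device.name}">${device.name}</td><td>${device.mac}</td></tr>`;
}

// Hardened pattern: every untrusted field is escaped on output, so the same
// name is displayed literally and the browser never sees an <img> element.
function renderDeviceRowSafe(device) {
  const name = escapeHtml(device.name);
  return `<tr><td title="${name}">${name}</td><td>${escapeHtml(device.mac)}</td></tr>`;
}

// Review helper for names already in the devices DB: flags values that carry
// HTML metacharacters or an inline event handler, which a device name never needs.
function looksLikeMarkup(name) {
  return /[<>"']|\bon\w+\s*=/i.test(String(name));
}

// Constructed sample records: the payload from this write-up and a benign name.
const SAMPLE_DEVICES = [
  { name: '"><img src=x onerror=prompt(1)>', mac: '00:11:22:33:44:55' },
  { name: 'Office AP', mac: '00:11:22:33:44:66' },
];

for (const device of SAMPLE_DEVICES) {
  console.log(looksLikeMarkup(device.name) ? 'SUSPECT' : 'ok     ', renderDeviceRowSafe(device));
}
```

The unsafe row shows the payload exactly as the controller emitted it; the safe row renders the same stored value as inert text, which is the fix the controller needed rather than any input filtering.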
Special Thanks To: @93c08539