CVE-2017-6396
📋 TL;DR
CVE-2017-6396 is a cross-site scripting (XSS) vulnerability in WebPageTest 3.0 that allows attackers to inject malicious HTML and scripts via the compare-cf.php endpoint. This affects any organization running the vulnerable WebPageTest version, potentially compromising user sessions and website integrity.
💻 Affected Systems
- WPO-Foundation WebPageTest
📦 What is this software?
Webpagetest by Webpagetest Project
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, deface websites, or redirect users to malicious sites, leading to full account compromise and data theft.
Likely Case
Session hijacking, credential theft, or website defacement through injected malicious scripts that execute in users' browsers.
If Mitigated
Limited impact with proper input validation, output encoding, and Content Security Policy (CSP) headers preventing script execution.
🎯 Exploit Status
Exploitation requires user interaction (visiting a malicious link) but is straightforward, with a public proof-of-concept available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 3.0
Vendor Advisory: https://github.com/WPO-Foundation/webpagetest/issues/820
Restart Required: No
Instructions:
1. Upgrade WebPageTest to the latest version.
2. Apply the input validation and output encoding fixes from GitHub issue #820.
3. Test the compare-cf.php endpoint for XSS vulnerabilities.
🔧 Temporary Workarounds
Input Validation Filter
Add server-side input validation to sanitize user-supplied data before processing in compare-cf.php
# Modify webpagetest-master/www/compare-cf.php to filter user inputs
# Example: htmlspecialchars($_GET['parameter'], ENT_QUOTES, 'UTF-8')
Content Security Policy
Implement CSP headers to restrict script execution sources
# Add to web server config or PHP header: Content-Security-Policy: default-src 'self'
🧯 If You Can't Patch
- Disable or restrict access to the compare-cf.php endpoint via web server configuration
- Implement web application firewall (WAF) rules to block XSS payloads targeting the vulnerable endpoint
🔍 How to Verify
Check if Vulnerable:
Test the compare-cf.php endpoint with XSS payloads like <script>alert('XSS')</script> in user-supplied parameters
Check Version:
Check WebPageTest version in configuration files or via web interface
Verify Fix Applied:
Verify that script tags and HTML injections are properly sanitized or escaped in the compare-cf.php output
📡 Detection & Monitoring
Log Indicators:
- Unusual POST/GET requests to compare-cf.php with script tags or encoded payloads
- Multiple failed validation attempts on the vulnerable endpoint
Network Indicators:
- HTTP requests containing <script> tags or javascript: URIs targeting compare-cf.php
SIEM Query:
source="web_server" AND uri="*compare-cf.php*" AND (content="*<script>*" OR content="*javascript:*")
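The log and network indicators above are easy to check by hand once, but a recurring check needs to decode the request before matching: a percent-encoded or double-encoded <script> tag does not contain the literal string "<script>" and would slip past the SIEM query as written. The following Python script is an added example, not code from the WebPageTest project or from this advisory. It parses a few constructed Apache-style access-log lines (sample data, not real traffic), restricts matching to the compare-cf.php endpoint, peels up to three layers of percent-encoding from each query parameter, flags the same two indicator patterns the SIEM query uses, and then counts repeat sources. The log format, the IP addresses and the parameter names (label, url) are assumptions for the sample.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (Apache "combined"-style, trimmed). Not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2017:10:00:01 +0000] "GET /compare-cf.php?a=1&b=2 HTTP/1.1" 200 512
203.0.113.9 - - [01/Mar/2017:10:00:02 +0000] "GET /compare-cf.php?label=%3Cscript%3Ealert('XSS')%3C/script%3E HTTP/1.1" 200 611
198.51.100.7 - - [01/Mar/2017:10:00:03 +0000] "GET /results.php?test=%3Cscript%3E HTTP/1.1" 200 1200
203.0.113.9 - - [01/Mar/2017:10:00:04 +0000] "POST /compare-cf.php HTTP/1.1" 200 300
203.0.113.9 - - [01/Mar/2017:10:00:05 +0000] "GET /compare-cf.php?url=javascript%3Aalert(1) HTTP/1.1" 200 400
203.0.113.9 - - [01/Mar/2017:10:00:06 +0000] "GET /compare-cf.php?label=%253Cscript%253Ealert(1)%253C%2Fscript%253E HTTP/1.1" 200 598
"""

# ip, timestamp, method, request target, status code
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The two indicator patterns from the advisory: a script tag or a javascript: URI.
XSS_RE = re.compile(r'<\s*script\b|javascript\s*:', re.IGNORECASE)


def fully_decode(value, rounds=3):
    """Peel up to `rounds` layers of percent-encoding so double-encoded input still matches."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Return a dict with ip/ts/method/path/params for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl already decodes one layer; fully_decode handles any further layers.
    rec["params"] = [(k, fully_decode(v)) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return rec


def find_suspicious(log_text, endpoint="/compare-cf.php"):
    """Flag requests to `endpoint` whose decoded query parameters match an XSS indicator.

    Caveat: POST bodies are not in access logs, so a POST with the payload in the body
    (line 4 of the sample) is invisible here and needs WAF or request-body logging.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(endpoint):
            continue
        flagged = [name for name, value in rec["params"] if XSS_RE.search(value)]
        if flagged:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"], "params": flagged})
    return hits


def repeat_offenders(hits, threshold=2):
    """Count flagged requests per source IP; sources at or above `threshold` are returned."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} compare-cf.php params={h["params"]}')
    print("repeat sources:", repeat_offenders(found))
```

Against the sample, lines 2, 5 and 6 are flagged (the third only because the decoding loop strips the second encoding layer), line 3 is ignored because it targets a different endpoint, and 203.0.113.9 is reported as a repeat source. Widening the endpoint filter or lowering the threshold trades precision for coverage; the decode depth of three is a defensive limit, not a protocol property.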