XSS Attack Targets Krpano-Powered Websites

Overview
The Krpano Panorama Viewer, a popular framework for rendering 360-degree virtual tours, was recently exploited in a widespread reflected cross-site scripting (XSS) campaign known as 360XSS. A vulnerability tracked as CVE-2020-24901 affected Krpano versions up to 1.20.8. The flaw originated from the framework’s passQueryParameters feature, which allowed attackers to inject untrusted content into viewer configuration files directly through URL parameters.
This flaw enabled attackers to compromise hundreds of high-profile websites across government, academic, real estate, and media sectors. The result: malicious redirections, phishing campaigns, SEO manipulation, and client-side code execution on trusted domains.
How the Exploit Works
Krpano allows viewer configurations to be customized via query parameters when passQueryParameters is enabled. In vulnerable versions, user-controlled values are injected directly into the XML or JavaScript configuration without proper sanitization.
A crafted URL such as https://target.com/viewer/index.html?xml= followed by the attacker's payload would result in that payload being executed in the user's browser. Because the script runs in the context of a legitimate domain, it can manipulate content, hijack sessions, or redirect users without triggering suspicion. This is a textbook example of reflected XSS—except amplified by the scale and reach of the Krpano ecosystem.
Risks and Impact
While XSS is a known class of vulnerability, this instance had broader consequences due to the framework’s widespread adoption and the implicit trust in embedded media.
The 360XSS campaign demonstrated how attackers could automate payload delivery across many sites simultaneously. Scripts were injected to modify visible content and metadata for SEO gain, redirect users to malicious destinations, impersonate brand interfaces, and collect credentials through spoofed forms. In many cases, search engines indexed the maliciously crafted URLs, giving the attack long-term visibility.
Because Krpano-powered pages are often cached or embedded, some of these exploits remained active even after the initial patch was applied, creating a lingering exposure for affected sites.
Detecting XSS in Live Environments
The signs of exploitation are often subtle. Unexpected alerts or pop-ups, strange redirects tied to URL parameters, or altered interface elements are early indicators. Injected iframes or forms, especially those loading external content, should raise red flags.
Unusual URL patterns—such as those containing encoded script tags, base64 strings, or JavaScript URLs—can be found in access logs. Security teams may also notice sudden traffic spikes from bots or repeated use of payload-laden links. Console errors, CSP violations, and WAF alerts with suspicious script references further confirm exploitation.
Another key signal is SEO defacement: site metadata or visible text replaced with irrelevant or spammy keywords, sometimes accompanied by unexpected redirects.
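The log-based indicators above can be checked mechanically. The scanner below is an added example, not code from the article or from Krpano: it pulls the request target out of combined-format access-log lines, percent-decodes it repeatedly (double encoding is common), flags the patterns the text names (script tags, javascript: URLs, inline event handlers, base64 data: URIs) and, for a data: URI, decodes the base64 body and rescans it. The log lines are constructed for the demo, use documentation IP ranges, and the /viewer/ path is illustrative.

```javascript
// Added example, not from the original article: scans access-log lines for the
// reflected-XSS indicators listed in the text. Sample lines are constructed.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "GET /viewer/index.html?xml=tours/lobby.xml HTTP/1.1" 200 5120',
  '203.0.113.8 - - [10/Mar/2025:12:00:02 +0000] "GET /viewer/index.html?xml=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120',
  '198.51.100.3 - - [10/Mar/2025:12:00:03 +0000] "GET /viewer/index.html?xml=javascript:alert(%271%27) HTTP/1.1" 200 5120',
  '198.51.100.4 - - [10/Mar/2025:12:00:04 +0000] "GET /viewer/index.html?xml=data:text/xml;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg== HTTP/1.1" 200 5120',
  '192.0.2.9 - - [10/Mar/2025:12:00:05 +0000] "GET /assets/logo.png HTTP/1.1" 200 2048',
];

// Pull the request target out of a combined-format log line.
function requestPath(line) {
  const m = line.match(/"(?:GET|POST|HEAD) (\S+) HTTP\//);
  return m ? m[1] : null;
}

// Percent-decode repeatedly (payloads are often double-encoded); stop at a
// fixed point or on malformed input, returning the last good decoding.
function fullyDecode(s, rounds = 3) {
  let cur = s;
  for (let i = 0; i < rounds; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch { return cur; }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Indicator name and the pattern that triggers it, checked in this order.
const CHECKS = [
  ['html-tag', /<\s*(script|iframe|img|svg|object|embed|form)\b/i],
  ['javascript-url', /\bjavascript\s*:/i],
  ['event-handler', /\bon[a-z]+\s*=/i],
  ['data-uri', /\bdata:[^,]*;base64,/i],
  ['long-base64', /[A-Za-z0-9+\/]{60,}={0,2}/],
];

function indicatorsFor(path) {
  const decoded = fullyDecode(path);
  const hits = CHECKS.filter(([, re]) => re.test(decoded)).map(([name]) => name);
  // A base64 data: URI hides its markup from the checks above: decode and rescan.
  const b64 = decoded.match(/;base64,([A-Za-z0-9+\/=]+)/i);
  if (b64 && /<\s*script\b/i.test(Buffer.from(b64[1], 'base64').toString('utf8'))) {
    hits.push('base64-decoded-html-tag');
  }
  return hits;
}

// One finding per log line that shows at least one indicator.
function scanLog(lines) {
  const findings = [];
  lines.forEach((line, i) => {
    const path = requestPath(line);
    if (!path) return;
    const indicators = indicatorsFor(path);
    if (indicators.length) {
      findings.push({ lineNo: i + 1, ip: line.split(' ')[0], path, indicators });
    }
  });
  return findings;
}

for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`line ${f.lineNo} ${f.ip}: ${f.indicators.join(', ')}`);
}
```

On the sample input, lines 2, 3 and 4 are flagged and the legitimate tour request and the image fetch are not. The long-base64 threshold is deliberately high so that ordinary tokens in query strings do not trip it; tune it against your own logs before alerting on it.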
Patching XSS Without Breaking the Site
Mitigating XSS vulnerabilities doesn't require sacrificing usability or legitimate functionality. The following approaches are effective and safe to deploy:
◾ Use context-aware encoding. Escape output based on where the input is rendered—HTML, attributes, JavaScript, or URLs. This prevents executable content from being interpreted.
◾ Adopt secure templating frameworks. Engines like React, Handlebars, and Django templates automatically escape untrusted content. Avoid building HTML or JavaScript manually with user inputs.
◾ Implement a strict Content Security Policy (CSP). A well-configured CSP prevents unauthorized script execution even if an injection occurs. Prefer nonce-based or hash-based policies over unsafe fallbacks.
◾ Sanitize only when rendering HTML. If user content needs to include formatting (e.g., comments with bold or links), use libraries like DOMPurify or Bleach to strip dangerous elements while preserving safe tags.
◾ Avoid dangerous APIs. Functions like innerHTML, eval(), document.write(), and setTimeout(string) should not be used with dynamic content. Safe alternatives like textContent and createElement() offer the same flexibility without the risk.
◾ Disable auto-injection features. In Krpano, disabling passQueryParameters eliminates the primary attack vector. The same principle applies across frameworks that auto-parse or bind query parameters.
◾ Escape server-side outputs. Even in SSR contexts, sanitize and encode outputs right before rendering, not just at the data ingestion point.
Recommendations for Krpano Users
To mitigate and prevent future exploitation:
◾ Upgrade to Krpano version 1.20.9 or later, which patches the vulnerability.
◾ Disable passQueryParameters in all viewer configurations unless explicitly required.
◾ Conduct perimeter audits for suspicious or previously cached URLs with unsafe query strings.
◾ Enforce a strong CSP to contain any new or unknown injection attempts.
◾ Apply server-side input validation to all external data sources feeding into the viewer or its configuration.
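The last recommendation, server-side validation of everything that feeds the viewer configuration, is what replaces passQueryParameters once it is disabled: the server decides which parameters are forwarded at all, and only after checking them against an allowlist. The following is an added example, not Krpano's code. Parameter names (xml, scene), the known-tour list and the default tour are constructed for the demo; the validator accepts only a tour file it already knows about and a plain scene name, and rejects anything else, including schemes, markup and path segments such as "..".

```javascript
// Added example, not Krpano's code: server-side allowlisting of the query
// parameters a page forwards into a viewer configuration. Names, tour list
// and default are constructed for the demo.
const ALLOWED_PARAMS = new Set(['xml', 'scene']);
const KNOWN_TOURS = new Set(['tours/lobby.xml', 'tours/roof.xml']);
const DEFAULT_TOUR = 'tours/lobby.xml';

// A tour reference is a relative path of plain segments ending in .xml, so
// schemes (javascript:, data:, https:), markup and '..' segments all fail.
const TOUR_PATH = /^[a-z0-9_-]+(\/[a-z0-9_-]+)*\.xml$/i;
const SCENE_NAME = /^[a-z0-9_-]{1,64}$/i;

// Validates each parameter of a request URL. URL.searchParams percent-decodes
// exactly once, so a double-encoded value still fails the pattern check.
function filterViewerParams(requestUrl) {
  const accepted = {};
  const rejected = [];
  const params = new URL(requestUrl, 'https://localhost').searchParams;
  for (const [name, value] of params) {
    if (!ALLOWED_PARAMS.has(name)) {
      rejected.push({ name, reason: 'not allowlisted' });
      continue;
    }
    if (value.length > 200) {
      rejected.push({ name, reason: 'too long' });
      continue;
    }
    if (name === 'xml' && !(TOUR_PATH.test(value) && KNOWN_TOURS.has(value))) {
      rejected.push({ name, reason: 'not a known tour' });
      continue;
    }
    if (name === 'scene' && !SCENE_NAME.test(value)) {
      rejected.push({ name, reason: 'invalid scene name' });
      continue;
    }
    accepted[name] = value;
  }
  return { accepted, rejected };
}

// What the server actually hands to the viewer: validated values only, with a
// safe default when the tour parameter is missing or was rejected.
function viewerConfigFor(requestUrl) {
  const { accepted } = filterViewerParams(requestUrl);
  return { xml: accepted.xml || DEFAULT_TOUR, scene: accepted.scene || null };
}

console.log(filterViewerParams('/viewer/index.html?xml=%3Cscript%3E&other=x&scene=a%20b'));
console.log(viewerConfigFor('/viewer/index.html?xml=tours%2Froof.xml&scene=entrance'));
```

Rejected parameters are returned alongside the accepted ones so the caller can log them; a request that arrives with a rejected xml value is exactly the kind of event the detection section above describes, and it is worth recording the client and the raw value.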
Conclusions
The 360XSS campaign highlighted how quickly and effectively client-side vulnerabilities can be weaponized at scale—especially when embedded tools are involved. Frameworks like Krpano offer powerful media experiences, but their flexibility must be balanced with hardened security practices.
XSS is preventable. When caught early and patched responsibly, it doesn’t need to result in defacement, data exposure, or reputational damage. Defense-in-depth and secure-by-default configurations remain the most effective path forward.