Modern applications typically rely on user input to provide the required functionality to the user. In doing so, the application accepts data from an untrusted source. In some circumstances, this data is processed and output to the end user. In other cases, the data is stored by the application for retrieval at a later stage, for viewing by other application users, or for passing on to other services in order to carry out the user's request. Cross-Site Scripting is a vulnerability resulting from missing or inadequate sanitisation of user-supplied data that is later rendered back to a user.
A variation of Cross-Site Scripting stores the payload in the application, so that it executes every time the vulnerable parameter is rendered; this is known as stored Cross-Site Scripting.
SoPlanning v1.47.00 was vulnerable to a reflected Cross-Site Scripting vulnerability which, when combined with other flaws in the application, allowed a successful account takeover attack. The details below describe each issue and how, together, they let an attacker perform a password reset for any account within the application.
GET /soplanning/www/taches.php?order=titre&by=test%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3C!-- HTTP/1.1
Host: 192.168.0.90
[...]
Cookie: dateDebut=02/09/2020; dateFin=02/11/2020; xposMoisWin=0; xposJoursWin=0; yposJoursWin=0; yposMoisWin=0; PHPSESSID=jf7pcv7o25upt9qga1f1hosq11; soplanningplanning_=tpbvfnhe1hqftau0oktue7505c; baseLigne=users; baseColonne=jours; date_debut_affiche_tache=02%2F09%2F2020; date_fin_affiche_tache=02%2F11%2F2020
Figure 1 – XSS Cookie
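To show why the `by` value in the request above breaks out of its rendering context, and what correct handling looks like, the following is an added Python example (not SoPlanning's code). It assumes, for illustration only, that the parameter is reflected into a double-quoted HTML attribute and that `by` is meant to carry a sort direction; the allow-list values are placeholders.

```python
from html import escape
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Request target copied from the advisory's Figure 1 (constructed sample input).
REQUEST_TARGET = ("/soplanning/www/taches.php?order=titre"
                  "&by=test%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3C!--")

# Assumed allow-list: the real set of legal values is not given on the page.
ALLOWED_SORT_DIRECTIONS = {"asc", "desc"}


def decoded_by(target: str) -> str:
    """Return the URL-decoded 'by' parameter, as the server would see it."""
    return parse_qs(urlsplit(target).query)["by"][0]


def vulnerable_render(by: str) -> str:
    """Assumed unsafe template: the value lands inside a quoted attribute verbatim.
    The payload's leading '">' closes the attribute and tag, '<script>' follows,
    and the trailing '<!--' comments out whatever markup came after it."""
    return f'<a href="taches.php?order=titre&by={by}">Sort</a>'


def safe_render(by: str) -> str:
    """Same template with HTML-attribute encoding; quote=True also encodes
    both quote characters, so the value can never terminate the attribute."""
    return f'<a href="taches.php?order=titre&by={escape(by, quote=True)}">Sort</a>'


def validate_sort_direction(by: str) -> Optional[str]:
    """Defence in depth: reject anything outside the expected vocabulary
    before it ever reaches a template. Returns None for unexpected input."""
    candidate = by.strip().lower()
    return candidate if candidate in ALLOWED_SORT_DIRECTIONS else None


def contains_script_tag(markup: str) -> bool:
    """Minimal check used to compare the two renderings."""
    return "<script>" in markup.lower()


if __name__ == "__main__":
    value = decoded_by(REQUEST_TARGET)
    print("decoded by =", value)
    print("unsafe render injects <script>:", contains_script_tag(vulnerable_render(value)))
    print("safe render injects <script>:  ", contains_script_tag(safe_render(value)))
    print("allow-list accepts payload:    ", validate_sort_direction(value) is not None)
```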
The following was the response which showed the XSS payload rendered in the document: