AlexDarigan / secureapp


5. Reflect XSS On Login Page #11

Open AlexDarigan opened 2 months ago

AlexDarigan commented 2 months ago

Vulnerability

Reflective XSS

Description

XSS (Cross-Site Scripting) is the act of injecting malicious code into a web page, which is then executed when interacted with by the target. In Reflective XSS, the attacker investigates a real website for any area where it may produce output unsanitized (e.g. a form input rendering its input to the screen). This allows for code to be injected into the website that can produce malicious actions, such as stealing the user's cookies, allowing the attacker to hijack the target's session. Once the attacker has injected a vulnerability, they send the malicious link to the target, who clicks on it, at which point the malicious code will execute.

Located

In the function 'failedLogin', the session variable 'failedMessage' includes the unsanitized user id, which is then rendered to the screen in index.php (line 94).

HTTP request type

POST Request

Vulnerable parameter / behaviour

The 'failedMessage' session variable and the 'uid' parameter retrieved from the form input.

Payload / actions for reproduction

  1. Create a form that sends the POST request with the malicious payload stored in the UID variable:

<form action="https://localhost/project/includes/login.inc.php" method="POST">
<input type="hidden" name="uid" value="<button onclick='alert(0)'>malicious code</button>" />
<input type="hidden" name="pwd" value="somepass" />
<input id="malicious" type="submit" name="submit" value=""/>
</form>
<script type="text/javascript">
    window.onload = function(){
        document.getElementById("malicious").click();
    }
</script>

  2. Send the link to the target
  3. Target clicks on the link and opens the form
  4. The form automatically submits itself with the malicious code


Code fix

Sanitize the characters before rendering them to the screen

// Replace every character that can break out of HTML text or attribute
// context with its HTML entity, so the value is rendered literally.
function cleanChars($val)
{
    $safe = array(
        '&' => '&amp;',   // must be first in spirit: prevents double-decoding tricks
        '"' => '&quot;',  // Double Quote
        "'" => '&#039;',  // Single Quote
        '<' => '&lt;',
        '>' => '&gt;',
        '(' => '&#040;',
        ')' => '&#041;',
        '{' => '&#123;',
        '[' => '&#91;',
        ']' => '&#93;',
        '}' => '&#125;',
        '/' => '&#47;',
        '\\' => '&#92;',  // Backslash
        ';' => '&#059;'
    );

    // Walk the string byte by byte; each lookup is a single-character key,
    // so a character is either replaced by its entity or copied unchanged.
    $sanitized = "";
    for ($i = 0; $i < strlen($val); $i++) {
        $char = $val[$i];
        if (isset($safe[$char])) {
            $sanitized .= $safe[$char];
        } else {
            $sanitized .= $char;
        }
    }
    return $sanitized;
}
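As an added example (not code from the secureapp repository), the sink described in this issue is reproduced below with the raw echo beside an output-encoded version using PHP's built-in htmlspecialchars, fed the same 'uid' payload the form above posts. The array standing in for $_SESSION and the names renderVulnerable/renderSafe are assumptions so that the script runs from the CLI.

```php
<?php
// Added example, not the secureapp code. An in-memory array stands in for
// $_SESSION and the render function names are hypothetical.

// Constructed payload: the value the issue's form submits as "uid".
$uid = "<button onclick='alert(0)'>malicious code</button>";

$session = [];

// Mirrors failedLogin: the raw uid ends up in the session message.
function failedLogin(array &$session, string $uid): void
{
    $session['failedMessage'] = 'Login failed for ' . $uid;
}

// Vulnerable sink (what index.php does today): the message is echoed raw,
// so the <button> and its onclick handler become live markup.
function renderVulnerable(array $session): string
{
    return '<p class="error">' . $session['failedMessage'] . '</p>';
}

// Hardened sink: encode at the output boundary. ENT_QUOTES converts both
// quote styles so the value is inert in element content and in attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function renderSafe(array $session): string
{
    $encoded = htmlspecialchars($session['failedMessage'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p class="error">' . $encoded . '</p>';
}

failedLogin($session, $uid);
echo "vulnerable: " . renderVulnerable($session) . PHP_EOL;
echo "safe:       " . renderSafe($session) . PHP_EOL;

// Regression check: the encoded output must contain no tag or live handler.
$safe = renderSafe($session);
if (strpos($safe, '<button') !== false || strpos($safe, "onclick='") !== false) {
    fwrite(STDERR, "output encoding failed" . PHP_EOL);
    exit(1);
}
```

Encoding at the render step (rather than when the session value is stored) means the raw login attempt can still be logged accurately while every page that echoes failedMessage is protected.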