Stored XSS via upload plugin functionality in zip format in neorazorx/facturascripts
Apr 21st 2022
Cross-site scripting (XSS) is a common attack vector that injects malicious code into a vulnerable web application. Stored XSS, also known as persistent XSS, is the more damaging of the two common variants (reflected and stored): the malicious script is saved by the application itself and served to every user who later views the affected page.
Here the name parameter in the plugin's facturascripts.ini file is vulnerable to XSS. After replacing the name value with an XSS payload and uploading the modified zip file, the payload is executed when the plugin name is rendered.
Proof of Concept
- Log in as a normal user.
- Download any FacturaScripts plugin, for example https://facturascripts.com/DownloadBuild/93/stable.
- Unzip it locally and modify name = '<script>alert(document.domain)</script>' in the facturascripts.ini file.
- Zip it again and upload it.
- The XSS payload will be executed for all users.
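As an added example (not FacturaScripts' own code), the PHP below shows the two defensive layers that close this class of bug: allow-list the plugin name read from facturascripts.ini at upload time, and HTML-escape it wherever it is rendered. The function names and the temporary demo zip are assumptions for illustration.

```php
<?php
// Added example, not FacturaScripts code. Reads facturascripts.ini from an
// uploaded plugin zip, allow-lists the plugin name and escapes it for HTML.

function pluginNameFromZip(string $zipPath): string
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException('cannot open plugin zip');
    }
    $ini = $zip->getFromName('facturascripts.ini');
    $zip->close();
    if ($ini === false) {
        throw new RuntimeException('facturascripts.ini missing from plugin zip');
    }
    // RAW mode keeps characters such as ( ) < > that the normal scanner rejects.
    $data = parse_ini_string($ini, false, INI_SCANNER_RAW);
    if ($data === false || !isset($data['name'])) {
        throw new RuntimeException('plugin name missing from facturascripts.ini');
    }
    // Strip surrounding quotes ourselves so the check does not depend on scanner quirks.
    return trim((string) $data['name'], " \t\"'");
}

function isSafePluginName(string $name): bool
{
    // Allow-list: letters, digits, underscore and hyphen only, 1 to 50 characters.
    return preg_match('/^[A-Za-z0-9_-]{1,50}$/', $name) === 1;
}

function escapeForHtml(string $value): string
{
    // Output encoding is the second layer: a name never reaches a page unescaped.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed demo: a plugin zip carrying the report's payload in the name field.
$zipPath = sys_get_temp_dir() . '/plugin-demo-' . uniqid() . '.zip';
$zip = new ZipArchive();
$zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE);
$zip->addFromString('facturascripts.ini', "name = '<script>alert(document.domain)</script>'\n");
$zip->close();

$name = pluginNameFromZip($zipPath);
if (!isSafePluginName($name)) {
    // Reject the upload; log the escaped value, never the raw one.
    echo 'rejected plugin upload, name: ' . escapeForHtml($name) . PHP_EOL;
} else {
    echo 'accepted plugin: ' . escapeForHtml($name) . PHP_EOL;
}
unlink($zipPath);
```

With the report's payload the upload is rejected and the logged name reads as `&lt;script&gt;...` rather than as markup.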
Cross-site scripting attacks can have devastating consequences. Code injected into a vulnerable application can exfiltrate data or install malware on the user's machine. Attackers can masquerade as authorized users via session cookies, allowing them to perform any action permitted to that user account.